Re: platform compatibility policy



>Excellent ideas...

I can't claim any credit for them; Sun has been using a classification
scheme and ABI validation tools for years. I've attached the
Solaris attributes(5) man-page as a good summary of the notion
of 'interface stability'; it also discusses how to classify
libraries or interfaces in terms of their degree of internationalization
(code-set independence) or MT-safety.

>Colm Smyth <Colm Smyth ireland sun com> writes: 
>> First of all, I believe that source and binary compatability 
>> should only be required for stable *public* interfaces.  
>> 
>> If an interface is wholly private to an application (e.g.  some
>> functions in a library that are shared by two closely related
>> programs, where those functions will never be needed elsewhere in
>> GNOME), then there is no need to maintain compatability over
>> releases.
>
>We need to be careful here. While some interfaces are genuinely
>private and enforced, others are theoretically private but in reality
>people are using them. (By "enforced" I mean for example that we don't
>install the header file.)

This "always" happens.  I would suggest that the genuinely public
interfaces are identified as such, while the private-but-publicly-used
symbols (semi-private?!)  are clearly listed as unstable.  In an ideal
world, it would be possible to identify the appropriate public symbol to
match each private symbol so that applications have a clear migration
path.  If it's possible to identify the apps that use private symbols
through the use of a tool (like the AppCert tool I mentioned), then it's
easier for the maintainers to become compliant.  I've attached an example
of an ABI database file for a library that's part of CDE.  As you can see,
it identifies both private and public symbols as an aid to classifying
symbol use in applications.

>> It's possible to automatically validate an application
>> by checking that there are only references to public
>> symbols. By statically analyzing the dependent libraries
>> of an application, it's possible to find all symbols that
>> are defined within the application code and all symbols
>> that are imported from public interfaces in GNOME libraries.
>> Any symbol that is resolved from a GNOME library that is
>> not part of a public interface can be highlighted as
>> a binary compatibility violation.
>> 
>> Actually this is exactly that a Solaris ABI validation tool
>> called AppCert does. The hardest part is actually capturing
>> all of the symbols that are part of the public interface
>> of each library, although this too can be automated by
>> taking the syntax-checking parts of a C compiler and
>> outputting all symbols defined within the public header files
>> of a library into a 'database' file for that public interface.
>> 
>> If there is any interest in such a tool for GNOME, I can contact
>> the team at Sun responsible for AppCert to see if they
>> could contribute the AppCert tool-set to open-source
>> for use in the GNOME project.
>> 
>
>It sounds useful, I think we'd be interested. 

You can find out more about AppCert and interface stability
at Sun's ABI web site - http://www.sun.com/developers/tools/abi/tech.html.

I'll contact the ABI tools team and see what we can do to make
these tools available to the community, along with the tools
we need to help generate an ABI database for GNOME libraries.

>For GTK 2.0, another thing we're doing is renaming all the private
>entry points with an underscore in front, and then we'll tell the
>linker not to export those from the library (on linkers that support
>that). This doesn't catch all private entry points, such as private
>functions exported by GDK for use in GTK, but it does catch a lot of
>them.

Using underscore to mark private symbols that are used internally
within a package is a good technique. As you mentioned, it's ideal
if a mapfile can be provided to the linker to limit the symbols
that are made global; this is a way to 'enforce' avoidance of
private symbols, although for backwards compatibility reasons
you may need to keep making "semi-private" symbols available
for a release or two.

>Havoc

Colm.


Standards, Environments, and Macros                 attributes(5)



NAME
     attributes, architecture, availability, CSI, stability,  MT-
     Level  -  characteristics of commands, utilities, and device
     drivers

DESCRIPTION
     The  ATTRIBUTES man  page  section  contains  a  table  (see
     below)  defining  attribute  types  and  their corresponding
     values.

     ____________________________________________________________
    |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
    |_____________________________|_____________________________|
    | Architecture                | SPARC                       |
    |_____________________________|_____________________________|
    | Availability                | SUNWcsu                     |
    |_____________________________|_____________________________|
    | CSI                         | Enabled                     |
    |_____________________________|_____________________________|
    | Interface Stability         | Unstable                    |
    |_____________________________|_____________________________|
    | MT-Level                    | Safe                        |
    |_____________________________|_____________________________|


  Architecture
     Architecture defines processor or specific hardware. (See -p
     option of uname(1)). In some cases, it may indicate required
     adapters or peripherals.

  Availability
     This refers to the software package which contains  the com-
     mand  or  component  being  described on the man page. To be
     able to use the command, the  indicated  package  must  have
     been  installed. For information on how to add a package see
     pkgadd(1M).

  Code Set Independence (CSI)
     OS utilities and libraries which are free of dependencies on
     the  properties  of  any code sets are said to have Code Set
     Independence (CSI). They have the  attribute  of  being  CSI
     enabled.  This is in contrast to many commands and utilities
     in Solaris, for example, that work only with  Extended  Unix
     Codesets  (EUC),  an  encoding method that allows concurrent
     support for up to four code sets and is  commonly  used   to
     represent Asian character sets.

     However, for practical reasons,  this  independence  is  not
     absolute.  Certain  assumptions  are  still  applied  to the
     current CSI implementation:

        o  File code is a superset of ASCII.



SunOS 5.8           Last change: 3 June 1997                    1






Standards, Environments, and Macros                 attributes(5)



        o  In order to support multi-byte  characters  and  NULL-
           terminated   UNIX  file  names, the NULL and / (slash)
           characters cannot be part of  any  multi-byte  charac-
           ters.

        o  Only "stateless" file code  encodings  are  supported.
           Stateless encoding avoids shift, locking shift, desig-
           nation, invocation,  and  so  forth,  although  single
           shift is not excluded.

        o  Process code (wchar_t values) is implementation depen-
           dent  and  can change over time or between implementa-
           tions or between locales.

        o  Not every object in Solaris 2 and  Solaris  7can  have
           names  composed  of arbitrary characters. The names of
           the following objects must be composed of ASCII  char-
           acters:

              o  User names, group name, and passwords

              o  System name

              o  Names of printers and special devices

              o  Names of terminals (/dev/tty*)

              o  Process ID numbers

              o  Message queues, semaphores,  and  shared  memory
                 labels.

              o  The following may be composed of ISO Latin-1  or
                 EUC characters:

                    o  File names

                    o  Directory names

                    o  Command names

                    o  Shell variables and environmental variable
                       names

                    o  Mount points for file systems

                    o  NIS key names and domain names

        o  The names of NFS shared files should  be  composed  of
           ASCII  characters.  Although files and directories may
           have names and contents composed  of  characters  from
           non-ASCII  code  sets,  using  only  the ASCII codeset



SunOS 5.8           Last change: 3 June 1997                    2






Standards, Environments, and Macros                 attributes(5)



           allows NFS mounting across any machine, regardless  of
           localization.  For the commands and utilities that are
           CSI enabled, all can handle single-byte and multi-byte
           locales  released in 2.6. For applications to get full
           support  of  internationalization  services,   dynamic
           binding  has  to be applied. Statically bound programs
           will only get support for C and POSIX locales.

  Interface Stability
     Sun often provides developers with early access to new tech-
     nologies,  which  allows developers to evaluate with them as
     soon as possible.  Unfortunately, new technologies are prone
     to  changes  and  standardization often results in interface
     incompatibility from previous versions.

     To make reasonable risk assessments, developers need to know
     how likely an interface is to change in future releases.  To
     aid developers in making these assessments,  interface  sta-
     bility  information  is  included  on some manual pages  for
     commands, entry-points, and file formats.

     The more stable interfaces can safely be used by nearly  all
     applications, because Sun will endeavor to ensure that these
     continue to work in future  minor  releases.    Applications
     that  depend  only  on Standard and Stable interfaces should
     reliably continue to  function  correctly  on  future  minor
     releases (but not necessarily on earlier major releases).

     The less stable interfaces allow experimentation and  proto-
     typing,  but should be used only with the understanding that
     they  might  change  incompatibly  or  even  be  dropped  or
     replaced with alternatives in future minor releases.

     "Interfaces" that Sun does not document (for  example,  most
     kernel  data  structures  and  some symbols in system header
     files) may be implementation artifacts. Such internal inter-
     faces  are  not only subject to incompatible change or remo-
     val, but we are unlikely to mention such a change in release
     notes.

  Release Levels
     Products are given release levels, as well as names, to  aid
     compatibility  discussions.   Each  release  level  may also
     include changes suitable for lower levels.

     Release   Version   Significance









SunOS 5.8           Last change: 3 June 1997                    3






Standards, Environments, and Macros                 attributes(5)



     Major     x.0       Likely to  contain  major  feature  addi-
                         tions;  adhere  to  different,   possibly
                         incompatible  Standard   revisions;   and
                         though  unlikely,  could change, drop, or
                         replace Standard  or  Stable  interfaces.
                         Initial product releases are usually 1.0.
     Minor     x.y       Compared to an  x.0  or  earlier  release
                         (y!=0),  it's  likely  to  contain: minor
                         feature  additions,  compatible  Standard
                         and  Stable interfaces, possibly incompa-
                         tible  Evolving  interfaces,  or   likely
                         incompatible Unstable interfaces.
     Micro     x.y.z     Intended to be interface compatible  with
                         the  previous  release (z!=0), but likely
                         to add bug  fixes,  performance  enhance-
                         ments,   and   support   for   additional
                         hardware.


  Classifications
     The following table summarizes how stability level  classif-
     ications relate to release level. The first column lists the
     Stability Level. The second column lists the  Release  Level
     for  Incompatable  Changes, and the third column lists other
     comments. For a complete discussion of individual  classifi-
     cations, see the appropriate subsection below.

     Stability           Release       Comments
     Standard            Major (x.0)   Actual or de facto.
     Stable              Major (x.0)   Incompatibilities are exceptional.
     Evolving            Minor (x.y)   Migration  advice  might   accompany   an
                                       incompatibility.
     Unstable            Minor (x.y)   Experimental or transitional:  incompati-
                                       bilities are common.
     Obsolete            Minor (x.y)   Deprecated  interface:   likely   to   be
                                       removed in a future minor release.


     The interface stability  levels  described  in  this  manual
     page apply to both source and binary  interfaces unless oth-
     erwise stated.  The stability level of  each   interface  is
     unknown unless explicitly stated.

     Standard: organization_name, standard_name, version
           The documented command or function complies  with  the
           standard  listed. Most of these interfaces are defined
           by a formal standard, and controlled  by  a  standards
           organization.  Changes  will usually be made in accor-
           dance with approved changes to that standard. his sta-
           bility  level   can also apply to interfaces that have
           been  adopted  (without  a  formal   standard)  by  an
           "industry convention."



SunOS 5.8           Last change: 3 June 1997                    4






Standards, Environments, and Macros                 attributes(5)



           Support is provided for only the specified  version(s)
           of  a  standard;   support  of  later  versions is not
           guaranteed. If the standards organization  approves  a
           non-upwards-compatible  change to a Standard interface
           that Sun decides to support, we will announce a compa-
           tibility and migration strategy.

     Stable
           A Stable interface is a mature interface  under  Sun's
           control.  Sun will try to avoid non-upwards-compatible
           changes to these interfaces, especially  in  minor  or
           micro releases.

           If support of a Stable interface must be discontinued,
           Sun  will  attempt  to  provide  notification  and the
           stability level changes to  Obsolete.

     Evolving
           An Evolving interface may eventually  become  Standard
           or Stable but is still in transition.

           Sun will make reasonable efforts to ensure compatibil-
           ity  with  previous releases as it evolves.  When non-
           upwards compatible changes become necessary, they will
           occur  in  minor and major releases; such changes will
           be avoided in  micro releases  whenever  possible.  If
           such  a change is necessary, it  will be documented in
           the release notes for the effected release,  and  when
           feasible,  Sun  will provide migration aids for binary
           compatibility and continued source development.

     Unstable
           An Unstable  interface is provided to give  developers
           early access to new  or rapidly changing technology or
           as an interim solution to a problem for which  a  more
           stable solution is anticipated in the future.

           For Unstable interfaces, Sun no  claims  about  either
           source  or binary compatibility from one minor release
           to another.  Applications developed  based  on   these
           interfaces may not work in future minor releases.

     Obsolete: Scheduled for removal after event
           An Obsolete interface  is  supported  in  the  current
           release,  but  is  scheduled to be removed in a future
           (minor) release.  When support of an interface  is  to
           be discontinued, Sun will attempt to provide notifica-
           tion before discontinuing support. Use of an  Obsolete
           interface may produce warning messages.

  MT-Level




SunOS 5.8           Last change: 3 June 1997                    5






Standards, Environments, and Macros                 attributes(5)



     Libraries are classified into four categories  which  define
     their ability to support multiple threads. Manual pages con-
     taining routines that are of multiple or   differing  levels
     show this within their NOTES or USAGEsection.

     Safe  Safe is an attribute of code that can be called from a
           multithreaded  application. The effect of calling into
           a Safe interface or a safe code segment  is  that  the
           results   are  valid  even  when  called  by  multiple
           threads.  Often overlooked is the fact that the result
           of  this  Safe interface or safe code segment can have
           global consequences  that  affect  all  threads.   For
           example,  the action of opening or closing a file from
           one thread is visible by all the threads within a pro-
           cess.   A multi-threaded application has the responsi-
           bility for using these interfaces in  a  safe  manner,
           which  is  different from whether or not the interface
           is Safe.  For example,  a  multi-threaded  application
           that  closes  a  file  that  is  still in use by other
           threads  within  the  application  is  not  using  the
           close(2) interface safely.

     Unsafe
           An Unsafe library contains global and static data that
           is  not  protected.   It is not safe to use unless the
           application arranges for only one thread  at  time  to
           execute within the library. Unsafe libraries may  con-
           tain routines that are  Safe;  however,  most  of  the
           library's routines are unsafe to call.

           The following table  contains  reentrant  counterparts
           for Unsafe functions.  This table is subject to change
           by Sun.

           Reentrant functions for libc:


           Unsafe Function               Reentrant counterpart
           ctime                         ctime_r
           localtime                     localtime_r
           asctime                       asctime_r
           gmtime                        gmtime_r
           ctermid                       ctermid_r
           getlogin                      getlogin_r
           rand                          rand_r
           readdir                       readdir_r
           strtok                        strtok_r
           tmpnam                        tmpnam_r


     MT-Safe
           An MT-Safe library is fully prepared for multithreaded



SunOS 5.8           Last change: 3 June 1997                    6






Standards, Environments, and Macros                 attributes(5)



           access.  It  protects  its global and static data with
           locks, and can provide a  reasonable  amount  of  con-
           currency.  Note that a library can be safe to use, but
           not  MT-Safe.  For  example,  surrounding  an   entire
           library  with a monitor makes the library Safe, but it
           supports no concurrency so it is  not  considered  MT-
           Safe.  An  MT-Safe  library  must  permit a reasonable
           amount of concurrency. (This definition's  purpose  is
           to  give  precision to what is meant when a library is
           described as Safe.  The definition of a  Safe  library
           does  not specify if the library supports concurrency.
           The MT-Safe definition makes it clear that the library
           is  Safe,  and supports some concurrency.  This clari-
           fies the Safe definition, which can mean anything from
           being  single  threaded  to  being  any degree of mul-
           tithreaded.)

     Async-Signal-Safe
           Async-Signal-Safe refers to  particular  library  rou-
           tines that can be safely called from a signal handler.
           A thread that is executing an  Async-Signal-Safe  rou-
           tine will not deadlock with itself if interrupted by a
           signal. Signals are only a problem  for  MT-Safe  rou-
           tines that acquire locks.

           Signals  are  disabled  when  locks  are  acquired  in
           Async-Signal-Safe  routines.  This  prevents  a signal
           handler that might acquire the same  lock  from  being
           called.   The   list  of  Async-Signal-Safe  functions
           includes:


           _exit                access                aio_error
           aio_return           aio_suspend           alarm
           cfgetispeed          cfgetospeed           cfsetispeed
           cfsetospeed          chdir                 chmod
           chown                clock_gettime         close
           creat                dup                   dup2
           execle               execve                fcntl
           fdatasync            fork                  fstat
           fsync                getegid               geteuid
           getgid               getgroups             getpgrp
           getpid               getppid               getuid
           kill                 link                  lseek
           mkdir                mkfifo                open
           pathconf             pause                 pipe
           read                 rename                rmdir
           sem_post             sema_post             setgid
           setpgid              setsid                setuid
           sigaction            sigaddset             sigdelset
           sigemptyset          sigfillset            sigismember
           sigpending           sigprocmask           sigqueue



SunOS 5.8           Last change: 3 June 1997                    7






Standards, Environments, and Macros                 attributes(5)



           sigsuspend           sleep                 stat
           sysconf              tcdrain               tcflow
           tcflush              tcgetattr             tcgetpgrp
           tcsendbreak          tcsetattr             tcsetpgrp
           thr_kill             thr_sigsetmask        time
           timer_getoverrun     timer_gettime         timer_settime
           times                umask                 uname
           unlink               utime                 wait
           waitpid              write


     MT-Safe with Exceptions
           See the NOTES or USAGE sections of these pages  for  a
           description of the exceptions.

     Safe with Exceptions
           See the NOTES or USAGE sections of these pages  for  a
           description of the exceptions.

     Fork1-Safe
           A Fork1-Safe library releases the locks  it  had  held
           whenever  fork1(2)  is called in a Solaris thread pro-
           gram, or fork(2) in a POSIX (see standards(5))  thread
           program.   Calling  fork(2)  in a POSIX thread program
           has the same semantic as calling fork1(2) in a Solaris
           thread program. All system calls, libpthread, and lib-
           thread are Fork1-Safe. Otherwise,  you  should  handle
           the      locking      clean-up      yourself      (see
           pthread_atfork(3THR)).

     Cancel-Safety
           If     a     multi-threaded      application      uses
           pthread_cancel(3THR)  to  cancel  (that  is,  kill)  a
           thread, it is  possible  that  the  target  thread  is
           killed  while  holding  a  resource, such as a lock or
           allocated memory. If the thread has not installed  the
           appropriate  cancellation  cleanup handlers to release
           the        resources        appropriately         (see
           pthread_cancel(3THR)),  the  application  is  "cancel-
           unsafe", that is, it is not safe with respect to  can-
           cellation. This unsafety could result in deadlocks due
           to locks not released by a thread that gets cancelled,
           or resource leaks; for example, memory not being freed
           on thread  cancellation.  All  applications  that  use
           pthread_cancel(3THR)  should  ensure that they operate
           in a Cancel-Safe environment. Libraries that have can-
           cellation  points  and which acquire resources such as
           locks or allocate memory dynamically, also  contribute
           to the cancel-unsafety of applications that are linked
           with these libraries. This introduces another level of
           safety  for  libraries  in  a  multi-threaded program:
           Cancel-Safety.  There  are   two   sub-categories   of



SunOS 5.8           Last change: 3 June 1997                    8






Standards, Environments, and Macros                 attributes(5)



           Cancel-Safety:       Deferred-Cancel-Safety,       and
           Asynchronous-Cancel-Safety.  An  application  is  con-
           sidered  to be Deferred-Cancel-Safe when it is Cancel-
           Safe  for   threads   whose   cancellation   type   is
           PTHREAD_CANCEL_DEFERRED.  An application is considered
           to be Asynchronous-Cancel-Safe when it is  Cancel-Safe
           for     threads    whose    cancellation    type    is
           PTHREAD_CANCEL_ASYNCHRONOUS. Deferred-Cancel-Safety is
           easier  to  achieve  than  Asynchronous-Cancel-Safety,
           since a thread with the deferred cancellation type can
           be cancelled only at well-defined cancellation points,
           whereas a thread with  the  asynchronous  cancellation
           type  can be cancelled anywhere. Since all threads are
           created by default to have the  deferred  cancellation
           type,  it  may never be necessary to worry about asyn-
           chronous cancel safety. Indeed, most applications  and
           libraries  are  expected  to  always  be Asynchronous-
           Cancel-Unsafe.  An application which is  Asynchronous-
           Cancel-Safe  is  also, by definition, Deferred-Cancel-
           Safe.

SEE ALSO
     uname(1), pkgadd(1M), Intro(3), standards(5)
































SunOS 5.8           Last change: 3 June 1997                    9



Attachment: libDtTerm.so.2.abi
Description: libDtTerm.so.2.abi



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]