Better name for async-signal-safe functions

In Rust, "safety" is usually used in the context of unsafe functions,
which have documented preconditions.  Our async-signal-safe functions
are different; they offer extra safety properties. Rename them to
reduce confusion.

Ref: https://github.com/fish-shell/fish-shell/pull/12625#discussion_r3067819966
Johannes Altmanninger
2026-04-20 17:05:42 +08:00
parent fa33f6f0e0
commit 1dfc75bb9c
7 changed files with 28 additions and 28 deletions


@@ -27,8 +27,8 @@
print_help::print_help,
proc::set_interactive_session,
reader::{
check_exit_loop_maybe_warning, reader_init, safe_reader_set_exit_signal, set_shell_modes,
terminal_init,
check_exit_loop_maybe_warning, reader_init, set_shell_modes,
signal_safe_reader_set_exit_signal, terminal_init,
},
threads,
topic_monitor::topic_monitor_init,
@@ -98,7 +98,7 @@ fn process_input(
use QueryResultEvent::*;
let kevt = match input_queue.readch() {
CharEvent::Implicit(ImplicitEvent::Eof) => {
safe_reader_set_exit_signal(libc::SIGHUP);
signal_safe_reader_set_exit_signal(libc::SIGHUP);
continue;
}
CharEvent::Key(kevt) => kevt,


@@ -20,7 +20,7 @@
PATH_BSHELL, blocked_signals_for_job,
postfork::{
child_setup_process, execute_fork, execute_setpgid, report_setpgid_error,
safe_report_exec_error,
signal_safe_report_exec_error,
},
};
use crate::function::{self, FunctionProperties};
@@ -393,7 +393,7 @@ pub fn is_thompson_shell_script(path: &CStr) -> bool {
/// This function is executed by the child process created by a call to fork(). It should be called
/// after \c child_setup_process. It calls execve to replace the fish process image with the command
/// specified in \c p. It never returns. Called in a forked child! Do not allocate memory, etc.
fn safe_launch_process(
fn signal_safe_launch_process(
_p: &Process,
actual_cmd: &CStr,
argv: &OwningNullTerminatedArray,
@@ -431,7 +431,7 @@ fn safe_launch_process(
}
set_errno(err);
safe_report_exec_error(errno().0, actual_cmd, argv, envv);
signal_safe_report_exec_error(errno().0, actual_cmd, argv, envv);
exit_without_destructors(exit_code_from_exec_error(err.0));
}
@@ -451,7 +451,7 @@ fn launch_process_nofork(vars: &EnvStack, p: &Process) -> ! {
// Ensure the terminal modes are what they were before we changed them.
restore_term_mode();
// Bounce to launch_process. This never returns.
safe_launch_process(p, &actual_cmd, &argv, &envp);
signal_safe_launch_process(p, &actual_cmd, &argv, &envp);
}
// Returns whether we can use posix spawn for a given process in a given job.
@@ -908,7 +908,7 @@ fn exec_external_command(
let pid = match pid {
Ok(pid) => pid,
Err(err) => {
safe_report_exec_error(err.0, &actual_cmd, &argv, &envv);
signal_safe_report_exec_error(err.0, &actual_cmd, &argv, &envv);
p.status
.set(ProcStatus::from_exit_code(exit_code_from_exec_error(err.0)));
return Err(());
@@ -940,7 +940,7 @@ fn exec_external_command(
}
fork_child_for_process(j, p, &dup2s, pgroup_policy, |p| {
safe_launch_process(p, &actual_cmd, &argv, &envv)
signal_safe_launch_process(p, &actual_cmd, &argv, &envv)
})
}


@@ -225,7 +225,7 @@ pub fn execute_fork() -> pid_t {
exit_without_destructors(1)
}
pub(crate) fn safe_report_exec_error(
pub(crate) fn signal_safe_report_exec_error(
err: i32,
actual_cmd: &CStr,
argvv: &OwningNullTerminatedArray,


@@ -94,7 +94,7 @@
QueryXtversion,
},
},
termsize::{safe_termsize_invalidate_tty, termsize_last, termsize_update},
termsize::{signal_safe_termsize_invalidate_tty, termsize_last, termsize_update},
text_face::{TextFace, parse_text_face},
threads::{assert_is_background_thread, assert_is_main_thread},
tokenizer::{
@@ -284,7 +284,7 @@ pub fn terminal_init(vars: &dyn Environment, inputfd: RawFd) -> TerminalInitResu
use ImplicitEvent::{CheckExit, Eof};
use QueryResultEvent::*;
match input_queue.readch() {
Implicit(Eof) => safe_reader_set_exit_signal(libc::SIGHUP),
Implicit(Eof) => signal_safe_reader_set_exit_signal(libc::SIGHUP),
Implicit(CheckExit) => {}
CharEvent::QueryResult(Response(QueryResponse::PrimaryDeviceAttribute)) => {
break;
@@ -1319,7 +1319,7 @@ pub fn read_generation_count() -> u32 {
/// The readers interrupt signal handler. Cancels all currently running blocks.
/// This is called from a signal handler!
pub fn safe_reader_handle_sigint() {
pub fn signal_safe_reader_handle_sigint() {
INTERRUPTED.store(SIGINT, Ordering::Relaxed);
}
@@ -1341,7 +1341,7 @@ pub fn reader_test_and_clear_interrupted() -> i32 {
}
/// Mark that we received an exit signal (SIGHUP or SIGTERM). Invoked from a signal handler.
pub fn safe_reader_set_exit_signal(sig: i32) {
pub fn signal_safe_reader_set_exit_signal(sig: i32) {
// Beware, we may be in a signal handler.
EXIT_SIGNAL.store(sig, Ordering::Relaxed);
}
@@ -2690,7 +2690,7 @@ fn run_input_command_scripts(&mut self, cmd: &wstr) {
// ECHO mode, causing a race between new input and restoring the mode (#7770). So we leave the
// tty alone, run the commands in shell mode, and then restore shell modes.
set_shell_modes(STDIN_FILENO, "bind scripts");
safe_termsize_invalidate_tty();
signal_safe_termsize_invalidate_tty();
}
/// Read normal characters, inserting them into the command line.
@@ -2873,7 +2873,7 @@ fn handle_char_event(&mut self, injected_event: Option<CharEvent>) -> ControlFlo
CharEvent::Implicit(implicit_event) => {
use ImplicitEvent::*;
match implicit_event {
Eof => safe_reader_set_exit_signal(libc::SIGHUP),
Eof => signal_safe_reader_set_exit_signal(libc::SIGHUP),
CheckExit => (),
FocusIn => {
event::fire_generic(self.parser, L!("fish_focus_in").to_owned(), vec![]);
@@ -4869,7 +4869,7 @@ fn term_steal(copy_modes: bool) {
term_copy_modes();
}
set_shell_modes(STDIN_FILENO, "shell");
safe_termsize_invalidate_tty();
signal_safe_termsize_invalidate_tty();
}
// Ensure that fish owns the terminal, possibly waiting. If we cannot acquire the terminal, then
@@ -5006,7 +5006,7 @@ fn reader_interactive_init() {
set_shell_modes(STDIN_FILENO, "startup");
}
safe_termsize_invalidate_tty();
signal_safe_termsize_invalidate_tty();
}
/// Return whether fish is currently unwinding the stack in preparation to exit.


@@ -1,9 +1,9 @@
use crate::event::{enqueue_signal, is_signal_observed};
use crate::prelude::*;
use crate::reader::{safe_reader_handle_sigint, safe_reader_set_exit_signal};
use crate::termsize::safe_termsize_invalidate_tty;
use crate::reader::{signal_safe_reader_handle_sigint, signal_safe_reader_set_exit_signal};
use crate::termsize::signal_safe_termsize_invalidate_tty;
use crate::topic_monitor::{Generation, GenerationsList, Topic, topic_monitor_principal};
use crate::tty_handoff::safe_mark_tty_invalid;
use crate::tty_handoff::signal_safe_mark_tty_invalid;
use crate::wutil::fish_wcstoi;
use errno::{errno, set_errno};
use fish_common::exit_without_destructors;
@@ -86,14 +86,14 @@ extern "C" fn fish_signal_handler(
match sig {
libc::SIGWINCH => {
// Respond to a winch signal by telling the termsize container.
safe_termsize_invalidate_tty();
signal_safe_termsize_invalidate_tty();
}
libc::SIGHUP | libc::SIGTERM => {
// Exit unless the signal was trapped.
if !observed {
safe_reader_set_exit_signal(sig);
signal_safe_reader_set_exit_signal(sig);
if sig == libc::SIGHUP {
safe_mark_tty_invalid();
signal_safe_mark_tty_invalid();
}
}
topic_monitor_principal().post(Topic::SigHupIntTerm);
@@ -103,7 +103,7 @@ extern "C" fn fish_signal_handler(
if !observed {
CANCELLATION_SIGNAL.store(libc::SIGINT, Ordering::Relaxed);
}
safe_reader_handle_sigint();
signal_safe_reader_handle_sigint();
topic_monitor_principal().post(Topic::SigHupIntTerm);
}
libc::SIGCHLD => {
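Review bot: Inside `fish_signal_handler`, the SIGHUP/SIGTERM and SIGINT arms still call `topic_monitor_principal().post(Topic::SigHupIntTerm)`, which does not carry the new `signal_safe_` prefix, so after this rename the prefix does not mark every call made from the handler. Whether `post` is async-signal-safe cannot be seen from these hunks. If it is, a short call-site comment such as `// post() is async-signal-safe; see topic_monitor` would keep the convention auditable; if it is not, that deserves a separate look. The handler's body starts and ends outside the hunks shown.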


@@ -256,7 +256,7 @@ pub fn termsize_update(parser: &Parser) -> Termsize {
}
/// May be called form a signal handler (WINCH).
pub fn safe_termsize_invalidate_tty() {
pub fn signal_safe_termsize_invalidate_tty() {
TTY_TERMSIZE_GEN_COUNT.fetch_add(1, Ordering::Relaxed);
}
@@ -298,7 +298,7 @@ fn stubby_termsize() -> Option<Termsize> {
assert_eq!(ts.last(), Termsize::defaults());
// Ok let's tell it. But it still doesn't update right away.
let handle_winch = safe_termsize_invalidate_tty;
let handle_winch = signal_safe_termsize_invalidate_tty;
handle_winch();
assert_eq!(ts.last(), Termsize::defaults());


@@ -335,7 +335,7 @@ pub fn deactivate_tty_protocols() {
// Called from a signal handler to mark the tty as invalid (e.g. SIGHUP).
// This suppresses any further attempts to write protocols to the tty,
pub fn safe_mark_tty_invalid() {
pub fn signal_safe_mark_tty_invalid() {
TTY_INVALID.store(true);
}
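Review bot: The comment above `signal_safe_mark_tty_invalid` is a plain `//` comment whose second line ends in a comma, so the contract the new name advertises never reaches the rustdoc for this `pub fn`. I would make it a doc comment and finish the sentence, for example `/// Async-signal-safe: called from a signal handler (e.g. SIGHUP) to mark the tty as invalid.` followed by `/// This suppresses any further attempts to write protocols to the tty.` The store on `TTY_INVALID` takes no ordering argument, so its type is presumably a wrapper defined outside this hunk; naming that type in the doc comment would let a reader confirm the store takes no lock.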