X-Git-Url: http://repo.macrolet.net/gitweb/?a=blobdiff_plain;f=src%2Fcode%2Ftimer.lisp;h=53523859208eafbb2425e281a2f726072ddf4f99;hb=fd324a9d981355d8bc10d2bd469cb54c4c9108fd;hp=2d4c67ac3c061950bd455805d9330f1598c9b134;hpb=0c5c2fec5aae5fc87fc392192b009d234ea99462;p=sbcl.git

diff --git a/src/code/timer.lisp b/src/code/timer.lisp
index 2d4c67a..5352385 100644
--- a/src/code/timer.lisp
+++ b/src/code/timer.lisp
@@ -361,8 +361,26 @@ triggers."
 
 (defmacro sb!ext:with-timeout (expires &body body)
   #!+sb-doc
-  "Execute the body, asynchronously interrupting it and signalling a
-TIMEOUT condition after at least EXPIRES seconds have passed."
+  "Execute the body, asynchronously interrupting it and signalling a TIMEOUT
+condition after at least EXPIRES seconds have passed.
+
+Note that it is never safe to unwind from an asynchronous condition. Consider:
+
+  (defun call-with-foo (function)
+    (let (foo)
+      (unwind-protect
+         (progn
+           (setf foo (get-foo))
+           (funcall function foo))
+       (when foo
+         (release-foo foo)))))
+
+If TIMEOUT occurs after GET-FOO has executed, but before the assignment, then
+RELEASE-FOO will be missed. While individual sites like this can be made proof
+against asynchronous unwinds, this doesn't solve the fundamental issue, as all
+the frames potentially unwound through need to be proofed, which includes both
+system and application code -- and in essence proofing everything will make
+the system uninterruptible."
   (with-unique-names (timer)
     ;; FIXME: a temporary compatibility workaround for CLX, if unsafe
     ;; unwinds are handled revisit it.