Cancellation Points

Cancellation Types

In POSIX, there are two pthread cancellation types: PTHREAD_CANCEL_DEFERRED and PTHREAD_CANCEL_ASYNCHRONOUS. PTHREAD_CANCEL_DEFERRED is the default and the normal kind of pthread cancellation that should be used. PTHREAD_CANCEL_ASYNCHRONOUS is brutal; it simply kills the pthread immediately without regard for what it is doing.

PTHREAD_CANCEL_DEFERRED works differently; nothing happens immediately. Instead, the cancellation will be deferred until the pthread is at (or a better preposition would be within) a cancellation point. You cannot have the PTHREAD_CANCEL_DEFERRED cancellation type without cancellation points and you will not have cancellation points unless you enable them with CONFIG_CANCELLATION_POINTS=y.

Cancellation Points

Cancellation points add special instrumentation to a specific set of interface functions. Those interface functions are listed here:

Enter and Leave Cancelation Point

In NuttX, each of these functions CONFIG_CANCELLATION_POINTS=y will enable a special call to enter_cancellation_point() at the beginning of the function and a matching call to leave_cancellation_point() before the interface function returns. These may be nested: One cancellation point function may call another which may call another, etc. The select() function, for example, calls poll() which calls sem_wait() so the nesting will be three deep.

These two cancellation point hooks behave in a complementary way. enter_cancellation_point() increments the nesting level and leave_cancellation_point() decrements the nesting level. No action is taken unless the nesting level is zero then, in that case, if there is a pending cancellation then the thread exists normally by simply calling pthread_exit().


When pthread_cancel() is called, it will check if the deferred cancellation mode is enabled for the target pthread. If so it will (1) mark the cancellation as pending, and (2) if the thread is waiting on a semaphore or message queue (and is in a cancelable state), it will wake it just in the same was as if the thread received a single (except with ECANCELED instead of EINTR).

If, on the other hand, the asynchronous mode is enabled (and the thread is in a cancelable state), pthread_cancel() will, instead, kill the thread immediately.

NOTE: For pthreads, the cancelable state is controlled by the interface pthread_setcancelstate(). This allows the pthread to disable or re-enable cancelability. If the thread is not cancelable when pthread_cancel() is called, it will never do more than just mark the cancellation as pending. When the cancelable state is re-enabled, then any pending cancellation will take effect

select() Walk-Through

Let's walk through the case of select() to see how would work:

  • When select() is called, it allocates some memory that it needs to handle the conversion to poll().
  • It then calls poll() which sets up the poll with all of the relevant drivers and, eventually, calls sem_wait().

So this pthread will spend almost all of its time waiting in sem_wait() and that is the most likely state of the pthread when pthread_cancel() is called with deferred cancellation eanbled.

  • When pthread_cancel() is called, it will set the pending cancellation state and wake up sem_wait() with the ECANCELED error.
  • sem_wait() will see the pending cancellation, but will do nothing because the nesting level is decremented only to two. It will return to poll() with the ECANCELED error. NOTE that the semaphore is left in a healthy state.
  • poll() will tear-down down the poll from all of the drivers and call leave_cancellation_point() before it exits. Again, it will see the pending cancellation but will do nothing because the nesting level decrements only to 1. NOTE that since poll() does the complete tear=down and all of the drivers are left in a healthy state.
  • Finally, select() cleans up all of its memory allocations and calls leave_cancellation_point(). This time, the nesting level decrements to zero and leave_cancellation_point() will call pthread_exit() with everything in a proper state.

If asynchronous pthread cancellation were selected, then the behavior would be very different. The first two steps would be the same but then:

  • When pthread_cancel() is called, the thread would be immediately killed. The semaphore would be left in the locked state; the memory allocated by select() would be stranded; drivers would be left with stale pointers to stranded memory. Not a good state to leave the system!

select() will not return to the caller in either case.

Application Interfaces

The following pthread application interfaces are available to manage cancellation:

  • pthread_cancel() cancels a thread.
  • pthread_setcancelstate() can be used to enable or disable a cancellation.
  • pthread_setcanceltype() can be used to switched between asynchronous and deferred thread cancellation.
  • pthread_testcancel() can be used to force a cancellation point.

Task Deletion

NuttX also supports some non-standard interfaces for task deletion (i.e., cancellation) of tasks as well. The cancellation point logic is identical and the task application interfaces are very similar:

  • task_delete() deletes (cancels) a task.
  • task_setcancelstate() can be used to enable or disable task cancellation.
  • task_setcanceltype() can be used to switched between asynchronous and deferred task cancellation.
  • task_testcancel() can be used to force a cancellation point.

Design Issues

There is one logical problem in many parts of the system. The following sequence of code appears in many places in the code bgase. It will work not work with thread/task cancellation:

void some_lock(FAR sem_t *sem)
  while ((ret = nxsem_wait(sem)) < 0)
      DEBUGASSERT(ret = -EINTR || ret = -ECANCELED);

That logic will makes it impossible to cancel the thread. Let me explain why:

  • The fact that -ECANCELED is occurring means that some other task tried to cancel this one.
  • The logic sequence is probably something like:
    • OS Function A is called by the application. Function A is a cancellation point. It calls enter_cancellation_point() on entry and leave_cancellation_point() on exit. If the application task is canceled, then the call to leave_cancellation_point() is where the task actually ends (by simply calling exit()).
    • OS Function A calls some internal Function B which has the above killer logic in it. It calls some_lock() and the task is suspended on waiting to get a count on the semaphore.
  • When the task is canceled, nxsem_wait() wakes up with the -ECANCELED error and returns that error to Function B. But because Function B just loops and calls nxsem_wait() again, the task does not terminate; it just goes back to waiting.

The end result is that Function B does not return to Function A so leave_cancellation_point() is never called and the task is not canceled. The fix requires a little re-design. The locking function would have to be like:

int some_lock(FAR sem_t *sem)
  while ((ret = nxsem_wait(sem)) < 0)
      DEBUGASSERT(ret = -EINTR || ret = -ECANCELED);
      if (ret != -EINTR)

  return ret;

It then returns a success/failure indication. Calling logic would also have to be modified to detect the failure case and handle it appropriately. In the case that the failure case, the calling logic (Function B in this example) needs to clean up and return the failure upstream (to Function A) which must also clean up. Then, eventually, leave_critical_section() will be called and the function will exit correctly.