Here's my take. Internally if a intentional errno is produced, the functions should cease motion and return -1 to indicate error.
However, these functions should probably guard against unintentional errno changes. Using save_errno method. I thought snprintf should maybe be a little different. I wondered if it should still accumulate an "usage estimate" in this case. It does not need to malloc, because the storage buffer is provided. Maybe that case already works out fine. Years ago I made positional arguments signal-handler safe using mmap. I really hope this doesn't mean snprintf has another late-allocation circumstance which uses signal-unsafe malloc -- that would suck. Recently we use dprintf in signal handlers. I hope it is safe, and doesn't need to malloc transient data.
