Looking at this again, trying to simply unwind the syscall frames (i.e. without avoiding the `pthread_exit` call), it does not seem to be fully solving the issue.
I used `_Unwind_ForcedUnwind` the same way I previously did here, and it allows me to unwind syscall frames, by interleaving `_Unwind_ForcedUnwind` with `NtCallbackReturn` calls when appropriate. It even unwinds and executes handlers installed using `pthread_cleanup_push` / `pthread_cleanup_pop`, as long as the code is compiled with `-fexceptions`.
*However*, `pthread_cond_t` cleanup handlers are still causing trouble and crashes once the stack unwind is complete and `pthread_exit` is called. The reason is that, even though the glibc is probably compiled with `-fexceptions`, the condition variable cleanup handlers are not installed using `pthread_cleanup_push` but an internal version of them, which always uses the pthread thread-local cleanup handler linked list instead of personality routines. The thread-local cleanup handler list is not flushed by `_Unwind_ForcedUnwind` and only `pthread_cancel` / `pthread_exit` can, without offering the ability to interleave their unwinding with custom code.
A possible solution would be to get rid of the thread-local unwind handlers by calling this internal pthread function, but it's much uglier than all the other solutions explored here:
```c
struct _pthread_cleanup_buffer buffer = {0};
_pthread_cleanup_pop( &buffer, FALSE );
```
Another possibility would be to give up the unwinding control and let `pthread_exit` do it, but expose personality routines for the syscall dispatchers to unwind the frames. I don't know how to write custom personality routines and hook them where pthread would find them though.