mailing list of musl libc
From: Rich Felker <dalias@aerifal.cx>
To: musl@lists.openwall.com
Subject: Re: vfork replacement proposal
Date: Sun, 3 Feb 2013 13:49:23 -0500	[thread overview]
Message-ID: <20130203184923.GA20323@brightrain.aerifal.cx> (raw)
In-Reply-To: <20121231203416.GA19960@brightrain.aerifal.cx>

On Mon, Dec 31, 2012 at 03:34:17PM -0500, Rich Felker wrote:
> I've been looking for a viable replacement of the vfork usage in musl
> for a while, since it has two serious problems:
> 
> 1. strace is buggy and causes the parent and child to run
> simultaneously on the same stack under vfork when the process is being
> traced. Binaries which can crash or go crazy under strace are highly
> undesirable, even if the fault is with strace.
> 
> 2. While current compilers don't do this, the compiler is conceptually
> free to generate code that clobbers parts of the stack that still need
> to be used by the parent when it determines they are no longer needed
> in the child.
> 
> The affected functions are posix_spawn[p], system, and popen.
> 
> My new proposed design for these functions is:

I've implemented the new design and it seems to be working. After a
few more checks, I'll commit it and see if anybody can give it some
stress testing.

> 4. In the child, close the read end of the pipe and then shuffle file
> descriptors as needed (for setting up stdin/out for popen, or file
> actions for posix_spawn[p]), but with the added stipulations A-C:
> 
> A. Before closing or dup2'ing onto a file descriptor in file actions,
> check to see if it's occupied by the pipe fd, and if so, use fcntl
> F_DUPFD_CLOEXEC to move it to a new number first.
> 
> B. Before calling open in file actions, always use fcntl with
> F_DUPFD_CLOEXEC and close the original pipe fd, to ensure that the
> pipe is never occupying the otherwise-lowest-available fd number.

I was wrong about (B); the "open" file action does not assign the
lowest-available fd, but a caller-chosen fd. Thus, for our purposes,
it's just like close or dup2, targeting a known fd number. This means
the same logic can be used for all three operations, and it can be
based on dup() rather than F_DUPFD_CLOEXEC. Note that F_DUPFD_CLOEXEC
is actually not viable because it's missing on slightly-old kernels
(up through mid 2.6 series), but we don't need atomicity anyway since
this thread/process is fully under posix_spawn's control.

Also, I think it would be possible to abandon the "shuffling" logic
and compute in advance a safe fd number to put the pipe on. 

Finally, it seems posix_spawn will be sufficient as a backend for
implementing popen, wordexp, and system, so I just put all the logic
in posix_spawn itself rather than trying to design a more abstract API
with callbacks for the specific caller case.

Rich
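
The relocation rule from the message above (before each file action that targets fd N, check whether the CLOEXEC status pipe currently sits on N and, if so, dup() it elsewhere first), shown as an added example. This is not musl's code, and the names (file_action, relocate_pipe, apply_file_actions, demo_collision) are invented for the illustration; the child-side loop is run in-process, without fork or exec, so the pipe can be inspected afterwards. It uses plain dup() plus F_SETFD rather than F_DUPFD_CLOEXEC, as the post suggests, and re-checks before every action because dup() returns the lowest free fd, so a later action can collide with the relocated pipe again.

```c
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* One posix_spawn-style file action. All three kinds name a caller-chosen
 * target fd, which is the property the post relies on. (Names are ours.) */
enum fa_type { FA_CLOSE, FA_DUP2, FA_OPEN };
struct file_action {
    enum fa_type type;
    int fd;            /* target fd for close, dup2 and open */
    int srcfd;         /* FA_DUP2 only */
    const char *path;  /* FA_OPEN only */
    int oflag;         /* FA_OPEN only */
    mode_t mode;       /* FA_OPEN only */
};

/* If the CLOEXEC status pipe sits on the fd an action is about to target,
 * move it with plain dup() and re-mark it close-on-exec (dup() does not
 * copy FD_CLOEXEC). Returns the pipe's current fd, or -1 with errno set. */
int relocate_pipe(int pipefd, int target)
{
    if (pipefd != target) return pipefd;
    int newfd = dup(pipefd);
    if (newfd < 0) return -1;
    if (fcntl(newfd, F_SETFD, FD_CLOEXEC) < 0) {
        int e = errno; close(newfd); errno = e; return -1;
    }
    close(pipefd);
    return newfd;
}

/* Child-side loop: apply actions in order, relocating the pipe before each.
 * Returns 0 or a positive errno; *pipefd is kept current so the caller can
 * still report an exec() failure through the pipe afterwards. */
int apply_file_actions(int *pipefd, const struct file_action *fa, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        int p = relocate_pipe(*pipefd, fa[i].fd);
        if (p < 0) return errno;
        *pipefd = p;
        switch (fa[i].type) {
        case FA_CLOSE:
            /* closing an already-closed target is tolerated in this demo */
            if (close(fa[i].fd) < 0 && errno != EBADF) return errno;
            break;
        case FA_DUP2:
            /* added check: the pipe is invisible to the caller, so a source
             * fd naming it is a bad fd from the caller's point of view */
            if (fa[i].srcfd == *pipefd) return EBADF;
            if (dup2(fa[i].srcfd, fa[i].fd) < 0) return errno;
            break;
        case FA_OPEN: {
            int tmp = open(fa[i].path, fa[i].oflag, fa[i].mode);
            if (tmp < 0) return errno;
            if (tmp != fa[i].fd) {
                if (dup2(tmp, fa[i].fd) < 0) { int e = errno; close(tmp); return e; }
                close(tmp);
            }
            break;
        }
        }
    }
    return 0;
}

/* Self-check: force two collisions in a row and confirm the pipe survives.
 * Returns 0 if every check passes, else the number of the failed check. */
int demo_collision(void)
{
    int p[2];
    if (pipe(p) < 0) return 1;
    if (fcntl(p[1], F_SETFD, FD_CLOEXEC) < 0) return 2;
    int pipefd = p[1], orig = p[1];
    int probe = dup(p[1]); close(probe);   /* where the first dup() will land */
    /* constructed actions: first targets the pipe's fd, second the fd it moves to */
    struct file_action fa[] = {
        { FA_OPEN,  orig,  -1, "/dev/null", O_WRONLY, 0 },
        { FA_CLOSE, probe, -1, NULL,        0,        0 },
    };
    if (apply_file_actions(&pipefd, fa, 2) != 0) return 3;
    if (pipefd == orig || pipefd == probe) return 4;
    if (!(fcntl(pipefd, F_GETFD) & FD_CLOEXEC)) return 5;
    char c = 0;
    if (write(pipefd, "x", 1) != 1 || read(p[0], &c, 1) != 1 || c != 'x') return 6;
    if ((fcntl(orig, F_GETFL) & O_ACCMODE) != O_WRONLY) return 7;   /* now /dev/null */
    if (fcntl(probe, F_GETFD) >= 0) return 8;                        /* closed */
    close(p[0]); close(pipefd); close(orig);
    return 0;
}

int main(void)
{
    int r = demo_collision();
    printf("demo_collision: %s (%d)\n", r == 0 ? "ok" : "FAILED", r);
    return r;
}
```

The probe trick in demo_collision only works because nothing else touches the fd table between the probe and the first action; it exists to show the second collision, not as something a real spawn path would do.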



Thread overview: 4+ messages
2012-12-31 20:34 Rich Felker
2013-02-03 18:49 ` Rich Felker [this message]
2013-02-03 20:36   ` Szabolcs Nagy
2013-02-03 20:47     ` Rich Felker

Code repositories for project(s) associated with this public inbox

	https://git.vuxu.org/mirror/musl/