From: Rich Felker
To: musl@lists.openwall.com
Newsgroups: gmane.linux.lib.musl.general
Subject: Re: vfork replacement proposal
Date: Sun, 3 Feb 2013 13:49:23 -0500
Message-ID: <20130203184923.GA20323@brightrain.aerifal.cx>
In-Reply-To: <20121231203416.GA19960@brightrain.aerifal.cx>

On Mon, Dec 31, 2012 at 03:34:17PM -0500, Rich Felker wrote:
> I've been looking for a viable replacement of the vfork usage in musl
> for a while, since it has two serious problems:
>
> 1. strace is buggy and causes the parent and child to run
> simultaneously on the same stack under vfork when the process is being
> traced. Binaries which can crash or go crazy under strace are highly
> undesirable, even if the fault is with strace.
>
> 2. While current compilers don't do this, the compiler is conceptually
> free to generate code that clobbers parts of the stack that still need
> to be used by the parent when it determines they are no longer needed
> in the child.
>
> The affected functions are posix_spawn[p], system, and popen.
>
> My new proposed design for these functions is:

I've implemented the new design and it seems to be working. After a
few more checks, I'll commit it and see if anybody can give it some
stress testing.

> 4. In the child, close the read end of the pipe and then shuffle file
> descriptors as needed (for setting up stdin/out for popen, or file
> actions for posix_spawn[p]), but with the added stipulations A-C:
>
> A. Before closing or dup2'ing onto a file descriptor in file actions,
> check to see if it's occupied by the pipe fd, and if so, use fcntl
> F_DUPFD_CLOEXEC to move it to a new number first.
>
> B. Before calling open in file actions, always use fcntl with
> F_DUPFD_CLOEXEC and close the original pipe fd, to ensure that the
> pipe is never occupying the otherwise-lowest-available fd number.

I was wrong about (B); the "open" file action does not assign the
lowest-available fd, but a caller-chosen fd. Thus, for our purposes,
it's just like close or dup2, targeting a known fd number. This means
the same logic can be used for all three operations, and it can be
based on dup() rather than F_DUPFD_CLOEXEC. Note that F_DUPFD_CLOEXEC
is actually not viable because it's missing on slightly-old kernels
(up through mid 2.6 series), but we don't need atomicity anyway since
this thread/process is fully under posix_spawn's control.

Also, I think it would be possible to abandon the "shuffling" logic
and compute in advance a safe fd number to put the pipe on.

Finally, it seems posix_spawn will be sufficient as a backend for
implementing popen, wordexp, and system, so I just put all the logic
in posix_spawn itself rather than trying to design a more abstract API
with callbacks for the specific caller case.

Rich
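The fd-relocation step the message settles on (one dup()-based check shared by the close, dup2 and open file actions, run in the child before each action touches its target fd), as an added example that is not musl's code; struct file_action, move_pipe_off and apply_action are names invented for this example.

```c
/* Added example (not musl's code): before a file action closes, dup2's
 * onto, or opens at a caller-chosen fd in the child, relocate the
 * error-reporting pipe with plain dup() if that fd is the one it occupies. */
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>
enum fa_kind { FA_CLOSE, FA_DUP2, FA_OPEN };
struct file_action {
    enum fa_kind kind;
    int fd;           /* fd the action targets: close, dup2 dest, open dest */
    int srcfd;        /* source fd for FA_DUP2 */
    const char *path; /* path, flags and mode for FA_OPEN */
    int oflag; mode_t mode;
};
/* If *pipefd is the action's target, dup() the pipe to a fresh number and
 * close the old one. F_DUPFD_CLOEXEC is avoided (missing on older kernels);
 * the child needs no atomicity, so FD_CLOEXEC is set afterwards. */
static int move_pipe_off(int *pipefd, int target)
{
    if (*pipefd != target) return 0;
    int nfd = dup(*pipefd);
    if (nfd < 0) return -1;
    fcntl(nfd, F_SETFD, FD_CLOEXEC);
    close(*pipefd);
    *pipefd = nfd;
    return 0;
}

/* Apply one file action in the child after protecting the pipe.
 * Returns 0 on success, or the errno value to report back to the parent. */
static int apply_action(int *pipefd, const struct file_action *a)
{
    if (move_pipe_off(pipefd, a->fd)) return errno;
    switch (a->kind) {
    case FA_CLOSE:
        close(a->fd); /* target may already be closed (e.g. the moved pipe) */
        return 0;
    case FA_DUP2:
        return dup2(a->srcfd, a->fd) < 0 ? errno : 0;
    case FA_OPEN: {
        int fd = open(a->path, a->oflag, a->mode);
        if (fd < 0) return errno;
        if (fd == a->fd) return 0; /* open already landed on the requested fd */
        int r = dup2(fd, a->fd) < 0 ? errno : 0;
        close(fd);
        return r;
    }
    }
    return EINVAL;
}
```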