[musl] doubt about fork

[musl] doubt about fork

[guolongqiang]

[-- Attachment #1: Type: text/plain, Size: 281 bytes --]

Hello,
I have a problem about multi threads fork. The implement of fork not lock such as stdio file,
__thread_list_lock, or other global mutexs in musl libc before syscall of SYS_clone, this will
cause dead lock in child. Is this a bug?

Hope your response!
--Guo Longqiang

[-- Attachment #2: Type: text/html, Size: 2594 bytes --]

Re: [musl] doubt about fork

[Szabolcs Nagy]

* guolongqiang <guolongqiang@huawei.com> [2020-04-03 06:37:44 +0000]:
> Hello,
> I have a problem about multi threads fork. The implement of fork not lock such as stdio file,
> __thread_list_lock, or other global mutexs in musl libc before syscall of SYS_clone, this will
> cause dead lock in child. Is this a bug?

the standard is pretty clear that the child after fork
in a multi-threaded process can only do async-signal-safe
operations, anything that may lock is not as-safe.

https://pubs.opengroup.org/onlinepubs/9699919799/functions/fork.html

incidentally glibc tries to make certain operations work
in the child by taking libc internal locks before fork and
releasing them after, however that does not give strong
guarantees of stdio use in the child because glibc supports
malloc interposition and the interposed malloc can't
reliably handle fork (i.e locks may be held in the child)
so stdio (and all libc apis that may internally allocate)
can still deadlock i.e. you don't get more guarantees on
other implementations either than the standard.

> 
> Hope your response!
> --Guo Longqiang

Re: [musl] doubt about fork

[Rich Felker]

On Fri, Apr 03, 2020 at 11:28:54AM +0200, Szabolcs Nagy wrote:
> * guolongqiang <guolongqiang@huawei.com> [2020-04-03 06:37:44 +0000]:
> > Hello,
> > I have a problem about multi threads fork. The implement of fork not lock such as stdio file,
> > __thread_list_lock, or other global mutexs in musl libc before syscall of SYS_clone, this will
> > cause dead lock in child. Is this a bug?
> 
> the standard is pretty clear that the child after fork
> in a multi-threaded process can only do async-signal-safe
> operations, anything that may lock is not as-safe.
> 
> https://pubs.opengroup.org/onlinepubs/9699919799/functions/fork.html

Note that future editions of POSIX might change this by removing the
requirement that fork be AS-safe and adding _fork (I may be
misremembering the name but it's something like that) to be AS-safe.
So it's possible this could change in the future. But for now, indeed,
what you can do in the child if a multithreaded process forks is
extremely limited.

As an aside, musl will continue to track the standards, but personally
I'm against any such "improvements" to fork because I'm against fork
itself. Use of fork without immediate exec (that could be replaced by
posix_spawn or vfork) makes software incompatible with a MMU-less
environment and significantly harms security/hardening properties --
all potentially secret data from the parent that hasn't been scrubbed
leaks into the child where it might be disclosed later, and the child
lacks independent ASLR from the parent (see the classic Android Zygote
issue that completely undermined ASLR). It also significantly harms
memory usage accounting and performance by requiring that all of the
parent's memory usage continue to be charged against the child too
even if the child will not use most of it, and by converting all
writable pages in both the parent and child to copy-on-write (making
next access fault). Modern designs should serialize whatever data the
child is actually intending to use and spawn/exec a child that
deserializes it.

Rich