From: Rich Felker <dalias@libc.org>
To: musl@lists.openwall.com
Subject: Re: [musl] Restrictions on child context after multithreaded fork
Date: Sat, 15 Aug 2020 23:57:59 -0400 [thread overview]
Message-ID: <20200816035759.GW3265@brightrain.aerifal.cx> (raw)
In-Reply-To: <20200814214136.GP3265@brightrain.aerifal.cx>
On Fri, Aug 14, 2020 at 05:41:38PM -0400, Rich Felker wrote:
> This is largely because glibc attempts to make the erroneous usage by
> these libraries work (more on that below).
>
> [...]
>
> In case we do want to follow a direction of trying to provide some
> degree of relaxation of restrictions on the child (taking the liberty
> of POSIX-future drop of fork's AS-safety requirement), I did a quick
> survey of libc-internal locks, and found:
>
> - at_quick_exit
> - atexit
> - dlerror
> - gettext
> - malloc
> - pthread_atfork (already necessarily held at fork)
> - random
> - sem_open
> - stdio open file list (vs individual FILEs)
> - syslog
> - timezone
>
> This list looks tractable. Aside from malloc, whose locks would need
> to be taken last since the others may call malloc, these don't seem to
> have any lock order dependencies between them, and each one's lock
> functions could be provided as strong overrides to weak no-op
> definitions in fork.c.
On some inspection, glibc does not actually attempt to make the child
environment unrestricted. The only things it does around fork are:
- obtain/release malloc locks (makes malloc work reliably in the
child)
- obtain stdio file list lock in parent, release in parent, reset in
child (probably makes fopen work in the child, but I see no reason
why the child resets the lock rather than just unlocking it)
- reset FILE locks in child (necessarily leads to accessing
inconsistent or corrupt state if they're ever used in the child)
- reset dynamic linker lock in child (AFAICT, necessarily leads to
accessing inconsistent or corrupt state in child if any dynamic
linker functions are ever used in the child, possibly including via
the lazy resolver (!!))
So pretty much the *only* thing glibc attempts to make work
"correctly" in the MT-forked-child context is malloc. Everything else
is either ignored (see all of the above I found for musl, plus lots
more things that are glibc-specific) or actively broken by the special
handling at fork time.
In light of this, I think it's very reasonable that the new POSIX
direction is just allowing implementations that make fork non-AS-safe,
but not allowing the application to assume anything new. "It's
AS-unsafe, except malloc works" is a really weird and arbitrary
restriction. This reassures me that we really should be working to get
the broken application/library code here fixed, rather than trying to
accommodate it, unless there's a major change in direction where
multiple implementors want to agree to make this really work "right".
Rich
next prev parent reply other threads:[~2020-08-16 3:58 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-08-14 21:41 Rich Felker
2020-08-14 22:02 ` Florian Weimer
2020-08-14 22:14 ` Rich Felker
2020-08-15 0:47 ` A. Wilcox
2020-08-15 2:40 ` Rich Felker
2020-08-15 2:07 ` Ariadne Conill
2020-08-15 3:02 ` Rich Felker
2020-08-15 6:51 ` Timo Teras
2020-08-15 11:51 ` Natanael Copa
2020-08-15 16:25 ` Rich Felker
2020-08-16 1:27 ` Rich Felker
2020-08-16 12:48 ` Natanael Copa
2020-08-16 3:57 ` Rich Felker [this message]
2020-08-16 9:10 ` Florian Weimer
2020-08-16 16:56 ` Rich Felker
2020-08-16 17:11 ` Florian Weimer
2020-08-16 18:33 ` Rich Felker
2020-08-16 7:05 ` Pirmin Walthert
2020-08-16 16:55 ` Rich Felker
2020-09-30 18:38 ` Rich Felker
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200816035759.GW3265@brightrain.aerifal.cx \
--to=dalias@libc.org \
--cc=musl@lists.openwall.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/musl/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).