From: Igmar Palsenberg <igmar@palsenberg.com>
To: musl@lists.openwall.com
Subject: Re: abort() fails to terminate PID 1 process
Date: Sun, 3 Jul 2016 12:43:59 +0200 (CEST) [thread overview]
Message-ID: <alpine.LRH.2.20.1607031237430.3868@s1.palsenberg.com> (raw)
In-Reply-To: <20160620194110.GM10893@brightrain.aerifal.cx>
> > That rule doesn't apply to pid 1 by default. Pid 1 should be a proper init
> > system, not a full-blown application that makes the system blow up on
> > every error.
>
> abort is specified to terminate the process no matter what.
Yes. But as mentioned: pid 1 is an exception to this.
> For it to
> ever be able to return is a serious bug since both the compiler and
> the programmer can assume any code after abort() is unreachable.
This specific case talked about pid 1. pid 1 has kernel protection, normal
userspace processes don't. In that case, the normal assumptions don't hold
up.
> At
> present musl avoids this worst-case failure (wrongfully returning)
> with an infinite loop, but that's just a fail-safe. The intent is that
> it terminate, and in particular, terminate abnormally as specified,
> which we don't do enough to guarantee (SIGKILL is not "abnormal"
> termination). So there's definitely work to be done to fix this. It's
> an issue I've been aware of for a long time but the kernel makes it
> painful to reliably produce abnormal termination without race
> conditions.
Can this even be reproduced under normal circumstances (aka: not pid 1)?
If yes, then I agree: it's a bug. If no: then not. If people have a
broken container init system, then it breaks and they keep the pieces.
> > Well, normally abort() does some signal magic, and then raises again.
> > Which is what POSIX mandates I think.
>
> To make this work reliably I think we need to make abort() take a lock
> that precludes further calls to sigaction prior to re-raising SIGABRT
> and resetting the disposition. But there are all sorts of
> complications to deal with. For example if another thread performs
> posix_spawn or fork and exec concurrent with abort() munging the
> disposition of SIGABRT, the child process could start with the wrong
> disposition for SIGABRT, which would be non-conforming. Finding ways
> to fix all places where the wrong behavior may be observable is a
> nontrivial problem.
Does the whole guaranteed termination also include threaded programs?
> > If you're pid 1 however, you should behave like one.
>
> I tend to agree, but if you're libc you should also behave as
> specified, and currently we don't in this regard.
Sure, but as mentioned: normal rules don't apply to pid 1.
Igmar
Thread overview: 18+ messages
2016-06-18 20:32 Karl Böhlmark
2016-06-19 1:20 ` nathan
2016-06-20 9:02 ` Igmar Palsenberg
2016-06-20 10:04 ` Szabolcs Nagy
2016-06-20 12:00 ` Igmar Palsenberg
2016-06-20 19:41 ` Rich Felker
2016-07-03 10:43 ` Igmar Palsenberg [this message]
2016-07-03 13:58 ` Rich Felker
2016-07-03 19:58 ` Laurent Bercot
2016-07-03 20:01 ` Rich Felker
2016-07-03 20:20 ` Laurent Bercot
2016-07-03 20:24 ` Rich Felker
2016-07-04 13:38 ` Igmar Palsenberg
2016-07-04 13:37 ` Igmar Palsenberg
2016-07-05 3:07 ` Rich Felker
2016-07-30 21:24 ` Igmar Palsenberg
2016-06-20 10:29 ` Natanael Copa
2016-07-03 22:03 ` Rich Felker