base/process/kill_mac.cc

   1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "base/process/kill.h"
   6
   7 #include <signal.h>
   8 #include <sys/event.h>
   9 #include <sys/types.h>
  10 #include <sys/wait.h>
  11
  12 #include "base/file_util.h"
  13 #include "base/logging.h"
  14 #include "base/posix/eintr_wrapper.h"
  15
  16 namespace base {
  17
  18 namespace {
  19
  20 const int kWaitBeforeKillSeconds = 2;
  21
  22 // Reap |child| process. This call blocks until completion.
  23 void BlockingReap(pid_t child) {
  24   const pid_t result = HANDLE_EINTR(waitpid(child, NULL, 0));
  25   if (result == -1) {
  26     DPLOG(ERROR) << "waitpid(" << child << ", NULL, 0)";
  27   }
  28 }
  29
  30 // Waits for |timeout| seconds for the given |child| to exit and reap it. If
  31 // the child doesn't exit within the time specified, kills it.
  32 //
  33 // This function takes two approaches: first, it tries to use kqueue to
  34 // observe when the process exits. kevent can monitor a kqueue with a
  35 // timeout, so this method is preferred to wait for a specified period of
  36 // time. Once the kqueue indicates the process has exited, waitpid will reap
  37 // the exited child. If the kqueue doesn't provide an exit event notification,
  38 // before the timeout expires, or if the kqueue fails or misbehaves, the
  39 // process will be mercilessly killed and reaped.
  40 //
  41 // A child process passed to this function may be in one of several states:
  42 // running, terminated and not yet reaped, and (apparently, and unfortunately)
  43 // terminated and already reaped. Normally, a process will at least have been
  44 // asked to exit before this function is called, but this is not required.
  45 // If a process is terminating and unreaped, there may be a window between the
  46 // time that kqueue will no longer recognize it and when it becomes an actual
  47 // zombie that a non-blocking (WNOHANG) waitpid can reap. This condition is
  48 // detected when kqueue indicates that the process is not running and a
  49 // non-blocking waitpid fails to reap the process but indicates that it is
  50 // still running. In this event, a blocking attempt to reap the process
  51 // collects the known-dying child, preventing zombies from congregating.
  52 //
  53 // In the event that the kqueue misbehaves entirely, as it might under a
  54 // EMFILE condition ("too many open files", or out of file descriptors), this
  55 // function will forcibly kill and reap the child without delay. This
  56 // eliminates another potential zombie vector. (If you're out of file
  57 // descriptors, you're probably deep into something else, but that doesn't
  58 // mean that zombies be allowed to kick you while you're down.)
  59 //
  60 // The fact that this function seemingly can be called to wait on a child
  61 // that's not only already terminated but already reaped is a bit of a
  62 // problem: a reaped child's pid can be reclaimed and may refer to a distinct
  63 // process in that case. The fact that this function can seemingly be called
  64 // to wait on a process that's not even a child is also a problem: kqueue will
  65 // work in that case, but waitpid won't, and killing a non-child might not be
  66 // the best approach.
  67 void WaitForChildToDie(pid_t child, int timeout) {
  68   DCHECK(child > 0);
  69   DCHECK(timeout > 0);
  70
  71   // DON'T ADD ANY EARLY RETURNS TO THIS FUNCTION without ensuring that
  72   // |child| has been reaped. Specifically, even if a kqueue, kevent, or other
  73   // call fails, this function should fall back to the last resort of trying
  74   // to kill and reap the process. Not observing this rule will resurrect
  75   // zombies.
  76
  77   int result;
  78
  79   int kq = HANDLE_EINTR(kqueue());
  80   if (kq == -1) {
  81     DPLOG(ERROR) << "kqueue()";
  82   } else {
  83     file_util::ScopedFD auto_close_kq(&kq);
  84
  85     struct kevent change = {0};
  86     EV_SET(&change, child, EVFILT_PROC, EV_ADD, NOTE_EXIT, 0, NULL);
  87     result = HANDLE_EINTR(kevent(kq, &change, 1, NULL, 0, NULL));
  88
  89     if (result == -1) {
  90       if (errno != ESRCH) {
  91         DPLOG(ERROR) << "kevent (setup " << child << ")";
  92       } else {
  93         // At this point, one of the following has occurred:
  94         // 1. The process has died but has not yet been reaped.
  95         // 2. The process has died and has already been reaped.
  96         // 3. The process is in the process of dying. It's no longer
  97         //    kqueueable, but it may not be waitable yet either. Mark calls
  98         //    this case the "zombie death race".
  99
 100         result = HANDLE_EINTR(waitpid(child, NULL, WNOHANG));
 101
 102         if (result != 0) {
 103           // A positive result indicates case 1. waitpid succeeded and reaped
 104           // the child. A result of -1 indicates case 2. The child has already
 105           // been reaped. In both of these cases, no further action is
 106           // necessary.
 107           return;
 108         }
 109
 110         // |result| is 0, indicating case 3. The process will be waitable in
 111         // short order. Fall back out of the kqueue code to kill it (for good
 112         // measure) and reap it.
 113       }
 114     } else {
 115       // Keep track of the elapsed time to be able to restart kevent if it's
 116       // interrupted.
 117       TimeDelta remaining_delta = TimeDelta::FromSeconds(timeout);
 118       TimeTicks deadline = TimeTicks::Now() + remaining_delta;
 119       result = -1;
 120       struct kevent event = {0};
 121       while (remaining_delta.InMilliseconds() > 0) {
 122         const struct timespec remaining_timespec = remaining_delta.ToTimeSpec();
 123         result = kevent(kq, NULL, 0, &event, 1, &remaining_timespec);
 124         if (result == -1 && errno == EINTR) {
 125           remaining_delta = deadline - TimeTicks::Now();
 126           result = 0;
 127         } else {
 128           break;
 129         }
 130       }
 131
 132       if (result == -1) {
 133         DPLOG(ERROR) << "kevent (wait " << child << ")";
 134       } else if (result > 1) {
 135         DLOG(ERROR) << "kevent (wait " << child << "): unexpected result "
 136                     << result;
 137       } else if (result == 1) {
 138         if ((event.fflags & NOTE_EXIT) &&
 139             (event.ident == static_cast<uintptr_t>(child))) {
 140           // The process is dead or dying. This won't block for long, if at
 141           // all.
 142           BlockingReap(child);
 143           return;
 144         } else {
 145           DLOG(ERROR) << "kevent (wait " << child
 146                       << "): unexpected event: fflags=" << event.fflags
 147                       << ", ident=" << event.ident;
 148         }
 149       }
 150     }
 151   }
 152
 153   // The child is still alive, or is very freshly dead. Be sure by sending it
 154   // a signal. This is safe even if it's freshly dead, because it will be a
 155   // zombie (or on the way to zombiedom) and kill will return 0 even if the
 156   // signal is not delivered to a live process.
 157   result = kill(child, SIGKILL);
 158   if (result == -1) {
 159     DPLOG(ERROR) << "kill(" << child << ", SIGKILL)";
 160   } else {
 161     // The child is definitely on the way out now. BlockingReap won't need to
 162     // wait for long, if at all.
 163     BlockingReap(child);
 164   }
 165 }
 166
 167 }  // namespace
 168
 169 void EnsureProcessTerminated(ProcessHandle process) {
 170   WaitForChildToDie(process, kWaitBeforeKillSeconds);
 171 }
 172
 173 }  // namespace base