search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Pin Chrome's shortcut to the Win10 Start menu on install and OS upgrade.
[chromium-blink-merge.git] / base / process / launch_posix.cc
blob99d8e3aa64da8963aa212542bb7871d3a6c642d7
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "base/process/launch.h"
6
7 #include <dirent.h>
8 #include <errno.h>
9 #include <fcntl.h>
10 #include <sched.h>
11 #include <setjmp.h>
12 #include <signal.h>
13 #include <stdlib.h>
14 #include <sys/resource.h>
15 #include <sys/syscall.h>
16 #include <sys/time.h>
17 #include <sys/types.h>
18 #include <sys/wait.h>
19 #include <unistd.h>
20
21 #include <iterator>
22 #include <limits>
23 #include <set>
24
25 #include "base/allocator/type_profiler_control.h"
26 #include "base/command_line.h"
27 #include "base/compiler_specific.h"
28 #include "base/debug/debugger.h"
29 #include "base/debug/stack_trace.h"
30 #include "base/files/dir_reader_posix.h"
31 #include "base/files/file_util.h"
32 #include "base/files/scoped_file.h"
33 #include "base/logging.h"
34 #include "base/memory/scoped_ptr.h"
35 #include "base/posix/eintr_wrapper.h"
36 #include "base/process/process.h"
37 #include "base/process/process_metrics.h"
38 #include "base/strings/stringprintf.h"
39 #include "base/synchronization/waitable_event.h"
40 #include "base/third_party/dynamic_annotations/dynamic_annotations.h"
41 #include "base/third_party/valgrind/valgrind.h"
42 #include "base/threading/platform_thread.h"
43 #include "base/threading/thread_restrictions.h"
44 #include "build/build_config.h"
45
46 #if defined(OS_LINUX)
47 #include <sys/prctl.h>
48 #endif
49
50 #if defined(OS_CHROMEOS)
51 #include <sys/ioctl.h>
52 #endif
53
54 #if defined(OS_FREEBSD)
55 #include <sys/event.h>
56 #include <sys/ucontext.h>
57 #endif
58
59 #if defined(OS_MACOSX)
60 #include <crt_externs.h>
61 #include <sys/event.h>
62 #else
63 extern char** environ;
64 #endif
65
66 namespace base {
67
68 #if !defined(OS_NACL_NONSFI)
69
70 namespace {
71
72 // Get the process's "environment" (i.e. the thing that setenv/getenv
73 // work with).
74 char** GetEnvironment() {
75 #if defined(OS_MACOSX)
76 return *_NSGetEnviron();
77 #else
78 return environ;
79 #endif
80 }
81
82 // Set the process's "environment" (i.e. the thing that setenv/getenv
83 // work with).
84 void SetEnvironment(char** env) {
85 #if defined(OS_MACOSX)
86 *_NSGetEnviron() = env;
87 #else
88 environ = env;
89 #endif
90 }
91
92 // Set the calling thread's signal mask to new_sigmask and return
93 // the previous signal mask.
94 sigset_t SetSignalMask(const sigset_t& new_sigmask) {
95 sigset_t old_sigmask;
96 #if defined(OS_ANDROID)
97 // POSIX says pthread_sigmask() must be used in multi-threaded processes,
98 // but Android's pthread_sigmask() was broken until 4.1:
99 // https://code.google.com/p/android/issues/detail?id=15337
100 // http://stackoverflow.com/questions/13777109/pthread-sigmask-on-android-not-working
101 RAW_CHECK(sigprocmask(SIG_SETMASK, &new_sigmask, &old_sigmask) == 0);
102 #else
103 RAW_CHECK(pthread_sigmask(SIG_SETMASK, &new_sigmask, &old_sigmask) == 0);
104 #endif
105 return old_sigmask;
106 }
107
108 #if !defined(OS_LINUX) || \
109 (!defined(__i386__) && !defined(__x86_64__) && !defined(__arm__))
110 void ResetChildSignalHandlersToDefaults() {
111 // The previous signal handlers are likely to be meaningless in the child's
112 // context so we reset them to the defaults for now. http://crbug.com/44953
113 // These signal handlers are set up at least in browser_main_posix.cc:
114 // BrowserMainPartsPosix::PreEarlyInitialization and stack_trace_posix.cc:
115 // EnableInProcessStackDumping.
116 signal(SIGHUP, SIG_DFL);
117 signal(SIGINT, SIG_DFL);
118 signal(SIGILL, SIG_DFL);
119 signal(SIGABRT, SIG_DFL);
120 signal(SIGFPE, SIG_DFL);
121 signal(SIGBUS, SIG_DFL);
122 signal(SIGSEGV, SIG_DFL);
123 signal(SIGSYS, SIG_DFL);
124 signal(SIGTERM, SIG_DFL);
125 }
126
127 #else
128
129 // TODO(jln): remove the Linux special case once kernels are fixed.
130
131 // Internally the kernel makes sigset_t an array of long large enough to have
132 // one bit per signal.
133 typedef uint64_t kernel_sigset_t;
134
135 // This is what struct sigaction looks like to the kernel at least on X86 and
136 // ARM. MIPS, for instance, is very different.
137 struct kernel_sigaction {
138 void* k_sa_handler; // For this usage it only needs to be a generic pointer.
139 unsigned long k_sa_flags;
140 void* k_sa_restorer; // For this usage it only needs to be a generic pointer.
141 kernel_sigset_t k_sa_mask;
142 };
143
144 // glibc's sigaction() will prevent access to sa_restorer, so we need to roll
145 // our own.
146 int sys_rt_sigaction(int sig, const struct kernel_sigaction* act,
147 struct kernel_sigaction* oact) {
148 return syscall(SYS_rt_sigaction, sig, act, oact, sizeof(kernel_sigset_t));
149 }
150
151 // This function is intended to be used in between fork() and execve() and will
152 // reset all signal handlers to the default.
153 // The motivation for going through all of them is that sa_restorer can leak
154 // from parents and help defeat ASLR on buggy kernels. We reset it to NULL.
155 // See crbug.com/177956.
156 void ResetChildSignalHandlersToDefaults(void) {
157 for (int signum = 1; ; ++signum) {
158 struct kernel_sigaction act = {0};
159 int sigaction_get_ret = sys_rt_sigaction(signum, NULL, &act);
160 if (sigaction_get_ret && errno == EINVAL) {
161 #if !defined(NDEBUG)
162 // Linux supports 32 real-time signals from 33 to 64.
163 // If the number of signals in the Linux kernel changes, someone should
164 // look at this code.
165 const int kNumberOfSignals = 64;
166 RAW_CHECK(signum == kNumberOfSignals + 1);
167 #endif // !defined(NDEBUG)
168 break;
169 }
170 // All other failures are fatal.
171 if (sigaction_get_ret) {
172 RAW_LOG(FATAL, "sigaction (get) failed.");
173 }
174
175 // The kernel won't allow to re-set SIGKILL or SIGSTOP.
176 if (signum != SIGSTOP && signum != SIGKILL) {
177 act.k_sa_handler = reinterpret_cast<void*>(SIG_DFL);
178 act.k_sa_restorer = NULL;
179 if (sys_rt_sigaction(signum, &act, NULL)) {
180 RAW_LOG(FATAL, "sigaction (set) failed.");
181 }
182 }
183 #if !defined(NDEBUG)
184 // Now ask the kernel again and check that no restorer will leak.
185 if (sys_rt_sigaction(signum, NULL, &act) || act.k_sa_restorer) {
186 RAW_LOG(FATAL, "Cound not fix sa_restorer.");
187 }
188 #endif // !defined(NDEBUG)
189 }
190 }
191 #endif // !defined(OS_LINUX) ||
192 // (!defined(__i386__) && !defined(__x86_64__) && !defined(__arm__))
193 } // anonymous namespace
194
195 // Functor for |ScopedDIR| (below).
196 struct ScopedDIRClose {
197 inline void operator()(DIR* x) const {
198 if (x)
199 closedir(x);
200 }
201 };
202
203 // Automatically closes |DIR*|s.
204 typedef scoped_ptr<DIR, ScopedDIRClose> ScopedDIR;
205
206 #if defined(OS_LINUX)
207 static const char kFDDir[] = "/proc/self/fd";
208 #elif defined(OS_MACOSX)
209 static const char kFDDir[] = "/dev/fd";
210 #elif defined(OS_SOLARIS)
211 static const char kFDDir[] = "/dev/fd";
212 #elif defined(OS_FREEBSD)
213 static const char kFDDir[] = "/dev/fd";
214 #elif defined(OS_OPENBSD)
215 static const char kFDDir[] = "/dev/fd";
216 #elif defined(OS_ANDROID)
217 static const char kFDDir[] = "/proc/self/fd";
218 #endif
219
220 void CloseSuperfluousFds(const base::InjectiveMultimap& saved_mapping) {
221 // DANGER: no calls to malloc or locks are allowed from now on:
222 // http://crbug.com/36678
223
224 // Get the maximum number of FDs possible.
225 size_t max_fds = GetMaxFds();
226
227 DirReaderPosix fd_dir(kFDDir);
228 if (!fd_dir.IsValid()) {
229 // Fallback case: Try every possible fd.
230 for (size_t i = 0; i < max_fds; ++i) {
231 const int fd = static_cast<int>(i);
232 if (fd == STDIN_FILENO || fd == STDOUT_FILENO || fd == STDERR_FILENO)
233 continue;
234 // Cannot use STL iterators here, since debug iterators use locks.
235 size_t j;
236 for (j = 0; j < saved_mapping.size(); j++) {
237 if (fd == saved_mapping[j].dest)
238 break;
239 }
240 if (j < saved_mapping.size())
241 continue;
242
243 // Since we're just trying to close anything we can find,
244 // ignore any error return values of close().
245 close(fd);
246 }
247 return;
248 }
249
250 const int dir_fd = fd_dir.fd();
251
252 for ( ; fd_dir.Next(); ) {
253 // Skip . and .. entries.
254 if (fd_dir.name()[0] == '.')
255 continue;
256
257 char *endptr;
258 errno = 0;
259 const long int fd = strtol(fd_dir.name(), &endptr, 10);
260 if (fd_dir.name()[0] == 0 || *endptr || fd < 0 || errno)
261 continue;
262 if (fd == STDIN_FILENO || fd == STDOUT_FILENO || fd == STDERR_FILENO)
263 continue;
264 // Cannot use STL iterators here, since debug iterators use locks.
265 size_t i;
266 for (i = 0; i < saved_mapping.size(); i++) {
267 if (fd == saved_mapping[i].dest)
268 break;
269 }
270 if (i < saved_mapping.size())
271 continue;
272 if (fd == dir_fd)
273 continue;
274
275 // When running under Valgrind, Valgrind opens several FDs for its
276 // own use and will complain if we try to close them. All of
277 // these FDs are >= |max_fds|, so we can check against that here
278 // before closing. See https://bugs.kde.org/show_bug.cgi?id=191758
279 if (fd < static_cast<int>(max_fds)) {
280 int ret = IGNORE_EINTR(close(fd));
281 DPCHECK(ret == 0);
282 }
283 }
284 }
285
286 Process LaunchProcess(const CommandLine& cmdline,
287 const LaunchOptions& options) {
288 return LaunchProcess(cmdline.argv(), options);
289 }
290
291 Process LaunchProcess(const std::vector<std::string>& argv,
292 const LaunchOptions& options) {
293 size_t fd_shuffle_size = 0;
294 if (options.fds_to_remap) {
295 fd_shuffle_size = options.fds_to_remap->size();
296 }
297
298 InjectiveMultimap fd_shuffle1;
299 InjectiveMultimap fd_shuffle2;
300 fd_shuffle1.reserve(fd_shuffle_size);
301 fd_shuffle2.reserve(fd_shuffle_size);
302
303 scoped_ptr<char* []> argv_cstr(new char* [argv.size() + 1]);
304 for (size_t i = 0; i < argv.size(); i++) {
305 argv_cstr[i] = const_cast<char*>(argv[i].c_str());
306 }
307 argv_cstr[argv.size()] = NULL;
308
309 scoped_ptr<char*[]> new_environ;
310 char* const empty_environ = NULL;
311 char* const* old_environ = GetEnvironment();
312 if (options.clear_environ)
313 old_environ = &empty_environ;
314 if (!options.environ.empty())
315 new_environ = AlterEnvironment(old_environ, options.environ);
316
317 sigset_t full_sigset;
318 sigfillset(&full_sigset);
319 const sigset_t orig_sigmask = SetSignalMask(full_sigset);
320
321 const char* current_directory = nullptr;
322 if (!options.current_directory.empty()) {
323 current_directory = options.current_directory.value().c_str();
324 }
325
326 pid_t pid;
327 #if defined(OS_LINUX)
328 if (options.clone_flags) {
329 // Signal handling in this function assumes the creation of a new
330 // process, so we check that a thread is not being created by mistake
331 // and that signal handling follows the process-creation rules.
332 RAW_CHECK(
333 !(options.clone_flags & (CLONE_SIGHAND | CLONE_THREAD | CLONE_VM)));
334
335 // We specify a null ptid and ctid.
336 RAW_CHECK(
337 !(options.clone_flags &
338 (CLONE_CHILD_CLEARTID | CLONE_CHILD_SETTID | CLONE_PARENT_SETTID)));
339
340 // Since we use waitpid, we do not support custom termination signals in the
341 // clone flags.
342 RAW_CHECK((options.clone_flags & 0xff) == 0);
343
344 pid = ForkWithFlags(options.clone_flags | SIGCHLD, nullptr, nullptr);
345 } else
346 #endif
347 {
348 pid = fork();
349 }
350
351 // Always restore the original signal mask in the parent.
352 if (pid != 0) {
353 SetSignalMask(orig_sigmask);
354 }
355
356 if (pid < 0) {
357 DPLOG(ERROR) << "fork";
358 return Process();
359 } else if (pid == 0) {
360 // Child process
361
362 // DANGER: no calls to malloc or locks are allowed from now on:
363 // http://crbug.com/36678
364
365 // DANGER: fork() rule: in the child, if you don't end up doing exec*(),
366 // you call _exit() instead of exit(). This is because _exit() does not
367 // call any previously-registered (in the parent) exit handlers, which
368 // might do things like block waiting for threads that don't even exist
369 // in the child.
370
371 // If a child process uses the readline library, the process block forever.
372 // In BSD like OSes including OS X it is safe to assign /dev/null as stdin.
373 // See http://crbug.com/56596.
374 base::ScopedFD null_fd(HANDLE_EINTR(open("/dev/null", O_RDONLY)));
375 if (!null_fd.is_valid()) {
376 RAW_LOG(ERROR, "Failed to open /dev/null");
377 _exit(127);
378 }
379
380 int new_fd = HANDLE_EINTR(dup2(null_fd.get(), STDIN_FILENO));
381 if (new_fd != STDIN_FILENO) {
382 RAW_LOG(ERROR, "Failed to dup /dev/null for stdin");
383 _exit(127);
384 }
385
386 if (options.new_process_group) {
387 // Instead of inheriting the process group ID of the parent, the child
388 // starts off a new process group with pgid equal to its process ID.
389 if (setpgid(0, 0) < 0) {
390 RAW_LOG(ERROR, "setpgid failed");
391 _exit(127);
392 }
393 }
394
395 // Stop type-profiler.
396 // The profiler should be stopped between fork and exec since it inserts
397 // locks at new/delete expressions. See http://crbug.com/36678.
398 base::type_profiler::Controller::Stop();
399
400 if (options.maximize_rlimits) {
401 // Some resource limits need to be maximal in this child.
402 for (size_t i = 0; i < options.maximize_rlimits->size(); ++i) {
403 const int resource = (*options.maximize_rlimits)[i];
404 struct rlimit limit;
405 if (getrlimit(resource, &limit) < 0) {
406 RAW_LOG(WARNING, "getrlimit failed");
407 } else if (limit.rlim_cur < limit.rlim_max) {
408 limit.rlim_cur = limit.rlim_max;
409 if (setrlimit(resource, &limit) < 0) {
410 RAW_LOG(WARNING, "setrlimit failed");
411 }
412 }
413 }
414 }
415
416 #if defined(OS_MACOSX)
417 RestoreDefaultExceptionHandler();
418 if (!options.replacement_bootstrap_name.empty())
419 ReplaceBootstrapPort(options.replacement_bootstrap_name);
420 #endif // defined(OS_MACOSX)
421
422 ResetChildSignalHandlersToDefaults();
423 SetSignalMask(orig_sigmask);
424
425 #if 0
426 // When debugging it can be helpful to check that we really aren't making
427 // any hidden calls to malloc.
428 void *malloc_thunk =
429 reinterpret_cast<void*>(reinterpret_cast<intptr_t>(malloc) & ~4095);
430 mprotect(malloc_thunk, 4096, PROT_READ | PROT_WRITE | PROT_EXEC);
431 memset(reinterpret_cast<void*>(malloc), 0xff, 8);
432 #endif // 0
433
434 #if defined(OS_CHROMEOS)
435 if (options.ctrl_terminal_fd >= 0) {
436 // Set process' controlling terminal.
437 if (HANDLE_EINTR(setsid()) != -1) {
438 if (HANDLE_EINTR(
439 ioctl(options.ctrl_terminal_fd, TIOCSCTTY, NULL)) == -1) {
440 RAW_LOG(WARNING, "ioctl(TIOCSCTTY), ctrl terminal not set");
441 }
442 } else {
443 RAW_LOG(WARNING, "setsid failed, ctrl terminal not set");
444 }
445 }
446 #endif // defined(OS_CHROMEOS)
447
448 if (options.fds_to_remap) {
449 // Cannot use STL iterators here, since debug iterators use locks.
450 for (size_t i = 0; i < options.fds_to_remap->size(); ++i) {
451 const FileHandleMappingVector::value_type& value =
452 (*options.fds_to_remap)[i];
453 fd_shuffle1.push_back(InjectionArc(value.first, value.second, false));
454 fd_shuffle2.push_back(InjectionArc(value.first, value.second, false));
455 }
456 }
457
458 if (!options.environ.empty() || options.clear_environ)
459 SetEnvironment(new_environ.get());
460
461 // fd_shuffle1 is mutated by this call because it cannot malloc.
462 if (!ShuffleFileDescriptors(&fd_shuffle1))
463 _exit(127);
464
465 CloseSuperfluousFds(fd_shuffle2);
466
467 // Set NO_NEW_PRIVS by default. Since NO_NEW_PRIVS only exists in kernel
468 // 3.5+, do not check the return value of prctl here.
469 #if defined(OS_LINUX)
470 #ifndef PR_SET_NO_NEW_PRIVS
471 #define PR_SET_NO_NEW_PRIVS 38
472 #endif
473 if (!options.allow_new_privs) {
474 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) && errno != EINVAL) {
475 // Only log if the error is not EINVAL (i.e. not supported).
476 RAW_LOG(FATAL, "prctl(PR_SET_NO_NEW_PRIVS) failed");
477 }
478 }
479
480 if (options.kill_on_parent_death) {
481 if (prctl(PR_SET_PDEATHSIG, SIGKILL) != 0) {
482 RAW_LOG(ERROR, "prctl(PR_SET_PDEATHSIG) failed");
483 _exit(127);
484 }
485 }
486 #endif
487
488 if (current_directory != nullptr) {
489 RAW_CHECK(chdir(current_directory) == 0);
490 }
491
492 if (options.pre_exec_delegate != nullptr) {
493 options.pre_exec_delegate->RunAsyncSafe();
494 }
495
496 execvp(argv_cstr[0], argv_cstr.get());
497
498 RAW_LOG(ERROR, "LaunchProcess: failed to execvp:");
499 RAW_LOG(ERROR, argv_cstr[0]);
500 _exit(127);
501 } else {
502 // Parent process
503 if (options.wait) {
504 // While this isn't strictly disk IO, waiting for another process to
505 // finish is the sort of thing ThreadRestrictions is trying to prevent.
506 base::ThreadRestrictions::AssertIOAllowed();
507 pid_t ret = HANDLE_EINTR(waitpid(pid, 0, 0));
508 DPCHECK(ret > 0);
509 }
510 }
511
512 return Process(pid);
513 }
514
515 void RaiseProcessToHighPriority() {
516 // On POSIX, we don't actually do anything here. We could try to nice() or
517 // setpriority() or sched_getscheduler, but these all require extra rights.
518 }
519
520 // Return value used by GetAppOutputInternal to encapsulate the various exit
521 // scenarios from the function.
522 enum GetAppOutputInternalResult {
523 EXECUTE_FAILURE,
524 EXECUTE_SUCCESS,
525 GOT_MAX_OUTPUT,
526 };
527
528 // Executes the application specified by |argv| and wait for it to exit. Stores
529 // the output (stdout) in |output|. If |do_search_path| is set, it searches the
530 // path for the application; in that case, |envp| must be null, and it will use
531 // the current environment. If |do_search_path| is false, |argv[0]| should fully
532 // specify the path of the application, and |envp| will be used as the
533 // environment. Redirects stderr to /dev/null.
534 // If we successfully start the application and get all requested output, we
535 // return GOT_MAX_OUTPUT, or if there is a problem starting or exiting
536 // the application we return RUN_FAILURE. Otherwise we return EXECUTE_SUCCESS.
537 // The GOT_MAX_OUTPUT return value exists so a caller that asks for limited
538 // output can treat this as a success, despite having an exit code of SIG_PIPE
539 // due to us closing the output pipe.
540 // In the case of EXECUTE_SUCCESS, the application exit code will be returned
541 // in |*exit_code|, which should be checked to determine if the application
542 // ran successfully.
543 static GetAppOutputInternalResult GetAppOutputInternal(
544 const std::vector<std::string>& argv,
545 char* const envp[],
546 std::string* output,
547 size_t max_output,
548 bool do_search_path,
549 int* exit_code) {
550 // Doing a blocking wait for another command to finish counts as IO.
551 base::ThreadRestrictions::AssertIOAllowed();
552 // exit_code must be supplied so calling function can determine success.
553 DCHECK(exit_code);
554 *exit_code = EXIT_FAILURE;
555
556 int pipe_fd[2];
557 pid_t pid;
558 InjectiveMultimap fd_shuffle1, fd_shuffle2;
559 scoped_ptr<char*[]> argv_cstr(new char*[argv.size() + 1]);
560
561 fd_shuffle1.reserve(3);
562 fd_shuffle2.reserve(3);
563
564 // Either |do_search_path| should be false or |envp| should be null, but not
565 // both.
566 DCHECK(!do_search_path ^ !envp);
567
568 if (pipe(pipe_fd) < 0)
569 return EXECUTE_FAILURE;
570
571 switch (pid = fork()) {
572 case -1: // error
573 close(pipe_fd[0]);
574 close(pipe_fd[1]);
575 return EXECUTE_FAILURE;
576 case 0: // child
577 {
578 // DANGER: no calls to malloc or locks are allowed from now on:
579 // http://crbug.com/36678
580
581 #if defined(OS_MACOSX)
582 RestoreDefaultExceptionHandler();
583 #endif
584
585 // Obscure fork() rule: in the child, if you don't end up doing exec*(),
586 // you call _exit() instead of exit(). This is because _exit() does not
587 // call any previously-registered (in the parent) exit handlers, which
588 // might do things like block waiting for threads that don't even exist
589 // in the child.
590 int dev_null = open("/dev/null", O_WRONLY);
591 if (dev_null < 0)
592 _exit(127);
593
594 // Stop type-profiler.
595 // The profiler should be stopped between fork and exec since it inserts
596 // locks at new/delete expressions. See http://crbug.com/36678.
597 base::type_profiler::Controller::Stop();
598
599 fd_shuffle1.push_back(InjectionArc(pipe_fd[1], STDOUT_FILENO, true));
600 fd_shuffle1.push_back(InjectionArc(dev_null, STDERR_FILENO, true));
601 fd_shuffle1.push_back(InjectionArc(dev_null, STDIN_FILENO, true));
602 // Adding another element here? Remeber to increase the argument to
603 // reserve(), above.
604
605 for (size_t i = 0; i < fd_shuffle1.size(); ++i)
606 fd_shuffle2.push_back(fd_shuffle1[i]);
607
608 if (!ShuffleFileDescriptors(&fd_shuffle1))
609 _exit(127);
610
611 CloseSuperfluousFds(fd_shuffle2);
612
613 for (size_t i = 0; i < argv.size(); i++)
614 argv_cstr[i] = const_cast<char*>(argv[i].c_str());
615 argv_cstr[argv.size()] = NULL;
616 if (do_search_path)
617 execvp(argv_cstr[0], argv_cstr.get());
618 else
619 execve(argv_cstr[0], argv_cstr.get(), envp);
620 _exit(127);
621 }
622 default: // parent
623 {
624 // Close our writing end of pipe now. Otherwise later read would not
625 // be able to detect end of child's output (in theory we could still
626 // write to the pipe).
627 close(pipe_fd[1]);
628
629 output->clear();
630 char buffer[256];
631 size_t output_buf_left = max_output;
632 ssize_t bytes_read = 1; // A lie to properly handle |max_output == 0|
633 // case in the logic below.
634
635 while (output_buf_left > 0) {
636 bytes_read = HANDLE_EINTR(read(pipe_fd[0], buffer,
637 std::min(output_buf_left, sizeof(buffer))));
638 if (bytes_read <= 0)
639 break;
640 output->append(buffer, bytes_read);
641 output_buf_left -= static_cast<size_t>(bytes_read);
642 }
643 close(pipe_fd[0]);
644
645 // Always wait for exit code (even if we know we'll declare
646 // GOT_MAX_OUTPUT).
647 Process process(pid);
648 bool success = process.WaitForExit(exit_code);
649
650 // If we stopped because we read as much as we wanted, we return
651 // GOT_MAX_OUTPUT (because the child may exit due to |SIGPIPE|).
652 if (!output_buf_left && bytes_read > 0)
653 return GOT_MAX_OUTPUT;
654 else if (success)
655 return EXECUTE_SUCCESS;
656 return EXECUTE_FAILURE;
657 }
658 }
659 }
660
661 bool GetAppOutput(const CommandLine& cl, std::string* output) {
662 return GetAppOutput(cl.argv(), output);
663 }
664
665 bool GetAppOutput(const std::vector<std::string>& argv, std::string* output) {
666 // Run |execve()| with the current environment and store "unlimited" data.
667 int exit_code;
668 GetAppOutputInternalResult result = GetAppOutputInternal(
669 argv, NULL, output, std::numeric_limits<std::size_t>::max(), true,
670 &exit_code);
671 return result == EXECUTE_SUCCESS && exit_code == EXIT_SUCCESS;
672 }
673
674 // TODO(viettrungluu): Conceivably, we should have a timeout as well, so we
675 // don't hang if what we're calling hangs.
676 bool GetAppOutputRestricted(const CommandLine& cl,
677 std::string* output, size_t max_output) {
678 // Run |execve()| with the empty environment.
679 char* const empty_environ = NULL;
680 int exit_code;
681 GetAppOutputInternalResult result = GetAppOutputInternal(
682 cl.argv(), &empty_environ, output, max_output, false, &exit_code);
683 return result == GOT_MAX_OUTPUT || (result == EXECUTE_SUCCESS &&
684 exit_code == EXIT_SUCCESS);
685 }
686
687 bool GetAppOutputWithExitCode(const CommandLine& cl,
688 std::string* output,
689 int* exit_code) {
690 // Run |execve()| with the current environment and store "unlimited" data.
691 GetAppOutputInternalResult result = GetAppOutputInternal(
692 cl.argv(), NULL, output, std::numeric_limits<std::size_t>::max(), true,
693 exit_code);
694 return result == EXECUTE_SUCCESS;
695 }
696
697 #endif // !defined(OS_NACL_NONSFI)
698
699 #if defined(OS_LINUX) || defined(OS_NACL_NONSFI)
700 namespace {
701
702 bool IsRunningOnValgrind() {
703 return RUNNING_ON_VALGRIND;
704 }
705
706 // This function runs on the stack specified on the clone call. It uses longjmp
707 // to switch back to the original stack so the child can return from sys_clone.
708 int CloneHelper(void* arg) {
709 jmp_buf* env_ptr = reinterpret_cast<jmp_buf*>(arg);
710 longjmp(*env_ptr, 1);
711
712 // Should not be reached.
713 RAW_CHECK(false);
714 return 1;
715 }
716
717 // This function is noinline to ensure that stack_buf is below the stack pointer
718 // that is saved when setjmp is called below. This is needed because when
719 // compiled with FORTIFY_SOURCE, glibc's longjmp checks that the stack is moved
720 // upwards. See crbug.com/442912 for more details.
721 #if defined(ADDRESS_SANITIZER)
722 // Disable AddressSanitizer instrumentation for this function to make sure
723 // |stack_buf| is allocated on thread stack instead of ASan's fake stack.
724 // Under ASan longjmp() will attempt to clean up the area between the old and
725 // new stack pointers and print a warning that may confuse the user.
726 __attribute__((no_sanitize_address))
727 #endif
728 NOINLINE pid_t CloneAndLongjmpInChild(unsigned long flags,
729 pid_t* ptid,
730 pid_t* ctid,
731 jmp_buf* env) {
732 // We use the libc clone wrapper instead of making the syscall
733 // directly because making the syscall may fail to update the libc's
734 // internal pid cache. The libc interface unfortunately requires
735 // specifying a new stack, so we use setjmp/longjmp to emulate
736 // fork-like behavior.
737 char stack_buf[PTHREAD_STACK_MIN];
738 #if defined(ARCH_CPU_X86_FAMILY) || defined(ARCH_CPU_ARM_FAMILY) || \
739 defined(ARCH_CPU_MIPS64_FAMILY) || defined(ARCH_CPU_MIPS_FAMILY)
740 // The stack grows downward.
741 void* stack = stack_buf + sizeof(stack_buf);
742 #else
743 #error "Unsupported architecture"
744 #endif
745 return clone(&CloneHelper, stack, flags, env, ptid, nullptr, ctid);
746 }
747
748 } // anonymous namespace
749
750 pid_t ForkWithFlags(unsigned long flags, pid_t* ptid, pid_t* ctid) {
751 const bool clone_tls_used = flags & CLONE_SETTLS;
752 const bool invalid_ctid =
753 (flags & (CLONE_CHILD_SETTID | CLONE_CHILD_CLEARTID)) && !ctid;
754 const bool invalid_ptid = (flags & CLONE_PARENT_SETTID) && !ptid;
755
756 // We do not support CLONE_VM.
757 const bool clone_vm_used = flags & CLONE_VM;
758
759 if (clone_tls_used || invalid_ctid || invalid_ptid || clone_vm_used) {
760 RAW_LOG(FATAL, "Invalid usage of ForkWithFlags");
761 }
762
763 // Valgrind's clone implementation does not support specifiying a child_stack
764 // without CLONE_VM, so we cannot use libc's clone wrapper when running under
765 // Valgrind. As a result, the libc pid cache may be incorrect under Valgrind.
766 // See crbug.com/442817 for more details.
767 if (IsRunningOnValgrind()) {
768 // See kernel/fork.c in Linux. There is different ordering of sys_clone
769 // parameters depending on CONFIG_CLONE_BACKWARDS* configuration options.
770 #if defined(ARCH_CPU_X86_64)
771 return syscall(__NR_clone, flags, nullptr, ptid, ctid, nullptr);
772 #elif defined(ARCH_CPU_X86) || defined(ARCH_CPU_ARM_FAMILY) || \
773 defined(ARCH_CPU_MIPS_FAMILY) || defined(ARCH_CPU_MIPS64_FAMILY)
774 // CONFIG_CLONE_BACKWARDS defined.
775 return syscall(__NR_clone, flags, nullptr, ptid, nullptr, ctid);
776 #else
777 #error "Unsupported architecture"
778 #endif
779 }
780
781 jmp_buf env;
782 if (setjmp(env) == 0) {
783 return CloneAndLongjmpInChild(flags, ptid, ctid, &env);
784 }
785
786 return 0;
787 }
788 #endif // defined(OS_LINUX) || defined(OS_NACL_NONSFI)
789
790 } // namespace base