• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #include "base/process/launch.h"
6 
7 #include <dirent.h>
8 #include <errno.h>
9 #include <fcntl.h>
10 #include <signal.h>
11 #include <stdlib.h>
12 #include <sys/resource.h>
13 #include <sys/time.h>
14 #include <sys/types.h>
15 #include <sys/wait.h>
16 #include <unistd.h>
17 
18 #include <iterator>
19 #include <limits>
20 #include <set>
21 
22 #include "base/allocator/type_profiler_control.h"
23 #include "base/command_line.h"
24 #include "base/compiler_specific.h"
25 #include "base/debug/debugger.h"
26 #include "base/debug/stack_trace.h"
27 #include "base/files/dir_reader_posix.h"
28 #include "base/files/file_util.h"
29 #include "base/files/scoped_file.h"
30 #include "base/logging.h"
31 #include "base/memory/scoped_ptr.h"
32 #include "base/posix/eintr_wrapper.h"
33 #include "base/process/kill.h"
34 #include "base/process/process_metrics.h"
35 #include "base/strings/stringprintf.h"
36 #include "base/synchronization/waitable_event.h"
37 #include "base/third_party/dynamic_annotations/dynamic_annotations.h"
38 #include "base/threading/platform_thread.h"
39 #include "base/threading/thread_restrictions.h"
40 
41 #if defined(OS_LINUX)
42 #include <sys/prctl.h>
43 #endif
44 
45 #if defined(OS_CHROMEOS)
46 #include <sys/ioctl.h>
47 #endif
48 
49 #if defined(OS_FREEBSD)
50 #include <sys/event.h>
51 #include <sys/ucontext.h>
52 #endif
53 
54 #if defined(OS_MACOSX)
55 #include <crt_externs.h>
56 #include <sys/event.h>
57 #else
58 extern char** environ;
59 #endif
60 
61 namespace base {
62 
63 namespace {
64 
65 // Get the process's "environment" (i.e. the thing that setenv/getenv
66 // work with).
GetEnvironment()67 char** GetEnvironment() {
68 #if defined(OS_MACOSX)
69   return *_NSGetEnviron();
70 #else
71   return environ;
72 #endif
73 }
74 
75 // Set the process's "environment" (i.e. the thing that setenv/getenv
76 // work with).
SetEnvironment(char ** env)77 void SetEnvironment(char** env) {
78 #if defined(OS_MACOSX)
79   *_NSGetEnviron() = env;
80 #else
81   environ = env;
82 #endif
83 }
84 
85 // Set the calling thread's signal mask to new_sigmask and return
86 // the previous signal mask.
SetSignalMask(const sigset_t & new_sigmask)87 sigset_t SetSignalMask(const sigset_t& new_sigmask) {
88   sigset_t old_sigmask;
89 #if defined(OS_ANDROID)
90   // POSIX says pthread_sigmask() must be used in multi-threaded processes,
91   // but Android's pthread_sigmask() was broken until 4.1:
92   // https://code.google.com/p/android/issues/detail?id=15337
93   // http://stackoverflow.com/questions/13777109/pthread-sigmask-on-android-not-working
94   RAW_CHECK(sigprocmask(SIG_SETMASK, &new_sigmask, &old_sigmask) == 0);
95 #else
96   RAW_CHECK(pthread_sigmask(SIG_SETMASK, &new_sigmask, &old_sigmask) == 0);
97 #endif
98   return old_sigmask;
99 }
100 
101 #if !defined(OS_LINUX) || \
102     (!defined(__i386__) && !defined(__x86_64__) && !defined(__arm__))
ResetChildSignalHandlersToDefaults()103 void ResetChildSignalHandlersToDefaults() {
104   // The previous signal handlers are likely to be meaningless in the child's
105   // context so we reset them to the defaults for now. http://crbug.com/44953
106   // These signal handlers are set up at least in browser_main_posix.cc:
107   // BrowserMainPartsPosix::PreEarlyInitialization and stack_trace_posix.cc:
108   // EnableInProcessStackDumping.
109   signal(SIGHUP, SIG_DFL);
110   signal(SIGINT, SIG_DFL);
111   signal(SIGILL, SIG_DFL);
112   signal(SIGABRT, SIG_DFL);
113   signal(SIGFPE, SIG_DFL);
114   signal(SIGBUS, SIG_DFL);
115   signal(SIGSEGV, SIG_DFL);
116   signal(SIGSYS, SIG_DFL);
117   signal(SIGTERM, SIG_DFL);
118 }
119 
120 #else
121 
122 // TODO(jln): remove the Linux special case once kernels are fixed.
123 
124 // Internally the kernel makes sigset_t an array of long large enough to have
125 // one bit per signal.
126 typedef uint64_t kernel_sigset_t;
127 
128 // This is what struct sigaction looks like to the kernel at least on X86 and
129 // ARM. MIPS, for instance, is very different.
130 struct kernel_sigaction {
131   void* k_sa_handler;  // For this usage it only needs to be a generic pointer.
132   unsigned long k_sa_flags;
133   void* k_sa_restorer;  // For this usage it only needs to be a generic pointer.
134   kernel_sigset_t k_sa_mask;
135 };
136 
137 // glibc's sigaction() will prevent access to sa_restorer, so we need to roll
138 // our own.
sys_rt_sigaction(int sig,const struct kernel_sigaction * act,struct kernel_sigaction * oact)139 int sys_rt_sigaction(int sig, const struct kernel_sigaction* act,
140                      struct kernel_sigaction* oact) {
141   return syscall(SYS_rt_sigaction, sig, act, oact, sizeof(kernel_sigset_t));
142 }
143 
144 // This function is intended to be used in between fork() and execve() and will
145 // reset all signal handlers to the default.
146 // The motivation for going through all of them is that sa_restorer can leak
147 // from parents and help defeat ASLR on buggy kernels.  We reset it to NULL.
148 // See crbug.com/177956.
ResetChildSignalHandlersToDefaults(void)149 void ResetChildSignalHandlersToDefaults(void) {
150   for (int signum = 1; ; ++signum) {
151     struct kernel_sigaction act = {0};
152     int sigaction_get_ret = sys_rt_sigaction(signum, NULL, &act);
153     if (sigaction_get_ret && errno == EINVAL) {
154 #if !defined(NDEBUG)
155       // Linux supports 32 real-time signals from 33 to 64.
156       // If the number of signals in the Linux kernel changes, someone should
157       // look at this code.
158       const int kNumberOfSignals = 64;
159       RAW_CHECK(signum == kNumberOfSignals + 1);
160 #endif  // !defined(NDEBUG)
161       break;
162     }
163     // All other failures are fatal.
164     if (sigaction_get_ret) {
165       RAW_LOG(FATAL, "sigaction (get) failed.");
166     }
167 
168     // The kernel won't allow to re-set SIGKILL or SIGSTOP.
169     if (signum != SIGSTOP && signum != SIGKILL) {
170       act.k_sa_handler = reinterpret_cast<void*>(SIG_DFL);
171       act.k_sa_restorer = NULL;
172       if (sys_rt_sigaction(signum, &act, NULL)) {
173         RAW_LOG(FATAL, "sigaction (set) failed.");
174       }
175     }
176 #if !defined(NDEBUG)
177     // Now ask the kernel again and check that no restorer will leak.
178     if (sys_rt_sigaction(signum, NULL, &act) || act.k_sa_restorer) {
179       RAW_LOG(FATAL, "Cound not fix sa_restorer.");
180     }
181 #endif  // !defined(NDEBUG)
182   }
183 }
184 #endif  // !defined(OS_LINUX) ||
185         // (!defined(__i386__) && !defined(__x86_64__) && !defined(__arm__))
186 
187 }  // anonymous namespace
188 
189 // Functor for |ScopedDIR| (below).
190 struct ScopedDIRClose {
operator ()base::ScopedDIRClose191   inline void operator()(DIR* x) const {
192     if (x)
193       closedir(x);
194   }
195 };
196 
197 // Automatically closes |DIR*|s.
198 typedef scoped_ptr<DIR, ScopedDIRClose> ScopedDIR;
199 
200 #if defined(OS_LINUX)
201 static const char kFDDir[] = "/proc/self/fd";
202 #elif defined(OS_MACOSX)
203 static const char kFDDir[] = "/dev/fd";
204 #elif defined(OS_SOLARIS)
205 static const char kFDDir[] = "/dev/fd";
206 #elif defined(OS_FREEBSD)
207 static const char kFDDir[] = "/dev/fd";
208 #elif defined(OS_OPENBSD)
209 static const char kFDDir[] = "/dev/fd";
210 #elif defined(OS_ANDROID)
211 static const char kFDDir[] = "/proc/self/fd";
212 #endif
213 
CloseSuperfluousFds(const base::InjectiveMultimap & saved_mapping)214 void CloseSuperfluousFds(const base::InjectiveMultimap& saved_mapping) {
215   // DANGER: no calls to malloc or locks are allowed from now on:
216   // http://crbug.com/36678
217 
218   // Get the maximum number of FDs possible.
219   size_t max_fds = GetMaxFds();
220 
221   DirReaderPosix fd_dir(kFDDir);
222   if (!fd_dir.IsValid()) {
223     // Fallback case: Try every possible fd.
224     for (size_t i = 0; i < max_fds; ++i) {
225       const int fd = static_cast<int>(i);
226       if (fd == STDIN_FILENO || fd == STDOUT_FILENO || fd == STDERR_FILENO)
227         continue;
228       // Cannot use STL iterators here, since debug iterators use locks.
229       size_t j;
230       for (j = 0; j < saved_mapping.size(); j++) {
231         if (fd == saved_mapping[j].dest)
232           break;
233       }
234       if (j < saved_mapping.size())
235         continue;
236 
237       // Since we're just trying to close anything we can find,
238       // ignore any error return values of close().
239       close(fd);
240     }
241     return;
242   }
243 
244   const int dir_fd = fd_dir.fd();
245 
246   for ( ; fd_dir.Next(); ) {
247     // Skip . and .. entries.
248     if (fd_dir.name()[0] == '.')
249       continue;
250 
251     char *endptr;
252     errno = 0;
253     const long int fd = strtol(fd_dir.name(), &endptr, 10);
254     if (fd_dir.name()[0] == 0 || *endptr || fd < 0 || errno)
255       continue;
256     if (fd == STDIN_FILENO || fd == STDOUT_FILENO || fd == STDERR_FILENO)
257       continue;
258     // Cannot use STL iterators here, since debug iterators use locks.
259     size_t i;
260     for (i = 0; i < saved_mapping.size(); i++) {
261       if (fd == saved_mapping[i].dest)
262         break;
263     }
264     if (i < saved_mapping.size())
265       continue;
266     if (fd == dir_fd)
267       continue;
268 
269     // When running under Valgrind, Valgrind opens several FDs for its
270     // own use and will complain if we try to close them.  All of
271     // these FDs are >= |max_fds|, so we can check against that here
272     // before closing.  See https://bugs.kde.org/show_bug.cgi?id=191758
273     if (fd < static_cast<int>(max_fds)) {
274       int ret = IGNORE_EINTR(close(fd));
275       DPCHECK(ret == 0);
276     }
277   }
278 }
279 
LaunchProcess(const std::vector<std::string> & argv,const LaunchOptions & options,ProcessHandle * process_handle)280 bool LaunchProcess(const std::vector<std::string>& argv,
281                    const LaunchOptions& options,
282                    ProcessHandle* process_handle) {
283   size_t fd_shuffle_size = 0;
284   if (options.fds_to_remap) {
285     fd_shuffle_size = options.fds_to_remap->size();
286   }
287 
288   InjectiveMultimap fd_shuffle1;
289   InjectiveMultimap fd_shuffle2;
290   fd_shuffle1.reserve(fd_shuffle_size);
291   fd_shuffle2.reserve(fd_shuffle_size);
292 
293   scoped_ptr<char*[]> argv_cstr(new char*[argv.size() + 1]);
294   scoped_ptr<char*[]> new_environ;
295   char* const empty_environ = NULL;
296   char* const* old_environ = GetEnvironment();
297   if (options.clear_environ)
298     old_environ = &empty_environ;
299   if (!options.environ.empty())
300     new_environ = AlterEnvironment(old_environ, options.environ);
301 
302   sigset_t full_sigset;
303   sigfillset(&full_sigset);
304   const sigset_t orig_sigmask = SetSignalMask(full_sigset);
305 
306   pid_t pid;
307 #if defined(OS_LINUX)
308   if (options.clone_flags) {
309     // Signal handling in this function assumes the creation of a new
310     // process, so we check that a thread is not being created by mistake
311     // and that signal handling follows the process-creation rules.
312     RAW_CHECK(
313         !(options.clone_flags & (CLONE_SIGHAND | CLONE_THREAD | CLONE_VM)));
314     pid = syscall(__NR_clone, options.clone_flags, 0, 0, 0);
315   } else
316 #endif
317   {
318     pid = fork();
319   }
320 
321   // Always restore the original signal mask in the parent.
322   if (pid != 0) {
323     SetSignalMask(orig_sigmask);
324   }
325 
326   if (pid < 0) {
327     DPLOG(ERROR) << "fork";
328     return false;
329   } else if (pid == 0) {
330     // Child process
331 
332     // DANGER: no calls to malloc or locks are allowed from now on:
333     // http://crbug.com/36678
334 
335     // DANGER: fork() rule: in the child, if you don't end up doing exec*(),
336     // you call _exit() instead of exit(). This is because _exit() does not
337     // call any previously-registered (in the parent) exit handlers, which
338     // might do things like block waiting for threads that don't even exist
339     // in the child.
340 
341     // If a child process uses the readline library, the process block forever.
342     // In BSD like OSes including OS X it is safe to assign /dev/null as stdin.
343     // See http://crbug.com/56596.
344     base::ScopedFD null_fd(HANDLE_EINTR(open("/dev/null", O_RDONLY)));
345     if (!null_fd.is_valid()) {
346       RAW_LOG(ERROR, "Failed to open /dev/null");
347       _exit(127);
348     }
349 
350     int new_fd = HANDLE_EINTR(dup2(null_fd.get(), STDIN_FILENO));
351     if (new_fd != STDIN_FILENO) {
352       RAW_LOG(ERROR, "Failed to dup /dev/null for stdin");
353       _exit(127);
354     }
355 
356     if (options.new_process_group) {
357       // Instead of inheriting the process group ID of the parent, the child
358       // starts off a new process group with pgid equal to its process ID.
359       if (setpgid(0, 0) < 0) {
360         RAW_LOG(ERROR, "setpgid failed");
361         _exit(127);
362       }
363     }
364 
365     // Stop type-profiler.
366     // The profiler should be stopped between fork and exec since it inserts
367     // locks at new/delete expressions.  See http://crbug.com/36678.
368     base::type_profiler::Controller::Stop();
369 
370     if (options.maximize_rlimits) {
371       // Some resource limits need to be maximal in this child.
372       for (size_t i = 0; i < options.maximize_rlimits->size(); ++i) {
373         const int resource = (*options.maximize_rlimits)[i];
374         struct rlimit limit;
375         if (getrlimit(resource, &limit) < 0) {
376           RAW_LOG(WARNING, "getrlimit failed");
377         } else if (limit.rlim_cur < limit.rlim_max) {
378           limit.rlim_cur = limit.rlim_max;
379           if (setrlimit(resource, &limit) < 0) {
380             RAW_LOG(WARNING, "setrlimit failed");
381           }
382         }
383       }
384     }
385 
386 #if defined(OS_MACOSX)
387     RestoreDefaultExceptionHandler();
388     if (!options.replacement_bootstrap_name.empty())
389       ReplaceBootstrapPort(options.replacement_bootstrap_name);
390 #endif  // defined(OS_MACOSX)
391 
392     ResetChildSignalHandlersToDefaults();
393     SetSignalMask(orig_sigmask);
394 
395 #if 0
396     // When debugging it can be helpful to check that we really aren't making
397     // any hidden calls to malloc.
398     void *malloc_thunk =
399         reinterpret_cast<void*>(reinterpret_cast<intptr_t>(malloc) & ~4095);
400     mprotect(malloc_thunk, 4096, PROT_READ | PROT_WRITE | PROT_EXEC);
401     memset(reinterpret_cast<void*>(malloc), 0xff, 8);
402 #endif  // 0
403 
404 #if defined(OS_CHROMEOS)
405     if (options.ctrl_terminal_fd >= 0) {
406       // Set process' controlling terminal.
407       if (HANDLE_EINTR(setsid()) != -1) {
408         if (HANDLE_EINTR(
409                 ioctl(options.ctrl_terminal_fd, TIOCSCTTY, NULL)) == -1) {
410           RAW_LOG(WARNING, "ioctl(TIOCSCTTY), ctrl terminal not set");
411         }
412       } else {
413         RAW_LOG(WARNING, "setsid failed, ctrl terminal not set");
414       }
415     }
416 #endif  // defined(OS_CHROMEOS)
417 
418     if (options.fds_to_remap) {
419       // Cannot use STL iterators here, since debug iterators use locks.
420       for (size_t i = 0; i < options.fds_to_remap->size(); ++i) {
421         const FileHandleMappingVector::value_type& value =
422             (*options.fds_to_remap)[i];
423         fd_shuffle1.push_back(InjectionArc(value.first, value.second, false));
424         fd_shuffle2.push_back(InjectionArc(value.first, value.second, false));
425       }
426     }
427 
428     if (!options.environ.empty() || options.clear_environ)
429       SetEnvironment(new_environ.get());
430 
431     // fd_shuffle1 is mutated by this call because it cannot malloc.
432     if (!ShuffleFileDescriptors(&fd_shuffle1))
433       _exit(127);
434 
435     CloseSuperfluousFds(fd_shuffle2);
436 
437     // Set NO_NEW_PRIVS by default. Since NO_NEW_PRIVS only exists in kernel
438     // 3.5+, do not check the return value of prctl here.
439 #if defined(OS_LINUX)
440 #ifndef PR_SET_NO_NEW_PRIVS
441 #define PR_SET_NO_NEW_PRIVS 38
442 #endif
443     if (!options.allow_new_privs) {
444       if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) && errno != EINVAL) {
445         // Only log if the error is not EINVAL (i.e. not supported).
446         RAW_LOG(FATAL, "prctl(PR_SET_NO_NEW_PRIVS) failed");
447       }
448     }
449 #endif
450 
451     for (size_t i = 0; i < argv.size(); i++)
452       argv_cstr[i] = const_cast<char*>(argv[i].c_str());
453     argv_cstr[argv.size()] = NULL;
454     execvp(argv_cstr[0], argv_cstr.get());
455 
456     RAW_LOG(ERROR, "LaunchProcess: failed to execvp:");
457     RAW_LOG(ERROR, argv_cstr[0]);
458     _exit(127);
459   } else {
460     // Parent process
461     if (options.wait) {
462       // While this isn't strictly disk IO, waiting for another process to
463       // finish is the sort of thing ThreadRestrictions is trying to prevent.
464       base::ThreadRestrictions::AssertIOAllowed();
465       pid_t ret = HANDLE_EINTR(waitpid(pid, 0, 0));
466       DPCHECK(ret > 0);
467     }
468 
469     if (process_handle)
470       *process_handle = pid;
471   }
472 
473   return true;
474 }
475 
476 
LaunchProcess(const CommandLine & cmdline,const LaunchOptions & options,ProcessHandle * process_handle)477 bool LaunchProcess(const CommandLine& cmdline,
478                    const LaunchOptions& options,
479                    ProcessHandle* process_handle) {
480   return LaunchProcess(cmdline.argv(), options, process_handle);
481 }
482 
RaiseProcessToHighPriority()483 void RaiseProcessToHighPriority() {
484   // On POSIX, we don't actually do anything here.  We could try to nice() or
485   // setpriority() or sched_getscheduler, but these all require extra rights.
486 }
487 
488 // Return value used by GetAppOutputInternal to encapsulate the various exit
489 // scenarios from the function.
490 enum GetAppOutputInternalResult {
491   EXECUTE_FAILURE,
492   EXECUTE_SUCCESS,
493   GOT_MAX_OUTPUT,
494 };
495 
496 // Executes the application specified by |argv| and wait for it to exit. Stores
497 // the output (stdout) in |output|. If |do_search_path| is set, it searches the
498 // path for the application; in that case, |envp| must be null, and it will use
499 // the current environment. If |do_search_path| is false, |argv[0]| should fully
500 // specify the path of the application, and |envp| will be used as the
501 // environment. Redirects stderr to /dev/null.
502 // If we successfully start the application and get all requested output, we
503 // return GOT_MAX_OUTPUT, or if there is a problem starting or exiting
504 // the application we return RUN_FAILURE. Otherwise we return EXECUTE_SUCCESS.
505 // The GOT_MAX_OUTPUT return value exists so a caller that asks for limited
506 // output can treat this as a success, despite having an exit code of SIG_PIPE
507 // due to us closing the output pipe.
508 // In the case of EXECUTE_SUCCESS, the application exit code will be returned
509 // in |*exit_code|, which should be checked to determine if the application
510 // ran successfully.
GetAppOutputInternal(const std::vector<std::string> & argv,char * const envp[],std::string * output,size_t max_output,bool do_search_path,int * exit_code)511 static GetAppOutputInternalResult GetAppOutputInternal(
512     const std::vector<std::string>& argv,
513     char* const envp[],
514     std::string* output,
515     size_t max_output,
516     bool do_search_path,
517     int* exit_code) {
518   // Doing a blocking wait for another command to finish counts as IO.
519   base::ThreadRestrictions::AssertIOAllowed();
520   // exit_code must be supplied so calling function can determine success.
521   DCHECK(exit_code);
522   *exit_code = EXIT_FAILURE;
523 
524   int pipe_fd[2];
525   pid_t pid;
526   InjectiveMultimap fd_shuffle1, fd_shuffle2;
527   scoped_ptr<char*[]> argv_cstr(new char*[argv.size() + 1]);
528 
529   fd_shuffle1.reserve(3);
530   fd_shuffle2.reserve(3);
531 
532   // Either |do_search_path| should be false or |envp| should be null, but not
533   // both.
534   DCHECK(!do_search_path ^ !envp);
535 
536   if (pipe(pipe_fd) < 0)
537     return EXECUTE_FAILURE;
538 
539   switch (pid = fork()) {
540     case -1:  // error
541       close(pipe_fd[0]);
542       close(pipe_fd[1]);
543       return EXECUTE_FAILURE;
544     case 0:  // child
545       {
546         // DANGER: no calls to malloc or locks are allowed from now on:
547         // http://crbug.com/36678
548 
549 #if defined(OS_MACOSX)
550         RestoreDefaultExceptionHandler();
551 #endif
552 
553         // Obscure fork() rule: in the child, if you don't end up doing exec*(),
554         // you call _exit() instead of exit(). This is because _exit() does not
555         // call any previously-registered (in the parent) exit handlers, which
556         // might do things like block waiting for threads that don't even exist
557         // in the child.
558         int dev_null = open("/dev/null", O_WRONLY);
559         if (dev_null < 0)
560           _exit(127);
561 
562         // Stop type-profiler.
563         // The profiler should be stopped between fork and exec since it inserts
564         // locks at new/delete expressions.  See http://crbug.com/36678.
565         base::type_profiler::Controller::Stop();
566 
567         fd_shuffle1.push_back(InjectionArc(pipe_fd[1], STDOUT_FILENO, true));
568         fd_shuffle1.push_back(InjectionArc(dev_null, STDERR_FILENO, true));
569         fd_shuffle1.push_back(InjectionArc(dev_null, STDIN_FILENO, true));
570         // Adding another element here? Remeber to increase the argument to
571         // reserve(), above.
572 
573         for (size_t i = 0; i < fd_shuffle1.size(); ++i)
574           fd_shuffle2.push_back(fd_shuffle1[i]);
575 
576         if (!ShuffleFileDescriptors(&fd_shuffle1))
577           _exit(127);
578 
579         CloseSuperfluousFds(fd_shuffle2);
580 
581         for (size_t i = 0; i < argv.size(); i++)
582           argv_cstr[i] = const_cast<char*>(argv[i].c_str());
583         argv_cstr[argv.size()] = NULL;
584         if (do_search_path)
585           execvp(argv_cstr[0], argv_cstr.get());
586         else
587           execve(argv_cstr[0], argv_cstr.get(), envp);
588         _exit(127);
589       }
590     default:  // parent
591       {
592         // Close our writing end of pipe now. Otherwise later read would not
593         // be able to detect end of child's output (in theory we could still
594         // write to the pipe).
595         close(pipe_fd[1]);
596 
597         output->clear();
598         char buffer[256];
599         size_t output_buf_left = max_output;
600         ssize_t bytes_read = 1;  // A lie to properly handle |max_output == 0|
601                                  // case in the logic below.
602 
603         while (output_buf_left > 0) {
604           bytes_read = HANDLE_EINTR(read(pipe_fd[0], buffer,
605                                     std::min(output_buf_left, sizeof(buffer))));
606           if (bytes_read <= 0)
607             break;
608           output->append(buffer, bytes_read);
609           output_buf_left -= static_cast<size_t>(bytes_read);
610         }
611         close(pipe_fd[0]);
612 
613         // Always wait for exit code (even if we know we'll declare
614         // GOT_MAX_OUTPUT).
615         bool success = WaitForExitCode(pid, exit_code);
616 
617         // If we stopped because we read as much as we wanted, we return
618         // GOT_MAX_OUTPUT (because the child may exit due to |SIGPIPE|).
619         if (!output_buf_left && bytes_read > 0)
620           return GOT_MAX_OUTPUT;
621         else if (success)
622           return EXECUTE_SUCCESS;
623         return EXECUTE_FAILURE;
624       }
625   }
626 }
627 
GetAppOutput(const CommandLine & cl,std::string * output)628 bool GetAppOutput(const CommandLine& cl, std::string* output) {
629   return GetAppOutput(cl.argv(), output);
630 }
631 
GetAppOutput(const std::vector<std::string> & argv,std::string * output)632 bool GetAppOutput(const std::vector<std::string>& argv, std::string* output) {
633   // Run |execve()| with the current environment and store "unlimited" data.
634   int exit_code;
635   GetAppOutputInternalResult result = GetAppOutputInternal(
636       argv, NULL, output, std::numeric_limits<std::size_t>::max(), true,
637       &exit_code);
638   return result == EXECUTE_SUCCESS && exit_code == EXIT_SUCCESS;
639 }
640 
641 // TODO(viettrungluu): Conceivably, we should have a timeout as well, so we
642 // don't hang if what we're calling hangs.
GetAppOutputRestricted(const CommandLine & cl,std::string * output,size_t max_output)643 bool GetAppOutputRestricted(const CommandLine& cl,
644                             std::string* output, size_t max_output) {
645   // Run |execve()| with the empty environment.
646   char* const empty_environ = NULL;
647   int exit_code;
648   GetAppOutputInternalResult result = GetAppOutputInternal(
649       cl.argv(), &empty_environ, output, max_output, false, &exit_code);
650   return result == GOT_MAX_OUTPUT || (result == EXECUTE_SUCCESS &&
651                                       exit_code == EXIT_SUCCESS);
652 }
653 
GetAppOutputWithExitCode(const CommandLine & cl,std::string * output,int * exit_code)654 bool GetAppOutputWithExitCode(const CommandLine& cl,
655                               std::string* output,
656                               int* exit_code) {
657   // Run |execve()| with the current environment and store "unlimited" data.
658   GetAppOutputInternalResult result = GetAppOutputInternal(
659       cl.argv(), NULL, output, std::numeric_limits<std::size_t>::max(), true,
660       exit_code);
661   return result == EXECUTE_SUCCESS;
662 }
663 
664 }  // namespace base
665