1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "base/process/launch.h"
6
7 #include <dirent.h>
8 #include <errno.h>
9 #include <fcntl.h>
10 #include <sched.h>
11 #include <setjmp.h>
12 #include <signal.h>
13 #include <stddef.h>
14 #include <stdint.h>
15 #include <stdlib.h>
16 #include <sys/resource.h>
17 #include <sys/syscall.h>
18 #include <sys/time.h>
19 #include <sys/types.h>
20 #include <sys/wait.h>
21 #include <unistd.h>
22
23 #include <iterator>
24 #include <limits>
25 #include <memory>
26 #include <set>
27
28 #include "base/command_line.h"
29 #include "base/compiler_specific.h"
30 #include "base/debug/debugger.h"
31 #include "base/debug/stack_trace.h"
32 #include "base/files/dir_reader_posix.h"
33 #include "base/files/file_util.h"
34 #include "base/files/scoped_file.h"
35 #include "base/logging.h"
36 #include "base/posix/eintr_wrapper.h"
37 #include "base/process/process.h"
38 #include "base/process/process_metrics.h"
39 #include "base/strings/stringprintf.h"
40 #include "base/synchronization/waitable_event.h"
41 #include "base/third_party/dynamic_annotations/dynamic_annotations.h"
42 #include "base/third_party/valgrind/valgrind.h"
43 #include "base/threading/platform_thread.h"
44 #include "base/threading/thread_restrictions.h"
45 #include "build/build_config.h"
46
47 #if defined(OS_LINUX)
48 #include <sys/prctl.h>
49 #endif
50
51 #if defined(OS_CHROMEOS)
52 #include <sys/ioctl.h>
53 #endif
54
55 #if defined(OS_FREEBSD)
56 #include <sys/event.h>
57 #include <sys/ucontext.h>
58 #endif
59
60 #if defined(OS_MACOSX)
61 #include <crt_externs.h>
62 #include <sys/event.h>
63 #else
64 extern char** environ;
65 #endif
66
67 namespace base {
68
69 #if !defined(OS_NACL_NONSFI)
70
71 namespace {
72
73 // Get the process's "environment" (i.e. the thing that setenv/getenv
74 // work with).
GetEnvironment()75 char** GetEnvironment() {
76 #if defined(OS_MACOSX)
77 return *_NSGetEnviron();
78 #else
79 return environ;
80 #endif
81 }
82
83 // Set the process's "environment" (i.e. the thing that setenv/getenv
84 // work with).
SetEnvironment(char ** env)85 void SetEnvironment(char** env) {
86 #if defined(OS_MACOSX)
87 *_NSGetEnviron() = env;
88 #else
89 environ = env;
90 #endif
91 }
92
93 // Set the calling thread's signal mask to new_sigmask and return
94 // the previous signal mask.
SetSignalMask(const sigset_t & new_sigmask)95 sigset_t SetSignalMask(const sigset_t& new_sigmask) {
96 sigset_t old_sigmask;
97 #if defined(OS_ANDROID)
98 // POSIX says pthread_sigmask() must be used in multi-threaded processes,
99 // but Android's pthread_sigmask() was broken until 4.1:
100 // https://code.google.com/p/android/issues/detail?id=15337
101 // http://stackoverflow.com/questions/13777109/pthread-sigmask-on-android-not-working
102 RAW_CHECK(sigprocmask(SIG_SETMASK, &new_sigmask, &old_sigmask) == 0);
103 #else
104 RAW_CHECK(pthread_sigmask(SIG_SETMASK, &new_sigmask, &old_sigmask) == 0);
105 #endif
106 return old_sigmask;
107 }
108
109 #if !defined(OS_LINUX) || \
110 (!defined(__i386__) && !defined(__x86_64__) && !defined(__arm__))
ResetChildSignalHandlersToDefaults()111 void ResetChildSignalHandlersToDefaults() {
112 // The previous signal handlers are likely to be meaningless in the child's
113 // context so we reset them to the defaults for now. http://crbug.com/44953
114 // These signal handlers are set up at least in browser_main_posix.cc:
115 // BrowserMainPartsPosix::PreEarlyInitialization and stack_trace_posix.cc:
116 // EnableInProcessStackDumping.
117 signal(SIGHUP, SIG_DFL);
118 signal(SIGINT, SIG_DFL);
119 signal(SIGILL, SIG_DFL);
120 signal(SIGABRT, SIG_DFL);
121 signal(SIGFPE, SIG_DFL);
122 signal(SIGBUS, SIG_DFL);
123 signal(SIGSEGV, SIG_DFL);
124 signal(SIGSYS, SIG_DFL);
125 signal(SIGTERM, SIG_DFL);
126 }
127
128 #else
129
130 // TODO(jln): remove the Linux special case once kernels are fixed.
131
132 // Internally the kernel makes sigset_t an array of long large enough to have
133 // one bit per signal.
134 typedef uint64_t kernel_sigset_t;
135
136 // This is what struct sigaction looks like to the kernel at least on X86 and
137 // ARM. MIPS, for instance, is very different.
138 struct kernel_sigaction {
139 void* k_sa_handler; // For this usage it only needs to be a generic pointer.
140 unsigned long k_sa_flags;
141 void* k_sa_restorer; // For this usage it only needs to be a generic pointer.
142 kernel_sigset_t k_sa_mask;
143 };
144
145 // glibc's sigaction() will prevent access to sa_restorer, so we need to roll
146 // our own.
sys_rt_sigaction(int sig,const struct kernel_sigaction * act,struct kernel_sigaction * oact)147 int sys_rt_sigaction(int sig, const struct kernel_sigaction* act,
148 struct kernel_sigaction* oact) {
149 return syscall(SYS_rt_sigaction, sig, act, oact, sizeof(kernel_sigset_t));
150 }
151
152 // This function is intended to be used in between fork() and execve() and will
153 // reset all signal handlers to the default.
154 // The motivation for going through all of them is that sa_restorer can leak
155 // from parents and help defeat ASLR on buggy kernels. We reset it to null.
156 // See crbug.com/177956.
ResetChildSignalHandlersToDefaults(void)157 void ResetChildSignalHandlersToDefaults(void) {
158 for (int signum = 1; ; ++signum) {
159 #if defined(ANDROID)
160 struct kernel_sigaction act;
161 memset(&act, 0, sizeof(act));
162 #else
163 struct kernel_sigaction act = {0};
164 #endif
165 int sigaction_get_ret = sys_rt_sigaction(signum, nullptr, &act);
166 if (sigaction_get_ret && errno == EINVAL) {
167 #if !defined(NDEBUG)
168 // Linux supports 32 real-time signals from 33 to 64.
169 // If the number of signals in the Linux kernel changes, someone should
170 // look at this code.
171 const int kNumberOfSignals = 64;
172 RAW_CHECK(signum == kNumberOfSignals + 1);
173 #endif // !defined(NDEBUG)
174 break;
175 }
176 // All other failures are fatal.
177 if (sigaction_get_ret) {
178 RAW_LOG(FATAL, "sigaction (get) failed.");
179 }
180
181 // The kernel won't allow to re-set SIGKILL or SIGSTOP.
182 if (signum != SIGSTOP && signum != SIGKILL) {
183 act.k_sa_handler = reinterpret_cast<void*>(SIG_DFL);
184 act.k_sa_restorer = nullptr;
185 if (sys_rt_sigaction(signum, &act, nullptr)) {
186 RAW_LOG(FATAL, "sigaction (set) failed.");
187 }
188 }
189 #if !defined(NDEBUG)
190 // Now ask the kernel again and check that no restorer will leak.
191 if (sys_rt_sigaction(signum, nullptr, &act) || act.k_sa_restorer) {
192 RAW_LOG(FATAL, "Cound not fix sa_restorer.");
193 }
194 #endif // !defined(NDEBUG)
195 }
196 }
197 #endif // !defined(OS_LINUX) ||
198 // (!defined(__i386__) && !defined(__x86_64__) && !defined(__arm__))
199 } // anonymous namespace
200
201 // Functor for |ScopedDIR| (below).
202 struct ScopedDIRClose {
operator ()base::ScopedDIRClose203 inline void operator()(DIR* x) const {
204 if (x)
205 closedir(x);
206 }
207 };
208
209 // Automatically closes |DIR*|s.
210 typedef std::unique_ptr<DIR, ScopedDIRClose> ScopedDIR;
211
212 #if defined(OS_LINUX)
213 static const char kFDDir[] = "/proc/self/fd";
214 #elif defined(OS_MACOSX)
215 static const char kFDDir[] = "/dev/fd";
216 #elif defined(OS_SOLARIS)
217 static const char kFDDir[] = "/dev/fd";
218 #elif defined(OS_FREEBSD)
219 static const char kFDDir[] = "/dev/fd";
220 #elif defined(OS_OPENBSD)
221 static const char kFDDir[] = "/dev/fd";
222 #elif defined(OS_ANDROID)
223 static const char kFDDir[] = "/proc/self/fd";
224 #endif
225
CloseSuperfluousFds(const base::InjectiveMultimap & saved_mapping)226 void CloseSuperfluousFds(const base::InjectiveMultimap& saved_mapping) {
227 // DANGER: no calls to malloc or locks are allowed from now on:
228 // http://crbug.com/36678
229
230 // Get the maximum number of FDs possible.
231 size_t max_fds = GetMaxFds();
232
233 DirReaderPosix fd_dir(kFDDir);
234 if (!fd_dir.IsValid()) {
235 // Fallback case: Try every possible fd.
236 for (size_t i = 0; i < max_fds; ++i) {
237 const int fd = static_cast<int>(i);
238 if (fd == STDIN_FILENO || fd == STDOUT_FILENO || fd == STDERR_FILENO)
239 continue;
240 // Cannot use STL iterators here, since debug iterators use locks.
241 size_t j;
242 for (j = 0; j < saved_mapping.size(); j++) {
243 if (fd == saved_mapping[j].dest)
244 break;
245 }
246 if (j < saved_mapping.size())
247 continue;
248
249 // Since we're just trying to close anything we can find,
250 // ignore any error return values of close().
251 close(fd);
252 }
253 return;
254 }
255
256 const int dir_fd = fd_dir.fd();
257
258 for ( ; fd_dir.Next(); ) {
259 // Skip . and .. entries.
260 if (fd_dir.name()[0] == '.')
261 continue;
262
263 char *endptr;
264 errno = 0;
265 const long int fd = strtol(fd_dir.name(), &endptr, 10);
266 if (fd_dir.name()[0] == 0 || *endptr || fd < 0 || errno)
267 continue;
268 if (fd == STDIN_FILENO || fd == STDOUT_FILENO || fd == STDERR_FILENO)
269 continue;
270 // Cannot use STL iterators here, since debug iterators use locks.
271 size_t i;
272 for (i = 0; i < saved_mapping.size(); i++) {
273 if (fd == saved_mapping[i].dest)
274 break;
275 }
276 if (i < saved_mapping.size())
277 continue;
278 if (fd == dir_fd)
279 continue;
280
281 // When running under Valgrind, Valgrind opens several FDs for its
282 // own use and will complain if we try to close them. All of
283 // these FDs are >= |max_fds|, so we can check against that here
284 // before closing. See https://bugs.kde.org/show_bug.cgi?id=191758
285 if (fd < static_cast<int>(max_fds)) {
286 int ret = IGNORE_EINTR(close(fd));
287 DPCHECK(ret == 0);
288 }
289 }
290 }
291
LaunchProcess(const CommandLine & cmdline,const LaunchOptions & options)292 Process LaunchProcess(const CommandLine& cmdline,
293 const LaunchOptions& options) {
294 return LaunchProcess(cmdline.argv(), options);
295 }
296
LaunchProcess(const std::vector<std::string> & argv,const LaunchOptions & options)297 Process LaunchProcess(const std::vector<std::string>& argv,
298 const LaunchOptions& options) {
299 size_t fd_shuffle_size = 0;
300 if (options.fds_to_remap) {
301 fd_shuffle_size = options.fds_to_remap->size();
302 }
303
304 InjectiveMultimap fd_shuffle1;
305 InjectiveMultimap fd_shuffle2;
306 fd_shuffle1.reserve(fd_shuffle_size);
307 fd_shuffle2.reserve(fd_shuffle_size);
308
309 std::unique_ptr<char* []> argv_cstr(new char*[argv.size() + 1]);
310 for (size_t i = 0; i < argv.size(); i++) {
311 argv_cstr[i] = const_cast<char*>(argv[i].c_str());
312 }
313 argv_cstr[argv.size()] = nullptr;
314
315 std::unique_ptr<char* []> new_environ;
316 char* const empty_environ = nullptr;
317 char* const* old_environ = GetEnvironment();
318 if (options.clear_environ)
319 old_environ = &empty_environ;
320 if (!options.environ.empty())
321 new_environ = AlterEnvironment(old_environ, options.environ);
322
323 sigset_t full_sigset;
324 sigfillset(&full_sigset);
325 const sigset_t orig_sigmask = SetSignalMask(full_sigset);
326
327 const char* current_directory = nullptr;
328 if (!options.current_directory.empty()) {
329 current_directory = options.current_directory.value().c_str();
330 }
331
332 pid_t pid;
333 #if defined(OS_LINUX)
334 if (options.clone_flags) {
335 // Signal handling in this function assumes the creation of a new
336 // process, so we check that a thread is not being created by mistake
337 // and that signal handling follows the process-creation rules.
338 RAW_CHECK(
339 !(options.clone_flags & (CLONE_SIGHAND | CLONE_THREAD | CLONE_VM)));
340
341 // We specify a null ptid and ctid.
342 RAW_CHECK(
343 !(options.clone_flags &
344 (CLONE_CHILD_CLEARTID | CLONE_CHILD_SETTID | CLONE_PARENT_SETTID)));
345
346 // Since we use waitpid, we do not support custom termination signals in the
347 // clone flags.
348 RAW_CHECK((options.clone_flags & 0xff) == 0);
349
350 pid = ForkWithFlags(options.clone_flags | SIGCHLD, nullptr, nullptr);
351 } else
352 #endif
353 {
354 pid = fork();
355 }
356
357 // Always restore the original signal mask in the parent.
358 if (pid != 0) {
359 SetSignalMask(orig_sigmask);
360 }
361
362 if (pid < 0) {
363 DPLOG(ERROR) << "fork";
364 return Process();
365 } else if (pid == 0) {
366 // Child process
367
368 // DANGER: no calls to malloc or locks are allowed from now on:
369 // http://crbug.com/36678
370
371 // DANGER: fork() rule: in the child, if you don't end up doing exec*(),
372 // you call _exit() instead of exit(). This is because _exit() does not
373 // call any previously-registered (in the parent) exit handlers, which
374 // might do things like block waiting for threads that don't even exist
375 // in the child.
376
377 // If a child process uses the readline library, the process block forever.
378 // In BSD like OSes including OS X it is safe to assign /dev/null as stdin.
379 // See http://crbug.com/56596.
380 base::ScopedFD null_fd(HANDLE_EINTR(open("/dev/null", O_RDONLY)));
381 if (!null_fd.is_valid()) {
382 RAW_LOG(ERROR, "Failed to open /dev/null");
383 _exit(127);
384 }
385
386 int new_fd = HANDLE_EINTR(dup2(null_fd.get(), STDIN_FILENO));
387 if (new_fd != STDIN_FILENO) {
388 RAW_LOG(ERROR, "Failed to dup /dev/null for stdin");
389 _exit(127);
390 }
391
392 if (options.new_process_group) {
393 // Instead of inheriting the process group ID of the parent, the child
394 // starts off a new process group with pgid equal to its process ID.
395 if (setpgid(0, 0) < 0) {
396 RAW_LOG(ERROR, "setpgid failed");
397 _exit(127);
398 }
399 }
400
401 if (options.maximize_rlimits) {
402 // Some resource limits need to be maximal in this child.
403 for (size_t i = 0; i < options.maximize_rlimits->size(); ++i) {
404 const int resource = (*options.maximize_rlimits)[i];
405 struct rlimit limit;
406 if (getrlimit(resource, &limit) < 0) {
407 RAW_LOG(WARNING, "getrlimit failed");
408 } else if (limit.rlim_cur < limit.rlim_max) {
409 limit.rlim_cur = limit.rlim_max;
410 if (setrlimit(resource, &limit) < 0) {
411 RAW_LOG(WARNING, "setrlimit failed");
412 }
413 }
414 }
415 }
416
417 #if defined(OS_MACOSX)
418 RestoreDefaultExceptionHandler();
419 #endif // defined(OS_MACOSX)
420
421 ResetChildSignalHandlersToDefaults();
422 SetSignalMask(orig_sigmask);
423
424 #if 0
425 // When debugging it can be helpful to check that we really aren't making
426 // any hidden calls to malloc.
427 void *malloc_thunk =
428 reinterpret_cast<void*>(reinterpret_cast<intptr_t>(malloc) & ~4095);
429 mprotect(malloc_thunk, 4096, PROT_READ | PROT_WRITE | PROT_EXEC);
430 memset(reinterpret_cast<void*>(malloc), 0xff, 8);
431 #endif // 0
432
433 #if defined(OS_CHROMEOS)
434 if (options.ctrl_terminal_fd >= 0) {
435 // Set process' controlling terminal.
436 if (HANDLE_EINTR(setsid()) != -1) {
437 if (HANDLE_EINTR(
438 ioctl(options.ctrl_terminal_fd, TIOCSCTTY, nullptr)) == -1) {
439 RAW_LOG(WARNING, "ioctl(TIOCSCTTY), ctrl terminal not set");
440 }
441 } else {
442 RAW_LOG(WARNING, "setsid failed, ctrl terminal not set");
443 }
444 }
445 #endif // defined(OS_CHROMEOS)
446
447 if (options.fds_to_remap) {
448 // Cannot use STL iterators here, since debug iterators use locks.
449 for (size_t i = 0; i < options.fds_to_remap->size(); ++i) {
450 const FileHandleMappingVector::value_type& value =
451 (*options.fds_to_remap)[i];
452 fd_shuffle1.push_back(InjectionArc(value.first, value.second, false));
453 fd_shuffle2.push_back(InjectionArc(value.first, value.second, false));
454 }
455 }
456
457 if (!options.environ.empty() || options.clear_environ)
458 SetEnvironment(new_environ.get());
459
460 // fd_shuffle1 is mutated by this call because it cannot malloc.
461 if (!ShuffleFileDescriptors(&fd_shuffle1))
462 _exit(127);
463
464 CloseSuperfluousFds(fd_shuffle2);
465
466 // Set NO_NEW_PRIVS by default. Since NO_NEW_PRIVS only exists in kernel
467 // 3.5+, do not check the return value of prctl here.
468 #if defined(OS_LINUX)
469 #ifndef PR_SET_NO_NEW_PRIVS
470 #define PR_SET_NO_NEW_PRIVS 38
471 #endif
472 if (!options.allow_new_privs) {
473 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) && errno != EINVAL) {
474 // Only log if the error is not EINVAL (i.e. not supported).
475 RAW_LOG(FATAL, "prctl(PR_SET_NO_NEW_PRIVS) failed");
476 }
477 }
478
479 if (options.kill_on_parent_death) {
480 if (prctl(PR_SET_PDEATHSIG, SIGKILL) != 0) {
481 RAW_LOG(ERROR, "prctl(PR_SET_PDEATHSIG) failed");
482 _exit(127);
483 }
484 }
485 #endif
486
487 if (current_directory != nullptr) {
488 RAW_CHECK(chdir(current_directory) == 0);
489 }
490
491 if (options.pre_exec_delegate != nullptr) {
492 options.pre_exec_delegate->RunAsyncSafe();
493 }
494
495 execvp(argv_cstr[0], argv_cstr.get());
496
497 RAW_LOG(ERROR, "LaunchProcess: failed to execvp:");
498 RAW_LOG(ERROR, argv_cstr[0]);
499 _exit(127);
500 } else {
501 // Parent process
502 if (options.wait) {
503 // While this isn't strictly disk IO, waiting for another process to
504 // finish is the sort of thing ThreadRestrictions is trying to prevent.
505 base::ThreadRestrictions::AssertIOAllowed();
506 pid_t ret = HANDLE_EINTR(waitpid(pid, 0, 0));
507 DPCHECK(ret > 0);
508 }
509 }
510
511 return Process(pid);
512 }
513
RaiseProcessToHighPriority()514 void RaiseProcessToHighPriority() {
515 // On POSIX, we don't actually do anything here. We could try to nice() or
516 // setpriority() or sched_getscheduler, but these all require extra rights.
517 }
518
519 // Executes the application specified by |argv| and wait for it to exit. Stores
520 // the output (stdout) in |output|. If |do_search_path| is set, it searches the
521 // path for the application; in that case, |envp| must be null, and it will use
522 // the current environment. If |do_search_path| is false, |argv[0]| should fully
523 // specify the path of the application, and |envp| will be used as the
524 // environment. If |include_stderr| is true, includes stderr otherwise redirects
525 // it to /dev/null.
526 // The return value of the function indicates success or failure. In the case of
527 // success, the application exit code will be returned in |*exit_code|, which
528 // should be checked to determine if the application ran successfully.
GetAppOutputInternal(const std::vector<std::string> & argv,char * const envp[],bool include_stderr,std::string * output,bool do_search_path,int * exit_code)529 static bool GetAppOutputInternal(
530 const std::vector<std::string>& argv,
531 char* const envp[],
532 bool include_stderr,
533 std::string* output,
534 bool do_search_path,
535 int* exit_code) {
536 // Doing a blocking wait for another command to finish counts as IO.
537 base::ThreadRestrictions::AssertIOAllowed();
538 // exit_code must be supplied so calling function can determine success.
539 DCHECK(exit_code);
540 *exit_code = EXIT_FAILURE;
541
542 int pipe_fd[2];
543 pid_t pid;
544 InjectiveMultimap fd_shuffle1, fd_shuffle2;
545 std::unique_ptr<char* []> argv_cstr(new char*[argv.size() + 1]);
546
547 fd_shuffle1.reserve(3);
548 fd_shuffle2.reserve(3);
549
550 // Either |do_search_path| should be false or |envp| should be null, but not
551 // both.
552 DCHECK(!do_search_path ^ !envp);
553
554 if (pipe(pipe_fd) < 0)
555 return false;
556
557 switch (pid = fork()) {
558 case -1: // error
559 close(pipe_fd[0]);
560 close(pipe_fd[1]);
561 return false;
562 case 0: // child
563 {
564 // DANGER: no calls to malloc or locks are allowed from now on:
565 // http://crbug.com/36678
566
567 #if defined(OS_MACOSX)
568 RestoreDefaultExceptionHandler();
569 #endif
570
571 // Obscure fork() rule: in the child, if you don't end up doing exec*(),
572 // you call _exit() instead of exit(). This is because _exit() does not
573 // call any previously-registered (in the parent) exit handlers, which
574 // might do things like block waiting for threads that don't even exist
575 // in the child.
576 int dev_null = open("/dev/null", O_WRONLY);
577 if (dev_null < 0)
578 _exit(127);
579
580 fd_shuffle1.push_back(InjectionArc(pipe_fd[1], STDOUT_FILENO, true));
581 fd_shuffle1.push_back(InjectionArc(
582 include_stderr ? pipe_fd[1] : dev_null,
583 STDERR_FILENO, true));
584 fd_shuffle1.push_back(InjectionArc(dev_null, STDIN_FILENO, true));
585 // Adding another element here? Remeber to increase the argument to
586 // reserve(), above.
587
588 for (size_t i = 0; i < fd_shuffle1.size(); ++i)
589 fd_shuffle2.push_back(fd_shuffle1[i]);
590
591 if (!ShuffleFileDescriptors(&fd_shuffle1))
592 _exit(127);
593
594 CloseSuperfluousFds(fd_shuffle2);
595
596 for (size_t i = 0; i < argv.size(); i++)
597 argv_cstr[i] = const_cast<char*>(argv[i].c_str());
598 argv_cstr[argv.size()] = nullptr;
599 if (do_search_path)
600 execvp(argv_cstr[0], argv_cstr.get());
601 else
602 execve(argv_cstr[0], argv_cstr.get(), envp);
603 _exit(127);
604 }
605 default: // parent
606 {
607 // Close our writing end of pipe now. Otherwise later read would not
608 // be able to detect end of child's output (in theory we could still
609 // write to the pipe).
610 close(pipe_fd[1]);
611
612 output->clear();
613
614 while (true) {
615 char buffer[256];
616 ssize_t bytes_read =
617 HANDLE_EINTR(read(pipe_fd[0], buffer, sizeof(buffer)));
618 if (bytes_read <= 0)
619 break;
620 output->append(buffer, bytes_read);
621 }
622 close(pipe_fd[0]);
623
624 // Always wait for exit code (even if we know we'll declare
625 // GOT_MAX_OUTPUT).
626 Process process(pid);
627 return process.WaitForExit(exit_code);
628 }
629 }
630 }
631
GetAppOutput(const CommandLine & cl,std::string * output)632 bool GetAppOutput(const CommandLine& cl, std::string* output) {
633 return GetAppOutput(cl.argv(), output);
634 }
635
GetAppOutput(const std::vector<std::string> & argv,std::string * output)636 bool GetAppOutput(const std::vector<std::string>& argv, std::string* output) {
637 // Run |execve()| with the current environment.
638 int exit_code;
639 bool result =
640 GetAppOutputInternal(argv, nullptr, false, output, true, &exit_code);
641 return result && exit_code == EXIT_SUCCESS;
642 }
643
GetAppOutputAndError(const CommandLine & cl,std::string * output)644 bool GetAppOutputAndError(const CommandLine& cl, std::string* output) {
645 // Run |execve()| with the current environment.
646 int exit_code;
647 bool result =
648 GetAppOutputInternal(cl.argv(), nullptr, true, output, true, &exit_code);
649 return result && exit_code == EXIT_SUCCESS;
650 }
651
GetAppOutputWithExitCode(const CommandLine & cl,std::string * output,int * exit_code)652 bool GetAppOutputWithExitCode(const CommandLine& cl,
653 std::string* output,
654 int* exit_code) {
655 // Run |execve()| with the current environment.
656 return GetAppOutputInternal(cl.argv(), nullptr, false, output, true,
657 exit_code);
658 }
659
660 #endif // !defined(OS_NACL_NONSFI)
661
662 #if defined(OS_LINUX) || defined(OS_NACL_NONSFI)
663 namespace {
664
IsRunningOnValgrind()665 bool IsRunningOnValgrind() {
666 return RUNNING_ON_VALGRIND;
667 }
668
669 // This function runs on the stack specified on the clone call. It uses longjmp
670 // to switch back to the original stack so the child can return from sys_clone.
CloneHelper(void * arg)671 int CloneHelper(void* arg) {
672 jmp_buf* env_ptr = reinterpret_cast<jmp_buf*>(arg);
673 longjmp(*env_ptr, 1);
674
675 // Should not be reached.
676 RAW_CHECK(false);
677 return 1;
678 }
679
680 // This function is noinline to ensure that stack_buf is below the stack pointer
681 // that is saved when setjmp is called below. This is needed because when
682 // compiled with FORTIFY_SOURCE, glibc's longjmp checks that the stack is moved
683 // upwards. See crbug.com/442912 for more details.
684 #if defined(ADDRESS_SANITIZER)
685 // Disable AddressSanitizer instrumentation for this function to make sure
686 // |stack_buf| is allocated on thread stack instead of ASan's fake stack.
687 // Under ASan longjmp() will attempt to clean up the area between the old and
688 // new stack pointers and print a warning that may confuse the user.
689 __attribute__((no_sanitize_address))
690 #endif
CloneAndLongjmpInChild(unsigned long flags,pid_t * ptid,pid_t * ctid,jmp_buf * env)691 NOINLINE pid_t CloneAndLongjmpInChild(unsigned long flags,
692 pid_t* ptid,
693 pid_t* ctid,
694 jmp_buf* env) {
695 // We use the libc clone wrapper instead of making the syscall
696 // directly because making the syscall may fail to update the libc's
697 // internal pid cache. The libc interface unfortunately requires
698 // specifying a new stack, so we use setjmp/longjmp to emulate
699 // fork-like behavior.
700 char stack_buf[PTHREAD_STACK_MIN] ALIGNAS(16);
701 #if defined(ARCH_CPU_X86_FAMILY) || defined(ARCH_CPU_ARM_FAMILY) || \
702 defined(ARCH_CPU_MIPS_FAMILY)
703 // The stack grows downward.
704 void* stack = stack_buf + sizeof(stack_buf);
705 #else
706 #error "Unsupported architecture"
707 #endif
708 return clone(&CloneHelper, stack, flags, env, ptid, nullptr, ctid);
709 }
710
711 } // anonymous namespace
712
ForkWithFlags(unsigned long flags,pid_t * ptid,pid_t * ctid)713 pid_t ForkWithFlags(unsigned long flags, pid_t* ptid, pid_t* ctid) {
714 const bool clone_tls_used = flags & CLONE_SETTLS;
715 const bool invalid_ctid =
716 (flags & (CLONE_CHILD_SETTID | CLONE_CHILD_CLEARTID)) && !ctid;
717 const bool invalid_ptid = (flags & CLONE_PARENT_SETTID) && !ptid;
718
719 // We do not support CLONE_VM.
720 const bool clone_vm_used = flags & CLONE_VM;
721
722 if (clone_tls_used || invalid_ctid || invalid_ptid || clone_vm_used) {
723 RAW_LOG(FATAL, "Invalid usage of ForkWithFlags");
724 }
725
726 // Valgrind's clone implementation does not support specifiying a child_stack
727 // without CLONE_VM, so we cannot use libc's clone wrapper when running under
728 // Valgrind. As a result, the libc pid cache may be incorrect under Valgrind.
729 // See crbug.com/442817 for more details.
730 if (IsRunningOnValgrind()) {
731 // See kernel/fork.c in Linux. There is different ordering of sys_clone
732 // parameters depending on CONFIG_CLONE_BACKWARDS* configuration options.
733 #if defined(ARCH_CPU_X86_64)
734 return syscall(__NR_clone, flags, nullptr, ptid, ctid, nullptr);
735 #elif defined(ARCH_CPU_X86) || defined(ARCH_CPU_ARM_FAMILY) || \
736 defined(ARCH_CPU_MIPS_FAMILY)
737 // CONFIG_CLONE_BACKWARDS defined.
738 return syscall(__NR_clone, flags, nullptr, ptid, nullptr, ctid);
739 #else
740 #error "Unsupported architecture"
741 #endif
742 }
743
744 jmp_buf env;
745 if (setjmp(env) == 0) {
746 return CloneAndLongjmpInChild(flags, ptid, ctid, &env);
747 }
748
749 return 0;
750 }
751 #endif // defined(OS_LINUX) || defined(OS_NACL_NONSFI)
752
753 } // namespace base
754