1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #include "base/process/launch.h" 6 7 #include <dirent.h> 8 #include <errno.h> 9 #include <fcntl.h> 10 #include <sched.h> 11 #include <setjmp.h> 12 #include <signal.h> 13 #include <stddef.h> 14 #include <stdint.h> 15 #include <stdlib.h> 16 #include <sys/resource.h> 17 #include <sys/syscall.h> 18 #include <sys/time.h> 19 #include <sys/types.h> 20 #include <sys/wait.h> 21 #include <unistd.h> 22 23 #include <iterator> 24 #include <limits> 25 #include <set> 26 27 #include "base/command_line.h" 28 #include "base/compiler_specific.h" 29 #include "base/debug/debugger.h" 30 #include "base/debug/stack_trace.h" 31 #include "base/files/dir_reader_posix.h" 32 #include "base/files/file_util.h" 33 #include "base/files/scoped_file.h" 34 #include "base/logging.h" 35 #include "base/memory/scoped_ptr.h" 36 #include "base/posix/eintr_wrapper.h" 37 #include "base/process/process.h" 38 #include "base/process/process_metrics.h" 39 #include "base/strings/stringprintf.h" 40 #include "base/synchronization/waitable_event.h" 41 #include "base/threading/platform_thread.h" 42 #include "base/threading/thread_restrictions.h" 43 #include "build/build_config.h" 44 #include "third_party/valgrind/valgrind.h" 45 46 #if defined(OS_LINUX) 47 #include <sys/prctl.h> 48 #endif 49 50 #if defined(OS_CHROMEOS) 51 #include <sys/ioctl.h> 52 #endif 53 54 #if defined(OS_FREEBSD) 55 #include <sys/event.h> 56 #include <sys/ucontext.h> 57 #endif 58 59 #if defined(OS_MACOSX) 60 #include <crt_externs.h> 61 #include <sys/event.h> 62 #else 63 extern char** environ; 64 #endif 65 66 namespace base { 67 68 #if !defined(OS_NACL_NONSFI) 69 70 namespace { 71 72 // Get the process's "environment" (i.e. the thing that setenv/getenv 73 // work with). 74 char** GetEnvironment() { 75 #if defined(OS_MACOSX) 76 return *_NSGetEnviron(); 77 #else 78 return environ; 79 #endif 80 } 81 82 // Set the process's "environment" (i.e. the thing that setenv/getenv 83 // work with). 84 void SetEnvironment(char** env) { 85 #if defined(OS_MACOSX) 86 *_NSGetEnviron() = env; 87 #else 88 environ = env; 89 #endif 90 } 91 92 // Set the calling thread's signal mask to new_sigmask and return 93 // the previous signal mask. 94 sigset_t SetSignalMask(const sigset_t& new_sigmask) { 95 sigset_t old_sigmask; 96 #if defined(OS_ANDROID) 97 // POSIX says pthread_sigmask() must be used in multi-threaded processes, 98 // but Android's pthread_sigmask() was broken until 4.1: 99 // https://code.google.com/p/android/issues/detail?id=15337 100 // http://stackoverflow.com/questions/13777109/pthread-sigmask-on-android-not-working 101 RAW_CHECK(sigprocmask(SIG_SETMASK, &new_sigmask, &old_sigmask) == 0); 102 #else 103 RAW_CHECK(pthread_sigmask(SIG_SETMASK, &new_sigmask, &old_sigmask) == 0); 104 #endif 105 return old_sigmask; 106 } 107 108 #if !defined(OS_LINUX) || \ 109 (!defined(__i386__) && !defined(__x86_64__) && !defined(__arm__)) 110 void ResetChildSignalHandlersToDefaults() { 111 // The previous signal handlers are likely to be meaningless in the child's 112 // context so we reset them to the defaults for now. http://crbug.com/44953 113 // These signal handlers are set up at least in browser_main_posix.cc: 114 // BrowserMainPartsPosix::PreEarlyInitialization and stack_trace_posix.cc: 115 // EnableInProcessStackDumping. 116 signal(SIGHUP, SIG_DFL); 117 signal(SIGINT, SIG_DFL); 118 signal(SIGILL, SIG_DFL); 119 signal(SIGABRT, SIG_DFL); 120 signal(SIGFPE, SIG_DFL); 121 signal(SIGBUS, SIG_DFL); 122 signal(SIGSEGV, SIG_DFL); 123 signal(SIGSYS, SIG_DFL); 124 signal(SIGTERM, SIG_DFL); 125 } 126 127 #else 128 129 // TODO(jln): remove the Linux special case once kernels are fixed. 130 131 // Internally the kernel makes sigset_t an array of long large enough to have 132 // one bit per signal. 133 typedef uint64_t kernel_sigset_t; 134 135 // This is what struct sigaction looks like to the kernel at least on X86 and 136 // ARM. MIPS, for instance, is very different. 137 struct kernel_sigaction { 138 void* k_sa_handler; // For this usage it only needs to be a generic pointer. 139 unsigned long k_sa_flags; 140 void* k_sa_restorer; // For this usage it only needs to be a generic pointer. 141 kernel_sigset_t k_sa_mask; 142 }; 143 144 // glibc's sigaction() will prevent access to sa_restorer, so we need to roll 145 // our own. 146 int sys_rt_sigaction(int sig, const struct kernel_sigaction* act, 147 struct kernel_sigaction* oact) { 148 return syscall(SYS_rt_sigaction, sig, act, oact, sizeof(kernel_sigset_t)); 149 } 150 151 // This function is intended to be used in between fork() and execve() and will 152 // reset all signal handlers to the default. 153 // The motivation for going through all of them is that sa_restorer can leak 154 // from parents and help defeat ASLR on buggy kernels. We reset it to NULL. 155 // See crbug.com/177956. 156 void ResetChildSignalHandlersToDefaults(void) { 157 for (int signum = 1; ; ++signum) { 158 struct kernel_sigaction act; 159 memset(&act, 0, sizeof(act)); 160 int sigaction_get_ret = sys_rt_sigaction(signum, NULL, &act); 161 if (sigaction_get_ret && errno == EINVAL) { 162 #if !defined(NDEBUG) 163 // Linux supports 32 real-time signals from 33 to 64. 164 // If the number of signals in the Linux kernel changes, someone should 165 // look at this code. 166 const int kNumberOfSignals = 64; 167 RAW_CHECK(signum == kNumberOfSignals + 1); 168 #endif // !defined(NDEBUG) 169 break; 170 } 171 // All other failures are fatal. 172 if (sigaction_get_ret) { 173 RAW_LOG(FATAL, "sigaction (get) failed."); 174 } 175 176 // The kernel won't allow to re-set SIGKILL or SIGSTOP. 177 if (signum != SIGSTOP && signum != SIGKILL) { 178 act.k_sa_handler = reinterpret_cast<void*>(SIG_DFL); 179 act.k_sa_restorer = NULL; 180 if (sys_rt_sigaction(signum, &act, NULL)) { 181 RAW_LOG(FATAL, "sigaction (set) failed."); 182 } 183 } 184 #if !defined(NDEBUG) 185 // Now ask the kernel again and check that no restorer will leak. 186 if (sys_rt_sigaction(signum, NULL, &act) || act.k_sa_restorer) { 187 RAW_LOG(FATAL, "Cound not fix sa_restorer."); 188 } 189 #endif // !defined(NDEBUG) 190 } 191 } 192 #endif // !defined(OS_LINUX) || 193 // (!defined(__i386__) && !defined(__x86_64__) && !defined(__arm__)) 194 } // anonymous namespace 195 196 // Functor for |ScopedDIR| (below). 197 struct ScopedDIRClose { 198 inline void operator()(DIR* x) const { 199 if (x) 200 closedir(x); 201 } 202 }; 203 204 // Automatically closes |DIR*|s. 205 typedef scoped_ptr<DIR, ScopedDIRClose> ScopedDIR; 206 207 #if defined(OS_LINUX) 208 static const char kFDDir[] = "/proc/self/fd"; 209 #elif defined(OS_MACOSX) 210 static const char kFDDir[] = "/dev/fd"; 211 #elif defined(OS_SOLARIS) 212 static const char kFDDir[] = "/dev/fd"; 213 #elif defined(OS_FREEBSD) 214 static const char kFDDir[] = "/dev/fd"; 215 #elif defined(OS_OPENBSD) 216 static const char kFDDir[] = "/dev/fd"; 217 #elif defined(OS_ANDROID) 218 static const char kFDDir[] = "/proc/self/fd"; 219 #endif 220 221 void CloseSuperfluousFds(const base::InjectiveMultimap& saved_mapping) { 222 // DANGER: no calls to malloc or locks are allowed from now on: 223 // http://crbug.com/36678 224 225 // Get the maximum number of FDs possible. 226 size_t max_fds = GetMaxFds(); 227 228 DirReaderPosix fd_dir(kFDDir); 229 if (!fd_dir.IsValid()) { 230 // Fallback case: Try every possible fd. 231 for (size_t i = 0; i < max_fds; ++i) { 232 const int fd = static_cast<int>(i); 233 if (fd == STDIN_FILENO || fd == STDOUT_FILENO || fd == STDERR_FILENO) 234 continue; 235 // Cannot use STL iterators here, since debug iterators use locks. 236 size_t j; 237 for (j = 0; j < saved_mapping.size(); j++) { 238 if (fd == saved_mapping[j].dest) 239 break; 240 } 241 if (j < saved_mapping.size()) 242 continue; 243 244 // Since we're just trying to close anything we can find, 245 // ignore any error return values of close(). 246 close(fd); 247 } 248 return; 249 } 250 251 const int dir_fd = fd_dir.fd(); 252 253 for ( ; fd_dir.Next(); ) { 254 // Skip . and .. entries. 255 if (fd_dir.name()[0] == '.') 256 continue; 257 258 char *endptr; 259 errno = 0; 260 const long int fd = strtol(fd_dir.name(), &endptr, 10); 261 if (fd_dir.name()[0] == 0 || *endptr || fd < 0 || errno) 262 continue; 263 if (fd == STDIN_FILENO || fd == STDOUT_FILENO || fd == STDERR_FILENO) 264 continue; 265 // Cannot use STL iterators here, since debug iterators use locks. 266 size_t i; 267 for (i = 0; i < saved_mapping.size(); i++) { 268 if (fd == saved_mapping[i].dest) 269 break; 270 } 271 if (i < saved_mapping.size()) 272 continue; 273 if (fd == dir_fd) 274 continue; 275 276 // When running under Valgrind, Valgrind opens several FDs for its 277 // own use and will complain if we try to close them. All of 278 // these FDs are >= |max_fds|, so we can check against that here 279 // before closing. See https://bugs.kde.org/show_bug.cgi?id=191758 280 if (fd < static_cast<int>(max_fds)) { 281 int ret = IGNORE_EINTR(close(fd)); 282 DPCHECK(ret == 0); 283 } 284 } 285 } 286 287 Process LaunchProcess(const CommandLine& cmdline, 288 const LaunchOptions& options) { 289 return LaunchProcess(cmdline.argv(), options); 290 } 291 292 Process LaunchProcess(const std::vector<std::string>& argv, 293 const LaunchOptions& options) { 294 size_t fd_shuffle_size = 0; 295 if (options.fds_to_remap) { 296 fd_shuffle_size = options.fds_to_remap->size(); 297 } 298 299 InjectiveMultimap fd_shuffle1; 300 InjectiveMultimap fd_shuffle2; 301 fd_shuffle1.reserve(fd_shuffle_size); 302 fd_shuffle2.reserve(fd_shuffle_size); 303 304 scoped_ptr<char* []> argv_cstr(new char* [argv.size() + 1]); 305 for (size_t i = 0; i < argv.size(); i++) { 306 argv_cstr[i] = const_cast<char*>(argv[i].c_str()); 307 } 308 argv_cstr[argv.size()] = NULL; 309 310 scoped_ptr<char*[]> new_environ; 311 char* const empty_environ = NULL; 312 char* const* old_environ = GetEnvironment(); 313 if (options.clear_environ) 314 old_environ = &empty_environ; 315 if (!options.environ.empty()) 316 new_environ = AlterEnvironment(old_environ, options.environ); 317 318 sigset_t full_sigset; 319 sigfillset(&full_sigset); 320 const sigset_t orig_sigmask = SetSignalMask(full_sigset); 321 322 const char* current_directory = nullptr; 323 if (!options.current_directory.empty()) { 324 current_directory = options.current_directory.value().c_str(); 325 } 326 327 pid_t pid; 328 #if defined(OS_LINUX) 329 if (options.clone_flags) { 330 // Signal handling in this function assumes the creation of a new 331 // process, so we check that a thread is not being created by mistake 332 // and that signal handling follows the process-creation rules. 333 RAW_CHECK( 334 !(options.clone_flags & (CLONE_SIGHAND | CLONE_THREAD | CLONE_VM))); 335 336 // We specify a null ptid and ctid. 337 RAW_CHECK( 338 !(options.clone_flags & 339 (CLONE_CHILD_CLEARTID | CLONE_CHILD_SETTID | CLONE_PARENT_SETTID))); 340 341 // Since we use waitpid, we do not support custom termination signals in the 342 // clone flags. 343 RAW_CHECK((options.clone_flags & 0xff) == 0); 344 345 pid = ForkWithFlags(options.clone_flags | SIGCHLD, nullptr, nullptr); 346 } else 347 #endif 348 { 349 pid = fork(); 350 } 351 352 // Always restore the original signal mask in the parent. 353 if (pid != 0) { 354 SetSignalMask(orig_sigmask); 355 } 356 357 if (pid < 0) { 358 DPLOG(ERROR) << "fork"; 359 return Process(); 360 } else if (pid == 0) { 361 // Child process 362 363 // DANGER: no calls to malloc or locks are allowed from now on: 364 // http://crbug.com/36678 365 366 // DANGER: fork() rule: in the child, if you don't end up doing exec*(), 367 // you call _exit() instead of exit(). This is because _exit() does not 368 // call any previously-registered (in the parent) exit handlers, which 369 // might do things like block waiting for threads that don't even exist 370 // in the child. 371 372 // If a child process uses the readline library, the process block forever. 373 // In BSD like OSes including OS X it is safe to assign /dev/null as stdin. 374 // See http://crbug.com/56596. 375 base::ScopedFD null_fd(HANDLE_EINTR(open("/dev/null", O_RDONLY))); 376 if (!null_fd.is_valid()) { 377 RAW_LOG(ERROR, "Failed to open /dev/null"); 378 _exit(127); 379 } 380 381 int new_fd = HANDLE_EINTR(dup2(null_fd.get(), STDIN_FILENO)); 382 if (new_fd != STDIN_FILENO) { 383 RAW_LOG(ERROR, "Failed to dup /dev/null for stdin"); 384 _exit(127); 385 } 386 387 if (options.new_process_group) { 388 // Instead of inheriting the process group ID of the parent, the child 389 // starts off a new process group with pgid equal to its process ID. 390 if (setpgid(0, 0) < 0) { 391 RAW_LOG(ERROR, "setpgid failed"); 392 _exit(127); 393 } 394 } 395 396 if (options.maximize_rlimits) { 397 // Some resource limits need to be maximal in this child. 398 for (size_t i = 0; i < options.maximize_rlimits->size(); ++i) { 399 const int resource = (*options.maximize_rlimits)[i]; 400 struct rlimit limit; 401 if (getrlimit(resource, &limit) < 0) { 402 RAW_LOG(WARNING, "getrlimit failed"); 403 } else if (limit.rlim_cur < limit.rlim_max) { 404 limit.rlim_cur = limit.rlim_max; 405 if (setrlimit(resource, &limit) < 0) { 406 RAW_LOG(WARNING, "setrlimit failed"); 407 } 408 } 409 } 410 } 411 412 #if defined(OS_MACOSX) 413 RestoreDefaultExceptionHandler(); 414 #endif // defined(OS_MACOSX) 415 416 ResetChildSignalHandlersToDefaults(); 417 SetSignalMask(orig_sigmask); 418 419 #if 0 420 // When debugging it can be helpful to check that we really aren't making 421 // any hidden calls to malloc. 422 void *malloc_thunk = 423 reinterpret_cast<void*>(reinterpret_cast<intptr_t>(malloc) & ~4095); 424 mprotect(malloc_thunk, 4096, PROT_READ | PROT_WRITE | PROT_EXEC); 425 memset(reinterpret_cast<void*>(malloc), 0xff, 8); 426 #endif // 0 427 428 #if defined(OS_CHROMEOS) 429 if (options.ctrl_terminal_fd >= 0) { 430 // Set process' controlling terminal. 431 if (HANDLE_EINTR(setsid()) != -1) { 432 if (HANDLE_EINTR( 433 ioctl(options.ctrl_terminal_fd, TIOCSCTTY, NULL)) == -1) { 434 RAW_LOG(WARNING, "ioctl(TIOCSCTTY), ctrl terminal not set"); 435 } 436 } else { 437 RAW_LOG(WARNING, "setsid failed, ctrl terminal not set"); 438 } 439 } 440 #endif // defined(OS_CHROMEOS) 441 442 if (options.fds_to_remap) { 443 // Cannot use STL iterators here, since debug iterators use locks. 444 for (size_t i = 0; i < options.fds_to_remap->size(); ++i) { 445 const FileHandleMappingVector::value_type& value = 446 (*options.fds_to_remap)[i]; 447 fd_shuffle1.push_back(InjectionArc(value.first, value.second, false)); 448 fd_shuffle2.push_back(InjectionArc(value.first, value.second, false)); 449 } 450 } 451 452 if (!options.environ.empty() || options.clear_environ) 453 SetEnvironment(new_environ.get()); 454 455 // fd_shuffle1 is mutated by this call because it cannot malloc. 456 if (!ShuffleFileDescriptors(&fd_shuffle1)) 457 _exit(127); 458 459 CloseSuperfluousFds(fd_shuffle2); 460 461 // Set NO_NEW_PRIVS by default. Since NO_NEW_PRIVS only exists in kernel 462 // 3.5+, do not check the return value of prctl here. 463 #if defined(OS_LINUX) 464 #ifndef PR_SET_NO_NEW_PRIVS 465 #define PR_SET_NO_NEW_PRIVS 38 466 #endif 467 if (!options.allow_new_privs) { 468 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) && errno != EINVAL) { 469 // Only log if the error is not EINVAL (i.e. not supported). 470 RAW_LOG(FATAL, "prctl(PR_SET_NO_NEW_PRIVS) failed"); 471 } 472 } 473 474 if (options.kill_on_parent_death) { 475 if (prctl(PR_SET_PDEATHSIG, SIGKILL) != 0) { 476 RAW_LOG(ERROR, "prctl(PR_SET_PDEATHSIG) failed"); 477 _exit(127); 478 } 479 } 480 #endif 481 482 if (current_directory != nullptr) { 483 RAW_CHECK(chdir(current_directory) == 0); 484 } 485 486 if (options.pre_exec_delegate != nullptr) { 487 options.pre_exec_delegate->RunAsyncSafe(); 488 } 489 490 execvp(argv_cstr[0], argv_cstr.get()); 491 492 RAW_LOG(ERROR, "LaunchProcess: failed to execvp:"); 493 RAW_LOG(ERROR, argv_cstr[0]); 494 _exit(127); 495 } else { 496 // Parent process 497 if (options.wait) { 498 // While this isn't strictly disk IO, waiting for another process to 499 // finish is the sort of thing ThreadRestrictions is trying to prevent. 500 base::ThreadRestrictions::AssertIOAllowed(); 501 pid_t ret = HANDLE_EINTR(waitpid(pid, 0, 0)); 502 DPCHECK(ret > 0); 503 } 504 } 505 506 return Process(pid); 507 } 508 509 void RaiseProcessToHighPriority() { 510 // On POSIX, we don't actually do anything here. We could try to nice() or 511 // setpriority() or sched_getscheduler, but these all require extra rights. 512 } 513 514 // Return value used by GetAppOutputInternal to encapsulate the various exit 515 // scenarios from the function. 516 enum GetAppOutputInternalResult { 517 EXECUTE_FAILURE, 518 EXECUTE_SUCCESS, 519 GOT_MAX_OUTPUT, 520 }; 521 522 // Executes the application specified by |argv| and wait for it to exit. Stores 523 // the output (stdout) in |output|. If |do_search_path| is set, it searches the 524 // path for the application; in that case, |envp| must be null, and it will use 525 // the current environment. If |do_search_path| is false, |argv[0]| should fully 526 // specify the path of the application, and |envp| will be used as the 527 // environment. If |include_stderr| is true, includes stderr otherwise redirects 528 // it to /dev/null. 529 // If we successfully start the application and get all requested output, we 530 // return GOT_MAX_OUTPUT, or if there is a problem starting or exiting 531 // the application we return RUN_FAILURE. Otherwise we return EXECUTE_SUCCESS. 532 // The GOT_MAX_OUTPUT return value exists so a caller that asks for limited 533 // output can treat this as a success, despite having an exit code of SIG_PIPE 534 // due to us closing the output pipe. 535 // In the case of EXECUTE_SUCCESS, the application exit code will be returned 536 // in |*exit_code|, which should be checked to determine if the application 537 // ran successfully. 538 static GetAppOutputInternalResult GetAppOutputInternal( 539 const std::vector<std::string>& argv, 540 char* const envp[], 541 bool include_stderr, 542 std::string* output, 543 size_t max_output, 544 bool do_search_path, 545 int* exit_code) { 546 // Doing a blocking wait for another command to finish counts as IO. 547 base::ThreadRestrictions::AssertIOAllowed(); 548 // exit_code must be supplied so calling function can determine success. 549 DCHECK(exit_code); 550 *exit_code = EXIT_FAILURE; 551 552 int pipe_fd[2]; 553 pid_t pid; 554 InjectiveMultimap fd_shuffle1, fd_shuffle2; 555 scoped_ptr<char*[]> argv_cstr(new char*[argv.size() + 1]); 556 557 fd_shuffle1.reserve(3); 558 fd_shuffle2.reserve(3); 559 560 // Either |do_search_path| should be false or |envp| should be null, but not 561 // both. 562 DCHECK(!do_search_path ^ !envp); 563 564 if (pipe(pipe_fd) < 0) 565 return EXECUTE_FAILURE; 566 567 switch (pid = fork()) { 568 case -1: // error 569 close(pipe_fd[0]); 570 close(pipe_fd[1]); 571 return EXECUTE_FAILURE; 572 case 0: // child 573 { 574 // DANGER: no calls to malloc or locks are allowed from now on: 575 // http://crbug.com/36678 576 577 #if defined(OS_MACOSX) 578 RestoreDefaultExceptionHandler(); 579 #endif 580 581 // Obscure fork() rule: in the child, if you don't end up doing exec*(), 582 // you call _exit() instead of exit(). This is because _exit() does not 583 // call any previously-registered (in the parent) exit handlers, which 584 // might do things like block waiting for threads that don't even exist 585 // in the child. 586 int dev_null = open("/dev/null", O_WRONLY); 587 if (dev_null < 0) 588 _exit(127); 589 590 fd_shuffle1.push_back(InjectionArc(pipe_fd[1], STDOUT_FILENO, true)); 591 fd_shuffle1.push_back(InjectionArc( 592 include_stderr ? pipe_fd[1] : dev_null, 593 STDERR_FILENO, true)); 594 fd_shuffle1.push_back(InjectionArc(dev_null, STDIN_FILENO, true)); 595 // Adding another element here? Remeber to increase the argument to 596 // reserve(), above. 597 598 for (size_t i = 0; i < fd_shuffle1.size(); ++i) 599 fd_shuffle2.push_back(fd_shuffle1[i]); 600 601 if (!ShuffleFileDescriptors(&fd_shuffle1)) 602 _exit(127); 603 604 CloseSuperfluousFds(fd_shuffle2); 605 606 for (size_t i = 0; i < argv.size(); i++) 607 argv_cstr[i] = const_cast<char*>(argv[i].c_str()); 608 argv_cstr[argv.size()] = NULL; 609 if (do_search_path) 610 execvp(argv_cstr[0], argv_cstr.get()); 611 else 612 execve(argv_cstr[0], argv_cstr.get(), envp); 613 _exit(127); 614 } 615 default: // parent 616 { 617 // Close our writing end of pipe now. Otherwise later read would not 618 // be able to detect end of child's output (in theory we could still 619 // write to the pipe). 620 close(pipe_fd[1]); 621 622 output->clear(); 623 char buffer[256]; 624 size_t output_buf_left = max_output; 625 ssize_t bytes_read = 1; // A lie to properly handle |max_output == 0| 626 // case in the logic below. 627 628 while (output_buf_left > 0) { 629 bytes_read = HANDLE_EINTR(read(pipe_fd[0], buffer, 630 std::min(output_buf_left, sizeof(buffer)))); 631 if (bytes_read <= 0) 632 break; 633 output->append(buffer, bytes_read); 634 output_buf_left -= static_cast<size_t>(bytes_read); 635 } 636 close(pipe_fd[0]); 637 638 // Always wait for exit code (even if we know we'll declare 639 // GOT_MAX_OUTPUT). 640 Process process(pid); 641 bool success = process.WaitForExit(exit_code); 642 643 // If we stopped because we read as much as we wanted, we return 644 // GOT_MAX_OUTPUT (because the child may exit due to |SIGPIPE|). 645 if (!output_buf_left && bytes_read > 0) 646 return GOT_MAX_OUTPUT; 647 else if (success) 648 return EXECUTE_SUCCESS; 649 return EXECUTE_FAILURE; 650 } 651 } 652 } 653 654 bool GetAppOutput(const CommandLine& cl, std::string* output) { 655 return GetAppOutput(cl.argv(), output); 656 } 657 658 bool GetAppOutput(const std::vector<std::string>& argv, std::string* output) { 659 // Run |execve()| with the current environment and store "unlimited" data. 660 int exit_code; 661 GetAppOutputInternalResult result = GetAppOutputInternal( 662 argv, NULL, false, output, std::numeric_limits<std::size_t>::max(), true, 663 &exit_code); 664 return result == EXECUTE_SUCCESS && exit_code == EXIT_SUCCESS; 665 } 666 667 bool GetAppOutputAndError(const CommandLine& cl, std::string* output) { 668 // Run |execve()| with the current environment and store "unlimited" data. 669 int exit_code; 670 GetAppOutputInternalResult result = GetAppOutputInternal( 671 cl.argv(), NULL, true, output, std::numeric_limits<std::size_t>::max(), 672 true, &exit_code); 673 return result == EXECUTE_SUCCESS && exit_code == EXIT_SUCCESS; 674 } 675 676 // TODO(viettrungluu): Conceivably, we should have a timeout as well, so we 677 // don't hang if what we're calling hangs. 678 bool GetAppOutputRestricted(const CommandLine& cl, 679 std::string* output, size_t max_output) { 680 // Run |execve()| with the empty environment. 681 char* const empty_environ = NULL; 682 int exit_code; 683 GetAppOutputInternalResult result = GetAppOutputInternal( 684 cl.argv(), &empty_environ, false, output, max_output, false, &exit_code); 685 return result == GOT_MAX_OUTPUT || (result == EXECUTE_SUCCESS && 686 exit_code == EXIT_SUCCESS); 687 } 688 689 bool GetAppOutputWithExitCode(const CommandLine& cl, 690 std::string* output, 691 int* exit_code) { 692 // Run |execve()| with the current environment and store "unlimited" data. 693 GetAppOutputInternalResult result = GetAppOutputInternal( 694 cl.argv(), NULL, false, output, std::numeric_limits<std::size_t>::max(), 695 true, exit_code); 696 return result == EXECUTE_SUCCESS; 697 } 698 699 #endif // !defined(OS_NACL_NONSFI) 700 701 #if defined(OS_LINUX) || defined(OS_NACL_NONSFI) 702 namespace { 703 704 bool IsRunningOnValgrind() { 705 return RUNNING_ON_VALGRIND; 706 } 707 708 // This function runs on the stack specified on the clone call. It uses longjmp 709 // to switch back to the original stack so the child can return from sys_clone. 710 int CloneHelper(void* arg) { 711 jmp_buf* env_ptr = reinterpret_cast<jmp_buf*>(arg); 712 longjmp(*env_ptr, 1); 713 714 // Should not be reached. 715 RAW_CHECK(false); 716 return 1; 717 } 718 719 // This function is noinline to ensure that stack_buf is below the stack pointer 720 // that is saved when setjmp is called below. This is needed because when 721 // compiled with FORTIFY_SOURCE, glibc's longjmp checks that the stack is moved 722 // upwards. See crbug.com/442912 for more details. 723 #if defined(ADDRESS_SANITIZER) 724 // Disable AddressSanitizer instrumentation for this function to make sure 725 // |stack_buf| is allocated on thread stack instead of ASan's fake stack. 726 // Under ASan longjmp() will attempt to clean up the area between the old and 727 // new stack pointers and print a warning that may confuse the user. 728 __attribute__((no_sanitize_address)) 729 #endif 730 NOINLINE pid_t CloneAndLongjmpInChild(unsigned long flags, 731 pid_t* ptid, 732 pid_t* ctid, 733 jmp_buf* env) { 734 // We use the libc clone wrapper instead of making the syscall 735 // directly because making the syscall may fail to update the libc's 736 // internal pid cache. The libc interface unfortunately requires 737 // specifying a new stack, so we use setjmp/longjmp to emulate 738 // fork-like behavior. 739 char stack_buf[PTHREAD_STACK_MIN]; 740 #if defined(ARCH_CPU_X86_FAMILY) || defined(ARCH_CPU_ARM_FAMILY) || \ 741 defined(ARCH_CPU_MIPS64_FAMILY) || defined(ARCH_CPU_MIPS_FAMILY) 742 // The stack grows downward. 743 void* stack = stack_buf + sizeof(stack_buf); 744 #else 745 #error "Unsupported architecture" 746 #endif 747 return clone(&CloneHelper, stack, flags, env, ptid, nullptr, ctid); 748 } 749 750 } // anonymous namespace 751 752 pid_t ForkWithFlags(unsigned long flags, pid_t* ptid, pid_t* ctid) { 753 const bool clone_tls_used = flags & CLONE_SETTLS; 754 const bool invalid_ctid = 755 (flags & (CLONE_CHILD_SETTID | CLONE_CHILD_CLEARTID)) && !ctid; 756 const bool invalid_ptid = (flags & CLONE_PARENT_SETTID) && !ptid; 757 758 // We do not support CLONE_VM. 759 const bool clone_vm_used = flags & CLONE_VM; 760 761 if (clone_tls_used || invalid_ctid || invalid_ptid || clone_vm_used) { 762 RAW_LOG(FATAL, "Invalid usage of ForkWithFlags"); 763 } 764 765 // Valgrind's clone implementation does not support specifiying a child_stack 766 // without CLONE_VM, so we cannot use libc's clone wrapper when running under 767 // Valgrind. As a result, the libc pid cache may be incorrect under Valgrind. 768 // See crbug.com/442817 for more details. 769 if (IsRunningOnValgrind()) { 770 // See kernel/fork.c in Linux. There is different ordering of sys_clone 771 // parameters depending on CONFIG_CLONE_BACKWARDS* configuration options. 772 #if defined(ARCH_CPU_X86_64) 773 return syscall(__NR_clone, flags, nullptr, ptid, ctid, nullptr); 774 #elif defined(ARCH_CPU_X86) || defined(ARCH_CPU_ARM_FAMILY) || \ 775 defined(ARCH_CPU_MIPS_FAMILY) || defined(ARCH_CPU_MIPS64_FAMILY) 776 // CONFIG_CLONE_BACKWARDS defined. 777 return syscall(__NR_clone, flags, nullptr, ptid, nullptr, ctid); 778 #else 779 #error "Unsupported architecture" 780 #endif 781 } 782 783 jmp_buf env; 784 if (setjmp(env) == 0) { 785 return CloneAndLongjmpInChild(flags, ptid, ctid, &env); 786 } 787 788 return 0; 789 } 790 #endif // defined(OS_LINUX) || defined(OS_NACL_NONSFI) 791 792 } // namespace base 793
