1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #include "base/process/launch.h" 6 7 #include <dirent.h> 8 #include <errno.h> 9 #include <fcntl.h> 10 #include <sched.h> 11 #include <setjmp.h> 12 #include <signal.h> 13 #include <stddef.h> 14 #include <stdint.h> 15 #include <stdlib.h> 16 #include <sys/resource.h> 17 #include <sys/syscall.h> 18 #include <sys/time.h> 19 #include <sys/types.h> 20 #include <sys/wait.h> 21 #include <unistd.h> 22 23 #include <iterator> 24 #include <limits> 25 #include <memory> 26 #include <set> 27 28 #include "base/command_line.h" 29 #include "base/compiler_specific.h" 30 #include "base/debug/debugger.h" 31 #include "base/debug/stack_trace.h" 32 #include "base/files/dir_reader_posix.h" 33 #include "base/files/file_util.h" 34 #include "base/files/scoped_file.h" 35 #include "base/logging.h" 36 #include "base/posix/eintr_wrapper.h" 37 #include "base/process/process.h" 38 #include "base/process/process_metrics.h" 39 #include "base/strings/stringprintf.h" 40 #include "base/synchronization/waitable_event.h" 41 #include "base/third_party/dynamic_annotations/dynamic_annotations.h" 42 #include "base/third_party/valgrind/valgrind.h" 43 #include "base/threading/platform_thread.h" 44 #include "base/threading/thread_restrictions.h" 45 #include "build/build_config.h" 46 47 #if defined(OS_LINUX) 48 #include <sys/prctl.h> 49 #endif 50 51 #if defined(OS_CHROMEOS) 52 #include <sys/ioctl.h> 53 #endif 54 55 #if defined(OS_FREEBSD) 56 #include <sys/event.h> 57 #include <sys/ucontext.h> 58 #endif 59 60 #if defined(OS_MACOSX) 61 #include <crt_externs.h> 62 #include <sys/event.h> 63 #else 64 extern char** environ; 65 #endif 66 67 namespace base { 68 69 #if !defined(OS_NACL_NONSFI) 70 71 namespace { 72 73 // Get the process's "environment" (i.e. the thing that setenv/getenv 74 // work with). 75 char** GetEnvironment() { 76 #if defined(OS_MACOSX) 77 return *_NSGetEnviron(); 78 #else 79 return environ; 80 #endif 81 } 82 83 // Set the process's "environment" (i.e. the thing that setenv/getenv 84 // work with). 85 void SetEnvironment(char** env) { 86 #if defined(OS_MACOSX) 87 *_NSGetEnviron() = env; 88 #else 89 environ = env; 90 #endif 91 } 92 93 // Set the calling thread's signal mask to new_sigmask and return 94 // the previous signal mask. 95 sigset_t SetSignalMask(const sigset_t& new_sigmask) { 96 sigset_t old_sigmask; 97 #if defined(OS_ANDROID) 98 // POSIX says pthread_sigmask() must be used in multi-threaded processes, 99 // but Android's pthread_sigmask() was broken until 4.1: 100 // https://code.google.com/p/android/issues/detail?id=15337 101 // http://stackoverflow.com/questions/13777109/pthread-sigmask-on-android-not-working 102 RAW_CHECK(sigprocmask(SIG_SETMASK, &new_sigmask, &old_sigmask) == 0); 103 #else 104 RAW_CHECK(pthread_sigmask(SIG_SETMASK, &new_sigmask, &old_sigmask) == 0); 105 #endif 106 return old_sigmask; 107 } 108 109 #if !defined(OS_LINUX) || \ 110 (!defined(__i386__) && !defined(__x86_64__) && !defined(__arm__)) 111 void ResetChildSignalHandlersToDefaults() { 112 // The previous signal handlers are likely to be meaningless in the child's 113 // context so we reset them to the defaults for now. http://crbug.com/44953 114 // These signal handlers are set up at least in browser_main_posix.cc: 115 // BrowserMainPartsPosix::PreEarlyInitialization and stack_trace_posix.cc: 116 // EnableInProcessStackDumping. 117 signal(SIGHUP, SIG_DFL); 118 signal(SIGINT, SIG_DFL); 119 signal(SIGILL, SIG_DFL); 120 signal(SIGABRT, SIG_DFL); 121 signal(SIGFPE, SIG_DFL); 122 signal(SIGBUS, SIG_DFL); 123 signal(SIGSEGV, SIG_DFL); 124 signal(SIGSYS, SIG_DFL); 125 signal(SIGTERM, SIG_DFL); 126 } 127 128 #else 129 130 // TODO(jln): remove the Linux special case once kernels are fixed. 131 132 // Internally the kernel makes sigset_t an array of long large enough to have 133 // one bit per signal. 134 typedef uint64_t kernel_sigset_t; 135 136 // This is what struct sigaction looks like to the kernel at least on X86 and 137 // ARM. MIPS, for instance, is very different. 138 struct kernel_sigaction { 139 void* k_sa_handler; // For this usage it only needs to be a generic pointer. 140 unsigned long k_sa_flags; 141 void* k_sa_restorer; // For this usage it only needs to be a generic pointer. 142 kernel_sigset_t k_sa_mask; 143 }; 144 145 // glibc's sigaction() will prevent access to sa_restorer, so we need to roll 146 // our own. 147 int sys_rt_sigaction(int sig, const struct kernel_sigaction* act, 148 struct kernel_sigaction* oact) { 149 return syscall(SYS_rt_sigaction, sig, act, oact, sizeof(kernel_sigset_t)); 150 } 151 152 // This function is intended to be used in between fork() and execve() and will 153 // reset all signal handlers to the default. 154 // The motivation for going through all of them is that sa_restorer can leak 155 // from parents and help defeat ASLR on buggy kernels. We reset it to null. 156 // See crbug.com/177956. 157 void ResetChildSignalHandlersToDefaults(void) { 158 for (int signum = 1; ; ++signum) { 159 #if defined(ANDROID) 160 struct kernel_sigaction act; 161 memset(&act, 0, sizeof(act)); 162 #else 163 struct kernel_sigaction act = {0}; 164 #endif 165 int sigaction_get_ret = sys_rt_sigaction(signum, nullptr, &act); 166 if (sigaction_get_ret && errno == EINVAL) { 167 #if !defined(NDEBUG) 168 // Linux supports 32 real-time signals from 33 to 64. 169 // If the number of signals in the Linux kernel changes, someone should 170 // look at this code. 171 const int kNumberOfSignals = 64; 172 RAW_CHECK(signum == kNumberOfSignals + 1); 173 #endif // !defined(NDEBUG) 174 break; 175 } 176 // All other failures are fatal. 177 if (sigaction_get_ret) { 178 RAW_LOG(FATAL, "sigaction (get) failed."); 179 } 180 181 // The kernel won't allow to re-set SIGKILL or SIGSTOP. 182 if (signum != SIGSTOP && signum != SIGKILL) { 183 act.k_sa_handler = reinterpret_cast<void*>(SIG_DFL); 184 act.k_sa_restorer = nullptr; 185 if (sys_rt_sigaction(signum, &act, nullptr)) { 186 RAW_LOG(FATAL, "sigaction (set) failed."); 187 } 188 } 189 #if !defined(NDEBUG) 190 // Now ask the kernel again and check that no restorer will leak. 191 if (sys_rt_sigaction(signum, nullptr, &act) || act.k_sa_restorer) { 192 RAW_LOG(FATAL, "Cound not fix sa_restorer."); 193 } 194 #endif // !defined(NDEBUG) 195 } 196 } 197 #endif // !defined(OS_LINUX) || 198 // (!defined(__i386__) && !defined(__x86_64__) && !defined(__arm__)) 199 } // anonymous namespace 200 201 // Functor for |ScopedDIR| (below). 202 struct ScopedDIRClose { 203 inline void operator()(DIR* x) const { 204 if (x) 205 closedir(x); 206 } 207 }; 208 209 // Automatically closes |DIR*|s. 210 typedef std::unique_ptr<DIR, ScopedDIRClose> ScopedDIR; 211 212 #if defined(OS_LINUX) 213 static const char kFDDir[] = "/proc/self/fd"; 214 #elif defined(OS_MACOSX) 215 static const char kFDDir[] = "/dev/fd"; 216 #elif defined(OS_SOLARIS) 217 static const char kFDDir[] = "/dev/fd"; 218 #elif defined(OS_FREEBSD) 219 static const char kFDDir[] = "/dev/fd"; 220 #elif defined(OS_OPENBSD) 221 static const char kFDDir[] = "/dev/fd"; 222 #elif defined(OS_ANDROID) 223 static const char kFDDir[] = "/proc/self/fd"; 224 #endif 225 226 void CloseSuperfluousFds(const base::InjectiveMultimap& saved_mapping) { 227 // DANGER: no calls to malloc or locks are allowed from now on: 228 // http://crbug.com/36678 229 230 // Get the maximum number of FDs possible. 231 size_t max_fds = GetMaxFds(); 232 233 DirReaderPosix fd_dir(kFDDir); 234 if (!fd_dir.IsValid()) { 235 // Fallback case: Try every possible fd. 236 for (size_t i = 0; i < max_fds; ++i) { 237 const int fd = static_cast<int>(i); 238 if (fd == STDIN_FILENO || fd == STDOUT_FILENO || fd == STDERR_FILENO) 239 continue; 240 // Cannot use STL iterators here, since debug iterators use locks. 241 size_t j; 242 for (j = 0; j < saved_mapping.size(); j++) { 243 if (fd == saved_mapping[j].dest) 244 break; 245 } 246 if (j < saved_mapping.size()) 247 continue; 248 249 // Since we're just trying to close anything we can find, 250 // ignore any error return values of close(). 251 close(fd); 252 } 253 return; 254 } 255 256 const int dir_fd = fd_dir.fd(); 257 258 for ( ; fd_dir.Next(); ) { 259 // Skip . and .. entries. 260 if (fd_dir.name()[0] == '.') 261 continue; 262 263 char *endptr; 264 errno = 0; 265 const long int fd = strtol(fd_dir.name(), &endptr, 10); 266 if (fd_dir.name()[0] == 0 || *endptr || fd < 0 || errno) 267 continue; 268 if (fd == STDIN_FILENO || fd == STDOUT_FILENO || fd == STDERR_FILENO) 269 continue; 270 // Cannot use STL iterators here, since debug iterators use locks. 271 size_t i; 272 for (i = 0; i < saved_mapping.size(); i++) { 273 if (fd == saved_mapping[i].dest) 274 break; 275 } 276 if (i < saved_mapping.size()) 277 continue; 278 if (fd == dir_fd) 279 continue; 280 281 // When running under Valgrind, Valgrind opens several FDs for its 282 // own use and will complain if we try to close them. All of 283 // these FDs are >= |max_fds|, so we can check against that here 284 // before closing. See https://bugs.kde.org/show_bug.cgi?id=191758 285 if (fd < static_cast<int>(max_fds)) { 286 int ret = IGNORE_EINTR(close(fd)); 287 DPCHECK(ret == 0); 288 } 289 } 290 } 291 292 Process LaunchProcess(const CommandLine& cmdline, 293 const LaunchOptions& options) { 294 return LaunchProcess(cmdline.argv(), options); 295 } 296 297 Process LaunchProcess(const std::vector<std::string>& argv, 298 const LaunchOptions& options) { 299 size_t fd_shuffle_size = 0; 300 if (options.fds_to_remap) { 301 fd_shuffle_size = options.fds_to_remap->size(); 302 } 303 304 InjectiveMultimap fd_shuffle1; 305 InjectiveMultimap fd_shuffle2; 306 fd_shuffle1.reserve(fd_shuffle_size); 307 fd_shuffle2.reserve(fd_shuffle_size); 308 309 std::unique_ptr<char* []> argv_cstr(new char*[argv.size() + 1]); 310 for (size_t i = 0; i < argv.size(); i++) { 311 argv_cstr[i] = const_cast<char*>(argv[i].c_str()); 312 } 313 argv_cstr[argv.size()] = nullptr; 314 315 std::unique_ptr<char* []> new_environ; 316 char* const empty_environ = nullptr; 317 char* const* old_environ = GetEnvironment(); 318 if (options.clear_environ) 319 old_environ = &empty_environ; 320 if (!options.environ.empty()) 321 new_environ = AlterEnvironment(old_environ, options.environ); 322 323 sigset_t full_sigset; 324 sigfillset(&full_sigset); 325 const sigset_t orig_sigmask = SetSignalMask(full_sigset); 326 327 const char* current_directory = nullptr; 328 if (!options.current_directory.empty()) { 329 current_directory = options.current_directory.value().c_str(); 330 } 331 332 pid_t pid; 333 #if defined(OS_LINUX) 334 if (options.clone_flags) { 335 // Signal handling in this function assumes the creation of a new 336 // process, so we check that a thread is not being created by mistake 337 // and that signal handling follows the process-creation rules. 338 RAW_CHECK( 339 !(options.clone_flags & (CLONE_SIGHAND | CLONE_THREAD | CLONE_VM))); 340 341 // We specify a null ptid and ctid. 342 RAW_CHECK( 343 !(options.clone_flags & 344 (CLONE_CHILD_CLEARTID | CLONE_CHILD_SETTID | CLONE_PARENT_SETTID))); 345 346 // Since we use waitpid, we do not support custom termination signals in the 347 // clone flags. 348 RAW_CHECK((options.clone_flags & 0xff) == 0); 349 350 pid = ForkWithFlags(options.clone_flags | SIGCHLD, nullptr, nullptr); 351 } else 352 #endif 353 { 354 pid = fork(); 355 } 356 357 // Always restore the original signal mask in the parent. 358 if (pid != 0) { 359 SetSignalMask(orig_sigmask); 360 } 361 362 if (pid < 0) { 363 DPLOG(ERROR) << "fork"; 364 return Process(); 365 } else if (pid == 0) { 366 // Child process 367 368 // DANGER: no calls to malloc or locks are allowed from now on: 369 // http://crbug.com/36678 370 371 // DANGER: fork() rule: in the child, if you don't end up doing exec*(), 372 // you call _exit() instead of exit(). This is because _exit() does not 373 // call any previously-registered (in the parent) exit handlers, which 374 // might do things like block waiting for threads that don't even exist 375 // in the child. 376 377 // If a child process uses the readline library, the process block forever. 378 // In BSD like OSes including OS X it is safe to assign /dev/null as stdin. 379 // See http://crbug.com/56596. 380 base::ScopedFD null_fd(HANDLE_EINTR(open("/dev/null", O_RDONLY))); 381 if (!null_fd.is_valid()) { 382 RAW_LOG(ERROR, "Failed to open /dev/null"); 383 _exit(127); 384 } 385 386 int new_fd = HANDLE_EINTR(dup2(null_fd.get(), STDIN_FILENO)); 387 if (new_fd != STDIN_FILENO) { 388 RAW_LOG(ERROR, "Failed to dup /dev/null for stdin"); 389 _exit(127); 390 } 391 392 if (options.new_process_group) { 393 // Instead of inheriting the process group ID of the parent, the child 394 // starts off a new process group with pgid equal to its process ID. 395 if (setpgid(0, 0) < 0) { 396 RAW_LOG(ERROR, "setpgid failed"); 397 _exit(127); 398 } 399 } 400 401 if (options.maximize_rlimits) { 402 // Some resource limits need to be maximal in this child. 403 for (size_t i = 0; i < options.maximize_rlimits->size(); ++i) { 404 const int resource = (*options.maximize_rlimits)[i]; 405 struct rlimit limit; 406 if (getrlimit(resource, &limit) < 0) { 407 RAW_LOG(WARNING, "getrlimit failed"); 408 } else if (limit.rlim_cur < limit.rlim_max) { 409 limit.rlim_cur = limit.rlim_max; 410 if (setrlimit(resource, &limit) < 0) { 411 RAW_LOG(WARNING, "setrlimit failed"); 412 } 413 } 414 } 415 } 416 417 #if defined(OS_MACOSX) 418 RestoreDefaultExceptionHandler(); 419 #endif // defined(OS_MACOSX) 420 421 ResetChildSignalHandlersToDefaults(); 422 SetSignalMask(orig_sigmask); 423 424 #if 0 425 // When debugging it can be helpful to check that we really aren't making 426 // any hidden calls to malloc. 427 void *malloc_thunk = 428 reinterpret_cast<void*>(reinterpret_cast<intptr_t>(malloc) & ~4095); 429 mprotect(malloc_thunk, 4096, PROT_READ | PROT_WRITE | PROT_EXEC); 430 memset(reinterpret_cast<void*>(malloc), 0xff, 8); 431 #endif // 0 432 433 #if defined(OS_CHROMEOS) 434 if (options.ctrl_terminal_fd >= 0) { 435 // Set process' controlling terminal. 436 if (HANDLE_EINTR(setsid()) != -1) { 437 if (HANDLE_EINTR( 438 ioctl(options.ctrl_terminal_fd, TIOCSCTTY, nullptr)) == -1) { 439 RAW_LOG(WARNING, "ioctl(TIOCSCTTY), ctrl terminal not set"); 440 } 441 } else { 442 RAW_LOG(WARNING, "setsid failed, ctrl terminal not set"); 443 } 444 } 445 #endif // defined(OS_CHROMEOS) 446 447 if (options.fds_to_remap) { 448 // Cannot use STL iterators here, since debug iterators use locks. 449 for (size_t i = 0; i < options.fds_to_remap->size(); ++i) { 450 const FileHandleMappingVector::value_type& value = 451 (*options.fds_to_remap)[i]; 452 fd_shuffle1.push_back(InjectionArc(value.first, value.second, false)); 453 fd_shuffle2.push_back(InjectionArc(value.first, value.second, false)); 454 } 455 } 456 457 if (!options.environ.empty() || options.clear_environ) 458 SetEnvironment(new_environ.get()); 459 460 // fd_shuffle1 is mutated by this call because it cannot malloc. 461 if (!ShuffleFileDescriptors(&fd_shuffle1)) 462 _exit(127); 463 464 CloseSuperfluousFds(fd_shuffle2); 465 466 // Set NO_NEW_PRIVS by default. Since NO_NEW_PRIVS only exists in kernel 467 // 3.5+, do not check the return value of prctl here. 468 #if defined(OS_LINUX) 469 #ifndef PR_SET_NO_NEW_PRIVS 470 #define PR_SET_NO_NEW_PRIVS 38 471 #endif 472 if (!options.allow_new_privs) { 473 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) && errno != EINVAL) { 474 // Only log if the error is not EINVAL (i.e. not supported). 475 RAW_LOG(FATAL, "prctl(PR_SET_NO_NEW_PRIVS) failed"); 476 } 477 } 478 479 if (options.kill_on_parent_death) { 480 if (prctl(PR_SET_PDEATHSIG, SIGKILL) != 0) { 481 RAW_LOG(ERROR, "prctl(PR_SET_PDEATHSIG) failed"); 482 _exit(127); 483 } 484 } 485 #endif 486 487 if (current_directory != nullptr) { 488 RAW_CHECK(chdir(current_directory) == 0); 489 } 490 491 if (options.pre_exec_delegate != nullptr) { 492 options.pre_exec_delegate->RunAsyncSafe(); 493 } 494 495 execvp(argv_cstr[0], argv_cstr.get()); 496 497 RAW_LOG(ERROR, "LaunchProcess: failed to execvp:"); 498 RAW_LOG(ERROR, argv_cstr[0]); 499 _exit(127); 500 } else { 501 // Parent process 502 if (options.wait) { 503 // While this isn't strictly disk IO, waiting for another process to 504 // finish is the sort of thing ThreadRestrictions is trying to prevent. 505 base::ThreadRestrictions::AssertIOAllowed(); 506 pid_t ret = HANDLE_EINTR(waitpid(pid, 0, 0)); 507 DPCHECK(ret > 0); 508 } 509 } 510 511 return Process(pid); 512 } 513 514 void RaiseProcessToHighPriority() { 515 // On POSIX, we don't actually do anything here. We could try to nice() or 516 // setpriority() or sched_getscheduler, but these all require extra rights. 517 } 518 519 // Executes the application specified by |argv| and wait for it to exit. Stores 520 // the output (stdout) in |output|. If |do_search_path| is set, it searches the 521 // path for the application; in that case, |envp| must be null, and it will use 522 // the current environment. If |do_search_path| is false, |argv[0]| should fully 523 // specify the path of the application, and |envp| will be used as the 524 // environment. If |include_stderr| is true, includes stderr otherwise redirects 525 // it to /dev/null. 526 // The return value of the function indicates success or failure. In the case of 527 // success, the application exit code will be returned in |*exit_code|, which 528 // should be checked to determine if the application ran successfully. 529 static bool GetAppOutputInternal( 530 const std::vector<std::string>& argv, 531 char* const envp[], 532 bool include_stderr, 533 std::string* output, 534 bool do_search_path, 535 int* exit_code) { 536 // Doing a blocking wait for another command to finish counts as IO. 537 base::ThreadRestrictions::AssertIOAllowed(); 538 // exit_code must be supplied so calling function can determine success. 539 DCHECK(exit_code); 540 *exit_code = EXIT_FAILURE; 541 542 int pipe_fd[2]; 543 pid_t pid; 544 InjectiveMultimap fd_shuffle1, fd_shuffle2; 545 std::unique_ptr<char* []> argv_cstr(new char*[argv.size() + 1]); 546 547 fd_shuffle1.reserve(3); 548 fd_shuffle2.reserve(3); 549 550 // Either |do_search_path| should be false or |envp| should be null, but not 551 // both. 552 DCHECK(!do_search_path ^ !envp); 553 554 if (pipe(pipe_fd) < 0) 555 return false; 556 557 switch (pid = fork()) { 558 case -1: // error 559 close(pipe_fd[0]); 560 close(pipe_fd[1]); 561 return false; 562 case 0: // child 563 { 564 // DANGER: no calls to malloc or locks are allowed from now on: 565 // http://crbug.com/36678 566 567 #if defined(OS_MACOSX) 568 RestoreDefaultExceptionHandler(); 569 #endif 570 571 // Obscure fork() rule: in the child, if you don't end up doing exec*(), 572 // you call _exit() instead of exit(). This is because _exit() does not 573 // call any previously-registered (in the parent) exit handlers, which 574 // might do things like block waiting for threads that don't even exist 575 // in the child. 576 int dev_null = open("/dev/null", O_WRONLY); 577 if (dev_null < 0) 578 _exit(127); 579 580 fd_shuffle1.push_back(InjectionArc(pipe_fd[1], STDOUT_FILENO, true)); 581 fd_shuffle1.push_back(InjectionArc( 582 include_stderr ? pipe_fd[1] : dev_null, 583 STDERR_FILENO, true)); 584 fd_shuffle1.push_back(InjectionArc(dev_null, STDIN_FILENO, true)); 585 // Adding another element here? Remeber to increase the argument to 586 // reserve(), above. 587 588 for (size_t i = 0; i < fd_shuffle1.size(); ++i) 589 fd_shuffle2.push_back(fd_shuffle1[i]); 590 591 if (!ShuffleFileDescriptors(&fd_shuffle1)) 592 _exit(127); 593 594 CloseSuperfluousFds(fd_shuffle2); 595 596 for (size_t i = 0; i < argv.size(); i++) 597 argv_cstr[i] = const_cast<char*>(argv[i].c_str()); 598 argv_cstr[argv.size()] = nullptr; 599 if (do_search_path) 600 execvp(argv_cstr[0], argv_cstr.get()); 601 else 602 execve(argv_cstr[0], argv_cstr.get(), envp); 603 _exit(127); 604 } 605 default: // parent 606 { 607 // Close our writing end of pipe now. Otherwise later read would not 608 // be able to detect end of child's output (in theory we could still 609 // write to the pipe). 610 close(pipe_fd[1]); 611 612 output->clear(); 613 614 while (true) { 615 char buffer[256]; 616 ssize_t bytes_read = 617 HANDLE_EINTR(read(pipe_fd[0], buffer, sizeof(buffer))); 618 if (bytes_read <= 0) 619 break; 620 output->append(buffer, bytes_read); 621 } 622 close(pipe_fd[0]); 623 624 // Always wait for exit code (even if we know we'll declare 625 // GOT_MAX_OUTPUT). 626 Process process(pid); 627 return process.WaitForExit(exit_code); 628 } 629 } 630 } 631 632 bool GetAppOutput(const CommandLine& cl, std::string* output) { 633 return GetAppOutput(cl.argv(), output); 634 } 635 636 bool GetAppOutput(const std::vector<std::string>& argv, std::string* output) { 637 // Run |execve()| with the current environment. 638 int exit_code; 639 bool result = 640 GetAppOutputInternal(argv, nullptr, false, output, true, &exit_code); 641 return result && exit_code == EXIT_SUCCESS; 642 } 643 644 bool GetAppOutputAndError(const CommandLine& cl, std::string* output) { 645 // Run |execve()| with the current environment. 646 int exit_code; 647 bool result = 648 GetAppOutputInternal(cl.argv(), nullptr, true, output, true, &exit_code); 649 return result && exit_code == EXIT_SUCCESS; 650 } 651 652 bool GetAppOutputWithExitCode(const CommandLine& cl, 653 std::string* output, 654 int* exit_code) { 655 // Run |execve()| with the current environment. 656 return GetAppOutputInternal(cl.argv(), nullptr, false, output, true, 657 exit_code); 658 } 659 660 #endif // !defined(OS_NACL_NONSFI) 661 662 #if defined(OS_LINUX) || defined(OS_NACL_NONSFI) 663 namespace { 664 665 bool IsRunningOnValgrind() { 666 return RUNNING_ON_VALGRIND; 667 } 668 669 // This function runs on the stack specified on the clone call. It uses longjmp 670 // to switch back to the original stack so the child can return from sys_clone. 671 int CloneHelper(void* arg) { 672 jmp_buf* env_ptr = reinterpret_cast<jmp_buf*>(arg); 673 longjmp(*env_ptr, 1); 674 675 // Should not be reached. 676 RAW_CHECK(false); 677 return 1; 678 } 679 680 // This function is noinline to ensure that stack_buf is below the stack pointer 681 // that is saved when setjmp is called below. This is needed because when 682 // compiled with FORTIFY_SOURCE, glibc's longjmp checks that the stack is moved 683 // upwards. See crbug.com/442912 for more details. 684 #if defined(ADDRESS_SANITIZER) 685 // Disable AddressSanitizer instrumentation for this function to make sure 686 // |stack_buf| is allocated on thread stack instead of ASan's fake stack. 687 // Under ASan longjmp() will attempt to clean up the area between the old and 688 // new stack pointers and print a warning that may confuse the user. 689 __attribute__((no_sanitize_address)) 690 #endif 691 NOINLINE pid_t CloneAndLongjmpInChild(unsigned long flags, 692 pid_t* ptid, 693 pid_t* ctid, 694 jmp_buf* env) { 695 // We use the libc clone wrapper instead of making the syscall 696 // directly because making the syscall may fail to update the libc's 697 // internal pid cache. The libc interface unfortunately requires 698 // specifying a new stack, so we use setjmp/longjmp to emulate 699 // fork-like behavior. 700 char stack_buf[PTHREAD_STACK_MIN] ALIGNAS(16); 701 #if defined(ARCH_CPU_X86_FAMILY) || defined(ARCH_CPU_ARM_FAMILY) || \ 702 defined(ARCH_CPU_MIPS_FAMILY) 703 // The stack grows downward. 704 void* stack = stack_buf + sizeof(stack_buf); 705 #else 706 #error "Unsupported architecture" 707 #endif 708 return clone(&CloneHelper, stack, flags, env, ptid, nullptr, ctid); 709 } 710 711 } // anonymous namespace 712 713 pid_t ForkWithFlags(unsigned long flags, pid_t* ptid, pid_t* ctid) { 714 const bool clone_tls_used = flags & CLONE_SETTLS; 715 const bool invalid_ctid = 716 (flags & (CLONE_CHILD_SETTID | CLONE_CHILD_CLEARTID)) && !ctid; 717 const bool invalid_ptid = (flags & CLONE_PARENT_SETTID) && !ptid; 718 719 // We do not support CLONE_VM. 720 const bool clone_vm_used = flags & CLONE_VM; 721 722 if (clone_tls_used || invalid_ctid || invalid_ptid || clone_vm_used) { 723 RAW_LOG(FATAL, "Invalid usage of ForkWithFlags"); 724 } 725 726 // Valgrind's clone implementation does not support specifiying a child_stack 727 // without CLONE_VM, so we cannot use libc's clone wrapper when running under 728 // Valgrind. As a result, the libc pid cache may be incorrect under Valgrind. 729 // See crbug.com/442817 for more details. 730 if (IsRunningOnValgrind()) { 731 // See kernel/fork.c in Linux. There is different ordering of sys_clone 732 // parameters depending on CONFIG_CLONE_BACKWARDS* configuration options. 733 #if defined(ARCH_CPU_X86_64) 734 return syscall(__NR_clone, flags, nullptr, ptid, ctid, nullptr); 735 #elif defined(ARCH_CPU_X86) || defined(ARCH_CPU_ARM_FAMILY) || \ 736 defined(ARCH_CPU_MIPS_FAMILY) 737 // CONFIG_CLONE_BACKWARDS defined. 738 return syscall(__NR_clone, flags, nullptr, ptid, nullptr, ctid); 739 #else 740 #error "Unsupported architecture" 741 #endif 742 } 743 744 jmp_buf env; 745 if (setjmp(env) == 0) { 746 return CloneAndLongjmpInChild(flags, ptid, ctid, &env); 747 } 748 749 return 0; 750 } 751 #endif // defined(OS_LINUX) || defined(OS_NACL_NONSFI) 752 753 } // namespace base 754
