use self::Req::*;
use collections::HashMap;
+#[cfg(stage0)]
use collections::hash_map::Hasher;
use ffi::CString;
use hash::Hash;
mkerr_libc(r)
}
+ #[cfg(stage0)]
pub fn spawn<K, V, C, P>(cfg: &C, in_fd: Option<P>,
out_fd: Option<P>, err_fd: Option<P>)
-> IoResult<Process>
K: BytesContainer + Eq + Hash<Hasher>, V: BytesContainer
{
use libc::funcs::posix88::unistd::{fork, dup2, close, chdir, execvp};
+
+ mod rustrt {
+ extern {
+ pub fn rust_unset_sigprocmask();
+ }
+ }
+
+ #[cfg(all(target_os = "android", target_arch = "aarch64"))]
+ unsafe fn getdtablesize() -> c_int {
+ libc::sysconf(libc::consts::os::sysconf::_SC_OPEN_MAX) as c_int
+ }
+ #[cfg(not(all(target_os = "android", target_arch = "aarch64")))]
+ unsafe fn getdtablesize() -> c_int {
+ libc::funcs::bsd44::getdtablesize()
+ }
+
+ unsafe fn set_cloexec(fd: c_int) {
+ let ret = c::ioctl(fd, c::FIOCLEX);
+ assert_eq!(ret, 0);
+ }
+
+ let dirp = cfg.cwd().map(|c| c.as_ptr()).unwrap_or(ptr::null());
+
+ // temporary until unboxed closures land
+ let cfg = unsafe {
+ mem::transmute::<&ProcessConfig<K,V>,&'static ProcessConfig<K,V>>(cfg)
+ };
+
+ with_envp(cfg.env(), move|envp: *const c_void| {
+ with_argv(cfg.program(), cfg.args(), move|argv: *const *const libc::c_char| unsafe {
+ let (input, mut output) = try!(sys::os::pipe());
+
+ // We may use this in the child, so perform allocations before the
+ // fork
+ let devnull = b"/dev/null\0";
+
+ set_cloexec(output.fd());
+
+ let pid = fork();
+ if pid < 0 {
+ return Err(super::last_error())
+ } else if pid > 0 {
+ #[inline]
+ fn combine(arr: &[u8]) -> i32 {
+ let a = arr[0] as u32;
+ let b = arr[1] as u32;
+ let c = arr[2] as u32;
+ let d = arr[3] as u32;
+
+ ((a << 24) | (b << 16) | (c << 8) | (d << 0)) as i32
+ }
+
+ let p = Process{ pid: pid };
+ drop(output);
+ let mut bytes = [0; 8];
+ return match input.read(&mut bytes) {
+ Ok(8) => {
+ assert!(combine(CLOEXEC_MSG_FOOTER) == combine(&bytes[4.. 8]),
+ "Validation on the CLOEXEC pipe failed: {:?}", bytes);
+ let errno = combine(&bytes[0.. 4]);
+ assert!(p.wait(0).is_ok(), "wait(0) should either return Ok or panic");
+ Err(super::decode_error(errno))
+ }
+ Err(ref e) if e.kind == EndOfFile => Ok(p),
+ Err(e) => {
+ assert!(p.wait(0).is_ok(), "wait(0) should either return Ok or panic");
+ panic!("the CLOEXEC pipe failed: {:?}", e)
+ },
+ Ok(..) => { // pipe I/O up to PIPE_BUF bytes should be atomic
+ assert!(p.wait(0).is_ok(), "wait(0) should either return Ok or panic");
+ panic!("short read on the CLOEXEC pipe")
+ }
+ };
+ }
+
+ // And at this point we've reached a special time in the life of the
+ // child. The child must now be considered hamstrung and unable to
+ // do anything other than syscalls really. Consider the following
+ // scenario:
+ //
+ // 1. Thread A of process 1 grabs the malloc() mutex
+ // 2. Thread B of process 1 forks(), creating thread C
+ // 3. Thread C of process 2 then attempts to malloc()
+ // 4. The memory of process 2 is the same as the memory of
+ // process 1, so the mutex is locked.
+ //
+ // This situation looks a lot like deadlock, right? It turns out
+ // that this is what pthread_atfork() takes care of, which is
+ // presumably implemented across platforms. The first thing that
+ // threads to *before* forking is to do things like grab the malloc
+ // mutex, and then after the fork they unlock it.
+ //
+ // Despite this information, libnative's spawn has been witnessed to
+ // deadlock on both OSX and FreeBSD. I'm not entirely sure why, but
+ // all collected backtraces point at malloc/free traffic in the
+ // child spawned process.
+ //
+ // For this reason, the block of code below should contain 0
+ // invocations of either malloc of free (or their related friends).
+ //
+ // As an example of not having malloc/free traffic, we don't close
+ // this file descriptor by dropping the FileDesc (which contains an
+ // allocation). Instead we just close it manually. This will never
+ // have the drop glue anyway because this code never returns (the
+ // child will either exec() or invoke libc::exit)
+ let _ = libc::close(input.fd());
+
+ fn fail(output: &mut FileDesc) -> ! {
+ let errno = sys::os::errno() as u32;
+ let bytes = [
+ (errno >> 24) as u8,
+ (errno >> 16) as u8,
+ (errno >> 8) as u8,
+ (errno >> 0) as u8,
+ CLOEXEC_MSG_FOOTER[0], CLOEXEC_MSG_FOOTER[1],
+ CLOEXEC_MSG_FOOTER[2], CLOEXEC_MSG_FOOTER[3]
+ ];
+ // pipe I/O up to PIPE_BUF bytes should be atomic
+ assert!(output.write(&bytes).is_ok());
+ unsafe { libc::_exit(1) }
+ }
+
+ rustrt::rust_unset_sigprocmask();
+
+ // If a stdio file descriptor is set to be ignored (via a -1 file
+ // descriptor), then we don't actually close it, but rather open
+ // up /dev/null into that file descriptor. Otherwise, the first file
+ // descriptor opened up in the child would be numbered as one of the
+ // stdio file descriptors, which is likely to wreak havoc.
+ let setup = |src: Option<P>, dst: c_int| {
+ let src = match src {
+ None => {
+ let flags = if dst == libc::STDIN_FILENO {
+ libc::O_RDONLY
+ } else {
+ libc::O_RDWR
+ };
+ libc::open(devnull.as_ptr() as *const _, flags, 0)
+ }
+ Some(obj) => {
+ let fd = obj.as_inner().fd();
+ // Leak the memory and the file descriptor. We're in the
+ // child now an all our resources are going to be
+ // cleaned up very soon
+ mem::forget(obj);
+ fd
+ }
+ };
+ src != -1 && retry(|| dup2(src, dst)) != -1
+ };
+
+ if !setup(in_fd, libc::STDIN_FILENO) { fail(&mut output) }
+ if !setup(out_fd, libc::STDOUT_FILENO) { fail(&mut output) }
+ if !setup(err_fd, libc::STDERR_FILENO) { fail(&mut output) }
+
+ // close all other fds
+ for fd in (3..getdtablesize()).rev() {
+ if fd != output.fd() {
+ let _ = close(fd as c_int);
+ }
+ }
+
+ match cfg.gid() {
+ Some(u) => {
+ if libc::setgid(u as libc::gid_t) != 0 {
+ fail(&mut output);
+ }
+ }
+ None => {}
+ }
+ match cfg.uid() {
+ Some(u) => {
+ // When dropping privileges from root, the `setgroups` call
+ // will remove any extraneous groups. If we don't call this,
+ // then even though our uid has dropped, we may still have
+ // groups that enable us to do super-user things. This will
+ // fail if we aren't root, so don't bother checking the
+ // return value, this is just done as an optimistic
+ // privilege dropping function.
+ extern {
+ fn setgroups(ngroups: libc::c_int,
+ ptr: *const libc::c_void) -> libc::c_int;
+ }
+ let _ = setgroups(0, ptr::null());
+
+ if libc::setuid(u as libc::uid_t) != 0 {
+ fail(&mut output);
+ }
+ }
+ None => {}
+ }
+ if cfg.detach() {
+ // Don't check the error of setsid because it fails if we're the
+ // process leader already. We just forked so it shouldn't return
+ // error, but ignore it anyway.
+ let _ = libc::setsid();
+ }
+ if !dirp.is_null() && chdir(dirp) == -1 {
+ fail(&mut output);
+ }
+ if !envp.is_null() {
+ *sys::os::environ() = envp as *const _;
+ }
+ let _ = execvp(*argv, argv as *mut _);
+ fail(&mut output);
+ })
+ })
+ }
+ #[cfg(not(stage0))]
+ pub fn spawn<K, V, C, P>(cfg: &C, in_fd: Option<P>,
+ out_fd: Option<P>, err_fd: Option<P>)
+ -> IoResult<Process>
+ where C: ProcessConfig<K, V>, P: AsInner<FileDesc>,
+ K: BytesContainer + Eq + Hash, V: BytesContainer
+ {
+ use libc::funcs::posix88::unistd::{fork, dup2, close, chdir, execvp};
use libc::funcs::bsd44::getdtablesize;
mod rustrt {
cb(ptrs.as_ptr())
}
+#[cfg(stage0)]
fn with_envp<K,V,T,F>(env: Option<&HashMap<K, V>>,
cb: F)
-> T
_ => cb(ptr::null())
}
}
+#[cfg(not(stage0))]
+fn with_envp<K,V,T,F>(env: Option<&HashMap<K, V>>,
+ cb: F)
+ -> T
+ where F : FnOnce(*const c_void) -> T,
+ K : BytesContainer + Eq + Hash,
+ V : BytesContainer
+{
+ // On posixy systems we can pass a char** for envp, which is a
+ // null-terminated array of "k=v\0" strings. Since we must create
+ // these strings locally, yet expose a raw pointer to them, we
+ // create a temporary vector to own the CStrings that outlives the
+ // call to cb.
+ match env {
+ Some(env) => {
+ let mut tmps = Vec::with_capacity(env.len());
+
+ for pair in env {
+ let mut kv = Vec::new();
+ kv.push_all(pair.0.container_as_bytes());
+ kv.push('=' as u8);
+ kv.push_all(pair.1.container_as_bytes());
+ kv.push(0); // terminating null
+ tmps.push(kv);
+ }
+
+ // As with `with_argv`, this is unsafe, since cb could leak the pointers.
+ let mut ptrs: Vec<*const libc::c_char> =
+ tmps.iter()
+ .map(|tmp| tmp.as_ptr() as *const libc::c_char)
+ .collect();
+ ptrs.push(ptr::null());
+
+ cb(ptrs.as_ptr() as *const c_void)
+ }
+ _ => cb(ptr::null())
+ }
+}
fn translate_status(status: c_int) -> ProcessExit {
#![allow(non_snake_case)]
target_os = "ios",
target_os = "freebsd",
target_os = "dragonfly",
+ target_os = "bitrig",
target_os = "openbsd"))]
mod imp {
pub fn WIFEXITED(status: i32) -> bool { (status & 0x7f) == 0 }
projects / rust.git / blobdiff