2 * Copyright 2017 Facebook, Inc.
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
21 #include <folly/Subprocess.h>
24 #include <sys/prctl.h>
30 #include <system_error>
32 #include <boost/container/flat_set.hpp>
33 #include <boost/range/adaptors.hpp>
35 #include <glog/logging.h>
37 #include <folly/Assume.h>
38 #include <folly/Conv.h>
39 #include <folly/Exception.h>
40 #include <folly/ScopeGuard.h>
41 #include <folly/Shell.h>
42 #include <folly/String.h>
43 #include <folly/io/Cursor.h>
44 #include <folly/portability/Sockets.h>
45 #include <folly/portability/Stdlib.h>
46 #include <folly/portability/SysSyscall.h>
47 #include <folly/portability/Unistd.h>
49 constexpr int kExecFailure = 127;
50 constexpr int kChildFailure = 126;
54 ProcessReturnCode ProcessReturnCode::make(int status) {
55 if (!WIFEXITED(status) && !WIFSIGNALED(status)) {
56 throw std::runtime_error(
57 to<std::string>("Invalid ProcessReturnCode: ", status));
59 return ProcessReturnCode(status);
62 ProcessReturnCode::ProcessReturnCode(ProcessReturnCode&& p) noexcept
63 : rawStatus_(p.rawStatus_) {
64 p.rawStatus_ = ProcessReturnCode::RV_NOT_STARTED;
67 ProcessReturnCode& ProcessReturnCode::operator=(ProcessReturnCode&& p)
69 rawStatus_ = p.rawStatus_;
70 p.rawStatus_ = ProcessReturnCode::RV_NOT_STARTED;
74 ProcessReturnCode::State ProcessReturnCode::state() const {
75 if (rawStatus_ == RV_NOT_STARTED) return NOT_STARTED;
76 if (rawStatus_ == RV_RUNNING) return RUNNING;
77 if (WIFEXITED(rawStatus_)) return EXITED;
78 if (WIFSIGNALED(rawStatus_)) return KILLED;
82 void ProcessReturnCode::enforce(State expected) const {
85 throw std::logic_error(to<std::string>(
86 "Bad use of ProcessReturnCode; state is ", s, " expected ", expected
91 int ProcessReturnCode::exitStatus() const {
93 return WEXITSTATUS(rawStatus_);
96 int ProcessReturnCode::killSignal() const {
98 return WTERMSIG(rawStatus_);
101 bool ProcessReturnCode::coreDumped() const {
103 return WCOREDUMP(rawStatus_);
106 std::string ProcessReturnCode::str() const {
109 return "not started";
113 return to<std::string>("exited with status ", exitStatus());
115 return to<std::string>("killed by signal ", killSignal(),
116 (coreDumped() ? " (core dumped)" : ""));
118 assume_unreachable();
121 CalledProcessError::CalledProcessError(ProcessReturnCode rc)
122 : SubprocessError(rc.str()), returnCode_(rc) {}
124 static inline std::string toSubprocessSpawnErrorMessage(
125 char const* executable,
128 auto prefix = errCode == kExecFailure ? "failed to execute "
129 : "error preparing to execute ";
130 return to<std::string>(prefix, executable, ": ", errnoStr(errnoValue));
133 SubprocessSpawnError::SubprocessSpawnError(
134 const char* executable,
138 toSubprocessSpawnErrorMessage(executable, errCode, errnoValue)),
139 errnoValue_(errnoValue) {}
143 // Copy pointers to the given strings in a format suitable for posix_spawn
144 std::unique_ptr<const char*[]> cloneStrings(const std::vector<std::string>& s) {
145 std::unique_ptr<const char*[]> d(new const char*[s.size() + 1]);
146 for (size_t i = 0; i < s.size(); i++) {
149 d[s.size()] = nullptr;
153 // Check a wait() status, throw on non-successful
154 void checkStatus(ProcessReturnCode returnCode) {
155 if (returnCode.state() != ProcessReturnCode::EXITED ||
156 returnCode.exitStatus() != 0) {
157 throw CalledProcessError(returnCode);
163 Subprocess::Options& Subprocess::Options::fd(int fd, int action) {
164 if (action == Subprocess::PIPE) {
166 action = Subprocess::PIPE_IN;
167 } else if (fd == 1 || fd == 2) {
168 action = Subprocess::PIPE_OUT;
170 throw std::invalid_argument(
171 to<std::string>("Only fds 0, 1, 2 are valid for action=PIPE: ", fd));
174 fdActions_[fd] = action;
178 Subprocess::Subprocess() {}
180 Subprocess::Subprocess(
181 const std::vector<std::string>& argv,
182 const Options& options,
183 const char* executable,
184 const std::vector<std::string>* env) {
186 throw std::invalid_argument("argv must not be empty");
188 if (!executable) executable = argv[0].c_str();
189 spawn(cloneStrings(argv), executable, options, env);
192 Subprocess::Subprocess(
193 const std::string& cmd,
194 const Options& options,
195 const std::vector<std::string>* env) {
196 if (options.usePath_) {
197 throw std::invalid_argument("usePath() not allowed when running in shell");
200 std::vector<std::string> argv = {"/bin/sh", "-c", cmd};
201 spawn(cloneStrings(argv), argv[0].c_str(), options, env);
204 Subprocess::~Subprocess() {
205 CHECK_NE(returnCode_.state(), ProcessReturnCode::RUNNING)
206 << "Subprocess destroyed without reaping child";
211 struct ChildErrorInfo {
216 [[noreturn]] void childError(int errFd, int errCode, int errnoValue) {
217 ChildErrorInfo info = {errCode, errnoValue};
218 // Write the error information over the pipe to our parent process.
219 // We can't really do anything else if this write call fails.
220 writeNoInt(errFd, &info, sizeof(info));
227 void Subprocess::setAllNonBlocking() {
228 for (auto& p : pipes_) {
229 int fd = p.pipe.fd();
230 int flags = ::fcntl(fd, F_GETFL);
231 checkUnixError(flags, "fcntl");
232 int r = ::fcntl(fd, F_SETFL, flags | O_NONBLOCK);
233 checkUnixError(r, "fcntl");
237 void Subprocess::spawn(
238 std::unique_ptr<const char*[]> argv,
239 const char* executable,
240 const Options& optionsIn,
241 const std::vector<std::string>* env) {
242 if (optionsIn.usePath_ && env) {
243 throw std::invalid_argument(
244 "usePath() not allowed when overriding environment");
247 // Make a copy, we'll mutate options
248 Options options(optionsIn);
250 // On error, close all pipes_ (ignoring errors, but that seems fine here).
251 auto pipesGuard = makeGuard([this] { pipes_.clear(); });
253 // Create a pipe to use to receive error information from the child,
254 // in case it fails before calling exec()
257 checkUnixError(::pipe2(errFds, O_CLOEXEC), "pipe2");
259 checkUnixError(::pipe(errFds), "pipe");
262 CHECK_ERR(::close(errFds[0]));
263 if (errFds[1] >= 0) {
264 CHECK_ERR(::close(errFds[1]));
268 #if !FOLLY_HAVE_PIPE2
269 // Ask the child to close the read end of the error pipe.
270 checkUnixError(fcntl(errFds[0], F_SETFD, FD_CLOEXEC), "set FD_CLOEXEC");
271 // Set the close-on-exec flag on the write side of the pipe.
272 // This way the pipe will be closed automatically in the child if execve()
273 // succeeds. If the exec fails the child can write error information to the
275 checkUnixError(fcntl(errFds[1], F_SETFD, FD_CLOEXEC), "set FD_CLOEXEC");
278 // Perform the actual work of setting up pipes then forking and
279 // executing the child.
280 spawnInternal(std::move(argv), executable, options, env, errFds[1]);
282 // After spawnInternal() returns the child is alive. We have to be very
283 // careful about throwing after this point. We are inside the constructor,
284 // so if we throw the Subprocess object will have never existed, and the
285 // destructor will never be called.
287 // We should only throw if we got an error via the errFd, and we know the
288 // child has exited and can be immediately waited for. In all other cases,
289 // we have no way of cleaning up the child.
291 // Close writable side of the errFd pipe in the parent process
292 CHECK_ERR(::close(errFds[1]));
295 // Read from the errFd pipe, to tell if the child ran into any errors before
297 readChildErrorPipe(errFds[0], executable);
299 // We have fully succeeded now, so release the guard on pipes_
300 pipesGuard.dismiss();
303 void Subprocess::spawnInternal(
304 std::unique_ptr<const char*[]> argv,
305 const char* executable,
307 const std::vector<std::string>* env,
309 // Parent work, pre-fork: create pipes
310 std::vector<int> childFds;
311 // Close all of the childFds as we leave this scope
313 // These are only pipes, closing them shouldn't fail
314 for (int cfd : childFds) {
315 CHECK_ERR(::close(cfd));
320 for (auto& p : options.fdActions_) {
321 if (p.second == PIPE_IN || p.second == PIPE_OUT) {
323 // We're setting both ends of the pipe as close-on-exec. The child
324 // doesn't need to reset the flag on its end, as we always dup2() the fd,
325 // and dup2() fds don't share the close-on-exec flag.
327 // If possible, set close-on-exec atomically. Otherwise, a concurrent
328 // Subprocess invocation can fork() between "pipe" and "fnctl",
329 // causing FDs to leak.
330 r = ::pipe2(fds, O_CLOEXEC);
331 checkUnixError(r, "pipe2");
334 checkUnixError(r, "pipe");
335 r = fcntl(fds[0], F_SETFD, FD_CLOEXEC);
336 checkUnixError(r, "set FD_CLOEXEC");
337 r = fcntl(fds[1], F_SETFD, FD_CLOEXEC);
338 checkUnixError(r, "set FD_CLOEXEC");
340 pipes_.emplace_back();
341 Pipe& pipe = pipes_.back();
342 pipe.direction = p.second;
344 if (p.second == PIPE_IN) {
345 // Child gets reading end
346 pipe.pipe = folly::File(fds[1], /*owns_fd=*/ true);
349 pipe.pipe = folly::File(fds[0], /*owns_fd=*/ true);
352 p.second = cfd; // ensure it gets dup2()ed
353 pipe.childFd = p.first;
354 childFds.push_back(cfd);
358 // This should already be sorted, as options.fdActions_ is
359 DCHECK(std::is_sorted(pipes_.begin(), pipes_.end()));
361 // Note that the const casts below are legit, per
362 // http://pubs.opengroup.org/onlinepubs/009695399/functions/exec.html
364 char** argVec = const_cast<char**>(argv.get());
366 // Set up environment
367 std::unique_ptr<const char*[]> envHolder;
370 envHolder = cloneStrings(*env);
371 envVec = const_cast<char**>(envHolder.get());
376 // Block all signals around vfork; see http://ewontfix.com/7/.
378 // As the child may run in the same address space as the parent until
379 // the actual execve() system call, any (custom) signal handlers that
380 // the parent has might alter parent's memory if invoked in the child,
381 // with undefined results. So we block all signals in the parent before
382 // vfork(), which will cause them to be blocked in the child as well (we
383 // rely on the fact that Linux, just like all sane implementations, only
384 // clones the calling thread). Then, in the child, we reset all signals
385 // to their default dispositions (while still blocked), and unblock them
386 // (so the exec()ed process inherits the parent's signal mask)
388 // The parent also unblocks all signals as soon as vfork() returns.
390 r = sigfillset(&allBlocked);
391 checkUnixError(r, "sigfillset");
394 r = pthread_sigmask(SIG_SETMASK, &allBlocked, &oldSignals);
395 checkPosixError(r, "pthread_sigmask");
397 // Restore signal mask
398 r = pthread_sigmask(SIG_SETMASK, &oldSignals, nullptr);
399 CHECK_EQ(r, 0) << "pthread_sigmask: " << errnoStr(r); // shouldn't fail
402 // Call c_str() here, as it's not necessarily safe after fork.
403 const char* childDir =
404 options.childDir_.empty() ? nullptr : options.childDir_.c_str();
408 if (options.cloneFlags_) {
409 pid = syscall(SYS_clone, *options.cloneFlags_, 0, nullptr, nullptr);
410 checkUnixError(pid, errno, "clone");
414 checkUnixError(pid, errno, "vfork");
419 int errnoValue = prepareChild(options, &oldSignals, childDir);
420 if (errnoValue != 0) {
421 childError(errFd, kChildFailure, errnoValue);
424 errnoValue = runChild(executable, argVec, envVec, options);
425 // If we get here, exec() failed.
426 childError(errFd, kExecFailure, errnoValue);
429 // Child is alive. We have to be very careful about throwing after this
430 // point. We are inside the constructor, so if we throw the Subprocess
431 // object will have never existed, and the destructor will never be called.
433 // We should only throw if we got an error via the errFd, and we know the
434 // child has exited and can be immediately waited for. In all other cases,
435 // we have no way of cleaning up the child.
437 returnCode_ = ProcessReturnCode::makeRunning();
440 int Subprocess::prepareChild(const Options& options,
441 const sigset_t* sigmask,
442 const char* childDir) const {
443 // While all signals are blocked, we must reset their
444 // dispositions to default.
445 for (int sig = 1; sig < NSIG; ++sig) {
446 ::signal(sig, SIG_DFL);
450 // Unblock signals; restore signal mask.
451 int r = pthread_sigmask(SIG_SETMASK, sigmask, nullptr);
453 return r; // pthread_sigmask() returns an errno value
457 // Change the working directory, if one is given
459 if (::chdir(childDir) == -1) {
464 // We don't have to explicitly close the parent's end of all pipes,
465 // as they all have the FD_CLOEXEC flag set and will be closed at
468 // Close all fds that we're supposed to close.
469 for (auto& p : options.fdActions_) {
470 if (p.second == CLOSE) {
471 if (::close(p.first) == -1) {
474 } else if (p.second != p.first) {
475 if (::dup2(p.second, p.first) == -1) {
481 // If requested, close all other file descriptors. Don't close
482 // any fds in options.fdActions_, and don't touch stdin, stdout, stderr.
484 if (options.closeOtherFds_) {
485 for (int fd = getdtablesize() - 1; fd >= 3; --fd) {
486 if (options.fdActions_.count(fd) == 0) {
493 // Opt to receive signal on parent death, if requested
494 if (options.parentDeathSignal_ != 0) {
495 const auto parentDeathSignal =
496 static_cast<unsigned long>(options.parentDeathSignal_);
497 if (prctl(PR_SET_PDEATHSIG, parentDeathSignal, 0, 0, 0) == -1) {
503 if (options.processGroupLeader_) {
504 if (setpgrp() == -1) {
509 // The user callback comes last, so that the child is otherwise all set up.
510 if (options.dangerousPostForkPreExecCallback_) {
511 if (int error = (*options.dangerousPostForkPreExecCallback_)()) {
519 int Subprocess::runChild(const char* executable,
520 char** argv, char** env,
521 const Options& options) const {
522 // Now, finally, exec.
523 if (options.usePath_) {
524 ::execvp(executable, argv);
526 ::execve(executable, argv, env);
531 void Subprocess::readChildErrorPipe(int pfd, const char* executable) {
533 auto rc = readNoInt(pfd, &info, sizeof(info));
535 // No data means the child executed successfully, and the pipe
536 // was closed due to the close-on-exec flag being set.
538 } else if (rc != sizeof(ChildErrorInfo)) {
539 // An error occurred trying to read from the pipe, or we got a partial read.
540 // Neither of these cases should really occur in practice.
542 // We can't get any error data from the child in this case, and we don't
543 // know if it is successfully running or not. All we can do is to return
544 // normally, as if the child executed successfully. If something bad
545 // happened the caller should at least get a non-normal exit status from
547 LOG(ERROR) << "unexpected error trying to read from child error pipe " <<
548 "rc=" << rc << ", errno=" << errno;
552 // We got error data from the child. The child should exit immediately in
553 // this case, so wait on it to clean up.
556 // Throw to signal the error
557 throw SubprocessSpawnError(executable, info.errCode, info.errnoValue);
560 ProcessReturnCode Subprocess::poll(struct rusage* ru) {
561 returnCode_.enforce(ProcessReturnCode::RUNNING);
564 pid_t found = ::wait4(pid_, &status, WNOHANG, ru);
565 // The spec guarantees that EINTR does not occur with WNOHANG, so the only
566 // two remaining errors are ECHILD (other code reaped the child?), or
567 // EINVAL (cosmic rays?), both of which merit an abort:
568 PCHECK(found != -1) << "waitpid(" << pid_ << ", &status, WNOHANG)";
570 // Though the child process had quit, this call does not close the pipes
571 // since its descendants may still be using them.
572 returnCode_ = ProcessReturnCode::make(status);
578 bool Subprocess::pollChecked() {
579 if (poll().state() == ProcessReturnCode::RUNNING) {
582 checkStatus(returnCode_);
586 ProcessReturnCode Subprocess::wait() {
587 returnCode_.enforce(ProcessReturnCode::RUNNING);
592 found = ::waitpid(pid_, &status, 0);
593 } while (found == -1 && errno == EINTR);
594 // The only two remaining errors are ECHILD (other code reaped the
595 // child?), or EINVAL (cosmic rays?), and both merit an abort:
596 PCHECK(found != -1) << "waitpid(" << pid_ << ", &status, WNOHANG)";
597 // Though the child process had quit, this call does not close the pipes
598 // since its descendants may still be using them.
599 DCHECK_EQ(found, pid_);
600 returnCode_ = ProcessReturnCode::make(status);
605 void Subprocess::waitChecked() {
607 checkStatus(returnCode_);
610 void Subprocess::sendSignal(int signal) {
611 returnCode_.enforce(ProcessReturnCode::RUNNING);
612 int r = ::kill(pid_, signal);
613 checkUnixError(r, "kill");
616 pid_t Subprocess::pid() const {
622 ByteRange queueFront(const IOBufQueue& queue) {
623 auto* p = queue.front();
627 return io::Cursor(p).peekBytes();
631 bool handleWrite(int fd, IOBufQueue& queue) {
633 auto b = queueFront(queue);
638 ssize_t n = writeNoInt(fd, b.data(), b.size());
639 if (n == -1 && errno == EAGAIN) {
642 checkUnixError(n, "write");
648 bool handleRead(int fd, IOBufQueue& queue) {
650 auto p = queue.preallocate(100, 65000);
651 ssize_t n = readNoInt(fd, p.first, p.second);
652 if (n == -1 && errno == EAGAIN) {
655 checkUnixError(n, "read");
659 queue.postallocate(n);
663 bool discardRead(int fd) {
664 static const size_t bufSize = 65000;
665 // Thread unsafe, but it doesn't matter.
666 static std::unique_ptr<char[]> buf(new char[bufSize]);
669 ssize_t n = readNoInt(fd, buf.get(), bufSize);
670 if (n == -1 && errno == EAGAIN) {
673 checkUnixError(n, "read");
682 std::pair<std::string, std::string> Subprocess::communicate(
684 IOBufQueue inputQueue;
685 inputQueue.wrapBuffer(input.data(), input.size());
687 auto outQueues = communicateIOBuf(std::move(inputQueue));
688 auto outBufs = std::make_pair(outQueues.first.move(),
689 outQueues.second.move());
690 std::pair<std::string, std::string> out;
692 outBufs.first->coalesce();
693 out.first.assign(reinterpret_cast<const char*>(outBufs.first->data()),
694 outBufs.first->length());
696 if (outBufs.second) {
697 outBufs.second->coalesce();
698 out.second.assign(reinterpret_cast<const char*>(outBufs.second->data()),
699 outBufs.second->length());
704 std::pair<IOBufQueue, IOBufQueue> Subprocess::communicateIOBuf(
706 // If the user supplied a non-empty input buffer, make sure
707 // that stdin is a pipe so we can write the data.
708 if (!input.empty()) {
709 // findByChildFd() will throw std::invalid_argument if no pipe for
710 // STDIN_FILENO exists
711 findByChildFd(STDIN_FILENO);
714 std::pair<IOBufQueue, IOBufQueue> out;
716 auto readCallback = [&] (int pfd, int cfd) -> bool {
717 if (cfd == STDOUT_FILENO) {
718 return handleRead(pfd, out.first);
719 } else if (cfd == STDERR_FILENO) {
720 return handleRead(pfd, out.second);
722 // Don't close the file descriptor, the child might not like SIGPIPE,
723 // just read and throw the data away.
724 return discardRead(pfd);
728 auto writeCallback = [&] (int pfd, int cfd) -> bool {
729 if (cfd == STDIN_FILENO) {
730 return handleWrite(pfd, input);
732 // If we don't want to write to this fd, just close it.
737 communicate(std::move(readCallback), std::move(writeCallback));
742 void Subprocess::communicate(FdCallback readCallback,
743 FdCallback writeCallback) {
744 // This serves to prevent wait() followed by communicate(), but if you
745 // legitimately need that, send a patch to delete this line.
746 returnCode_.enforce(ProcessReturnCode::RUNNING);
749 std::vector<pollfd> fds;
750 fds.reserve(pipes_.size());
751 std::vector<size_t> toClose; // indexes into pipes_
752 toClose.reserve(pipes_.size());
754 while (!pipes_.empty()) {
758 for (auto& p : pipes_) {
760 pfd.fd = p.pipe.fd();
761 // Yes, backwards, PIPE_IN / PIPE_OUT are defined from the
762 // child's point of view.
764 // Still keeping fd in watched set so we get notified of POLLHUP /
767 } else if (p.direction == PIPE_IN) {
768 pfd.events = POLLOUT;
777 r = ::poll(fds.data(), fds.size(), -1);
778 } while (r == -1 && errno == EINTR);
779 checkUnixError(r, "poll");
781 for (size_t i = 0; i < pipes_.size(); ++i) {
783 auto parentFd = p.pipe.fd();
784 DCHECK_EQ(fds[i].fd, parentFd);
785 short events = fds[i].revents;
788 if (events & POLLOUT) {
789 DCHECK(!(events & POLLIN));
790 if (writeCallback(parentFd, p.childFd)) {
791 toClose.push_back(i);
796 // Call read callback on POLLHUP, to give it a chance to read (and act
798 if (events & (POLLIN | POLLHUP)) {
799 DCHECK(!(events & POLLOUT));
800 if (readCallback(parentFd, p.childFd)) {
801 toClose.push_back(i);
806 if ((events & (POLLHUP | POLLERR)) && !closed) {
807 toClose.push_back(i);
812 // Close the fds in reverse order so the indexes hold after erase()
813 for (int idx : boost::adaptors::reverse(toClose)) {
814 auto pos = pipes_.begin() + idx;
815 pos->pipe.close(); // Throws on error
821 void Subprocess::enableNotifications(int childFd, bool enabled) {
822 pipes_[findByChildFd(childFd)].enabled = enabled;
825 bool Subprocess::notificationsEnabled(int childFd) const {
826 return pipes_[findByChildFd(childFd)].enabled;
829 size_t Subprocess::findByChildFd(int childFd) const {
830 auto pos = std::lower_bound(
831 pipes_.begin(), pipes_.end(), childFd,
832 [] (const Pipe& pipe, int fd) { return pipe.childFd < fd; });
833 if (pos == pipes_.end() || pos->childFd != childFd) {
834 throw std::invalid_argument(folly::to<std::string>(
835 "child fd not found ", childFd));
837 return pos - pipes_.begin();
840 void Subprocess::closeParentFd(int childFd) {
841 int idx = findByChildFd(childFd);
842 pipes_[idx].pipe.close(); // May throw
843 pipes_.erase(pipes_.begin() + idx);
846 std::vector<Subprocess::ChildPipe> Subprocess::takeOwnershipOfPipes() {
847 std::vector<Subprocess::ChildPipe> pipes;
848 for (auto& p : pipes_) {
849 pipes.emplace_back(p.childFd, std::move(p.pipe));
852 std::vector<Pipe>().swap(pipes_);
861 // We like EPIPE, thanks.
862 ::signal(SIGPIPE, SIG_IGN);
866 Initializer initializer;
projects / folly.git / blob