process: add execve

[ShogunPanda]

This PR adds a new process.execve method (absolutely willing to change the name if you want), which is a wrapper for the execve UNIX function.

The function will never return and will swap the current process with a new one.
All memory and system resources are automatically collected from execve, except for std{in,out,err}.

The primary use of this function is in shell scripts to allow to setup proper logics and then spawn another command.

[nodejs-github-bot]

Review requested:

• @nodejs/startup

[nodejs-github-bot]

CI: https://ci.nodejs.org/job/node-test-pull-request/64381/

[ljharb]

What does it do on non-Unix systems?

[ShogunPanda]

@ljharb By non Unix we only mean Windows, isn't it? If that's the case, Windows also supports execve via _execve (doc here) so we should be good to go.

Once the CI ends I'll see which platform needs special assistance.

[codecov]

Codecov Report

Attention: Patch coverage is 96.15385% with 4 lines in your changes missing coverage. Please review.

Project coverage is 89.18%. Comparing base (afafee2) to head (57e8266).
Report is 50 commits behind head on main.

Files with missing lines	Patch %	Lines
src/node_process_methods.cc	91.66%	3 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #56496      +/-   ##
==========================================
+ Coverage   88.53%   89.18%   +0.64%     
==========================================
  Files         657      662       +5     
  Lines      190761   191855    +1094     
  Branches    36616    36895     +279     
==========================================
+ Hits       168899   171097    +2198     
+ Misses      15048    13629    -1419     
- Partials     6814     7129     +315     

Files with missing lines	Coverage Δ
lib/internal/bootstrap/node.js	99.57% <100.00%> (+<0.01%)	⬆️
lib/internal/process/per_thread.js	99.39% <100.00%> (+0.07%)	⬆️
src/node_errors.h	88.00% <100.00%> (+3.00%)	⬆️
src/node_process_methods.cc	90.90% <91.66%> (+5.08%)	⬆️

... and 122 files with indirect coverage changes

[targos]

On Windows:

D:\a\node\node\src\node_process_methods.cc(544,26): error C2065: 'F_GETFD': undeclared identifier [D:\a\node\node\libnode.vcxproj]
  (compiling source file '/src/node_process_methods.cc')
  
D:\a\node\node\src\node_process_methods.cc(544,17): error C3861: 'fcntl': identifier not found [D:\a\node\node\libnode.vcxproj]
  (compiling source file '/src/node_process_methods.cc')
  
D:\a\node\node\src\node_process_methods.cc(546,17): error C2065: 'FD_CLOEXEC': undeclared identifier [D:\a\node\node\libnode.vcxproj]
  (compiling source file '/src/node_process_methods.cc')
  
D:\a\node\node\src\node_process_methods.cc(547,16): error C2065: 'F_SETFD': undeclared identifier [D:\a\node\node\libnode.vcxproj]
  (compiling source file '/src/node_process_methods.cc')
  
D:\a\node\node\src\node_process_methods.cc(547,7): error C3861: 'fcntl': identifier not found [D:\a\node\node\libnode.vcxproj]
  (compiling source file '/src/node_process_methods.cc')

[targos]

To fix https://ci.nodejs.org/job/node-test-commit-custom-suites-freestyle/40120/

[ardinugrxha]

we need check not null also in here, maybe(?)

[ShogunPanda]

Good spot. Added.

[anonrig]

I think we should use std::memcpy or a similar modern C++ function other than this.

[mcollina]

lgtm

[ShogunPanda]

@ljharb I was totally wrong. Despite of naming and similar signatures, the function _execve only creates a new process without replacing the old one.

I'll disable this function on Windows.

[nodejs-github-bot]

CI: https://ci.nodejs.org/job/node-test-pull-request/64387/

[addaleax]

If this is to be added, I'd absolutely recommend referring to it by a standard name such as execve(), or otherwise something that makes it clear that it spawns a new process.

This requires integration with the permissions API or is otherwise an immediate security hole.

Overall I'd recommend not adding this though, unless there's a concrete reason to believe that it fills a significant gap that the existing child_process API doesn't cover.

[addaleax]

What if this isn't the a desirable behavior in a given situation?

[ShogunPanda]

Can you please expand this? What do you mean?

[addaleax]

If there's any point in adding execve(), it's the customizability that the method brings with it. Leaving file descriptors open and/or redirecting them intentionally can be part of that -- just like you could in a bash script do exec bash 0<&4 1>&4 to create a shell that reads and writes to e.g. a pre-opened socket or something along those lines.

(With a similar reasoning, you could also allow users to actually specify argv[0] with a value they control -- it doesn't need to equal the filename that's being executed)

[addaleax]

This is quite hard-to-follow C++ with lots of unnecessary explicit memory management that Node.js has been doing a lot of effort to move away from. I'd recommend looking a bit a how other parts of the Node.js code base handle strings and conversion between C++ and JS values.

[anonrig]

+1

[ShogunPanda]

I'm absolutely willing to. Since I'm not familiar with the C++ codebase, do you have any suggestion of places I can look to?

[addaleax]

@ShogunPanda Well, mostly anywhere else works. As a general rule, you'll want to get rid of new, new[], char*, memcpy() and strdup() as much as possible, and replace them with std::vector, std::string/Utf8Value as much as possible.

(You won't be entirely able to avoid something like std::vector<char*> because execve expects char** arguments, but the std::vector<char*>'s entries could point to the entries of a std::vector<std::string> or std::vector<Utf8Value> rather than having to manage memory manually).

[ShogunPanda]

@addaleax I vastly refactored the C++ part following your suggestions. It was great, thanks a lot for all the good hint.

I tried to use a single vector but when I instantiate a std::string or a Utf8Value inside a for loop it obviously went out of scope and garbage collected.
So I have to use two vectors for argv and two for envp. Is this the right approach or am I still missing something?

[ljharb]

Why would we want to add a function that can't work on all tier 1 platforms?

[jasnell]

Why would we want to add a function that can't work on all tier 1 platforms?

Well, we already have a number of such apis... process.getegid() for instance. There are actually quite a few already on process.

[ljharb]

Gotcha, i wasn't aware of that.

[jasnell]

I don't consider it to be ideal. I would have preferred a pattern like process.posix.getegid() similar to what we have with path.posix but these predate my involvement so they are what they are.

[jasnell]

+1 on @addaleax's alternative name suggestion. I'm fine with adding this so long as the cleanup logic/expectations are clearly documented.

[ShogunPanda]

Why would we want to add a function that can't work on all tier 1 platforms?

Well, we already have a number of such apis... process.getegid() for instance. There are actually quite a few already on process.

Thanks for involuntary hint. :)
I updated the code with #ifdef __POSIX__ and the docs to use the same wording already used there.

[ShogunPanda]

@addaleax

If this is to be added, I'd absolutely recommend referring to it by a standard name such as execve(), or otherwise something that makes it clear that it spawns a new process.

As requested, I've renamed it to execve. I didn't like the original name either :)

This requires integration with the permissions API or is otherwise an immediate security hole.

I just added integration with the permission API. It will require --allow-child-process.

Overall I'd recommend not adding this though, unless there's a concrete reason to believe that it fills a significant gap that the existing child_process API doesn't cover.

In the shell scripting context, there is no way to create a new process which would replace the current one. Think about using Node.js to build a complex command to run. After it, Node.js was not used anymore but since there was no way to swap the process, you would have to spawn a new process, manage it's stdin/stdout/stderr and so forth. That's why I added execve.

[ShogunPanda]

@jasnell

+1 on @addaleax's alternative name suggestion. I'm fine with adding this so long as the cleanup logic/expectations are clearly documented.

I added two tests which check that:

1. Test what happens if we leave a socket open and we try to reopen in the swapped process: the operation succeeds, which means the fd is destroyed. I also tried to install a on('close') but it is not invoked.

2. Test what happens if there is a process.on('exit') on the original process. It does not get invoked, which means that the system call immediately swap the programs without running any cleanup logic.

I've added this to the documentation to reflect that. Does it look good now?

[addaleax]

After it, Node.js was not used anymore but since there was no way to swap the process, you would have to spawn a new process, manage it's stdin/stdout/stderr and so forth. That's why I added execve.

I mean, to be clear, this is still a one-line operation (managing stdio literally just comes down to setting stdio: 'inherit') for the most part. I know where you're coming from but I wouldn't add this just for the sake of adding it.

[ShogunPanda]

After it, Node.js was not used anymore but since there was no way to swap the process, you would have to spawn a new process, manage it's stdin/stdout/stderr and so forth. That's why I added execve.

I mean, to be clear, this is still a one-line operation (managing stdio literally just comes down to setting stdio: 'inherit') for the most part. I know where you're coming from but I wouldn't add this just for the sake of adding it.

I kinda agree.
You still would have to handle the exit code to ensure proper broadcasting to the shell.
Also, I'm not sure what would happen with "TUI" (ncurses and similar) programs and so forth.

Is your objection a full block or just an "intent"?

[addaleax]

@ShogunPanda Just fyi, have you seen https://www.npmjs.com/package/foreground-child? That also works on Windows 🙂

My "request changes" marker only refers to the C++ memory management here, i.e. this comment specifically (and the integration with the permissions API, of course). I don't intend to block this feature, I've given my opinion but it's pretty clear overall that the Node.js project has a different stance from my own when it comes to 'what should go into core' 🙂

[jasnell]

The abundance of manual memory management in this function really makes me nervous.

[ShogunPanda]

@anonrig @addaleax @jasnell I have vastly refactored the C++ to address Anna's and James' suggestions. Can you please review it again?

Apparently I'm more a C guy than a C++ guy. And last time I officially touched C was several years ago. Lol.

Thanks for the patience here!

[jasnell]

For things like this, instead of using ToLocalChecked(), use a pattern like the following... this will avoid a process crash when a throw is appropriate:

Local<Value> str;
if (!envp_array->Get(context, i).ToLocal(&str)) {
  return;
}
envp_strings[i] = Utf8Value(str).ToString();

[jasnell]

rather than a using a loop here, consider something like:

if (persist_standard_stream(0) < 0 ||
    persist_standard_stream(1) < 0 ||
    persist_standard_stream(2) < 0) {
  THROW_ERR_PROCSS_EXECVE_FAILED(env, errno);
}

Or persist all three at once in one call to persist_standard_stream()

[jasnell]

Given that you're running the RunAtExit(...) here, and given that the expectation is for this process to be replaced, I wonder if it would be more appropriate to crash the process here instead of just throwing (a throw can be caught and ignored and I'm not sure we want that here)