-
Notifications
You must be signed in to change notification settings - Fork 13k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
std::process::Command doesn't follow Unix signal safety in forked child #64718
Comments
Triage: I am not sure that the standard library intends to be fork safe. |
We try to make sure std code itself is fork safe, though that may not apply to std APIs (e.g., forking in Cell::update is probably a bad idea). I am unsure what exactly is a good solution in this case, though. |
I mean, the operations it provides should be implemented properly. From how I understand this post, using We also made |
Also it seems like |
See #55359 for an approach that doesn't have the issues described here. It also avoids execvp (note that the pull request description isn't up to date with respect to the final version of the code). Although, it didn't handle the case when PATH was unset, where excevp uses a default search path _CS_PATH, introduced a search path regression, and was subsequently reverted. |
Oh wow I had already successfully forgotten this... |
@joshtriplett wrote elsewhere:
However, it is not clear to me how "multi-thread safe" and "signal safe" (aka can-be-used-after- |
We also can't rely on any particular safety property of |
Assigning |
Following up on this, here's a summary of the changes that would need to happen:
|
Just caution that changing this could break existing code (though unlikely). #37868 is a similar issue where |
…oshtriplett Do not attempt to unlock envlock in child process after a fork. This implements the first two points from rust-lang#64718 (comment) This is a breaking change for cases where the environment is accessed in a Command::pre_exec closure. Except for single-threaded programs these uses were not correct anyway since they aren't async-signal safe. Note that we had a ui test that explicitly tried `env::set_var` in `pre_exec`. As expected it failed with these changes when I tested locally.
What is the current status of this? At least as far as the env lock is concerned, the relevant code changed quite a bit: rust/library/std/src/sys/unix/process/process_unix.rs Lines 71 to 78 in 9e77211
This looks to me like it will avoid calling the non-signal-safe 'unlock' in the child. However there is no comment next to the We are still calling |
explain mem::forget(env_lock) in fork/exec I stumbled upon this while doing triage for rust-lang#64718.
explain mem::forget(env_lock) in fork/exec I stumbled upon this while doing triage for rust-lang/rust#64718.
Update (2022-12-12): The issue description is outdated, but some problems remain.
These lines from spawn can cause a deadlock. It's wrong to assume that you can lock in the parent and the unlock in the child. Read man 2 fork and man 7 signal-safety on Linux.
Qumulo has a custom thread library which exposes this issue.
The text was updated successfully, but these errors were encountered: