1*6777b538SAndroid Build Coastguard Worker // Copyright 2013 The Chromium Authors
2*6777b538SAndroid Build Coastguard Worker // Use of this source code is governed by a BSD-style license that can be
3*6777b538SAndroid Build Coastguard Worker // found in the LICENSE file.
4*6777b538SAndroid Build Coastguard Worker
5*6777b538SAndroid Build Coastguard Worker #include "base/process/kill.h"
6*6777b538SAndroid Build Coastguard Worker
7*6777b538SAndroid Build Coastguard Worker #include <errno.h>
8*6777b538SAndroid Build Coastguard Worker #include <signal.h>
9*6777b538SAndroid Build Coastguard Worker #include <sys/event.h>
10*6777b538SAndroid Build Coastguard Worker #include <sys/types.h>
11*6777b538SAndroid Build Coastguard Worker #include <sys/wait.h>
12*6777b538SAndroid Build Coastguard Worker
13*6777b538SAndroid Build Coastguard Worker #include "base/files/file_util.h"
14*6777b538SAndroid Build Coastguard Worker #include "base/files/scoped_file.h"
15*6777b538SAndroid Build Coastguard Worker #include "base/logging.h"
16*6777b538SAndroid Build Coastguard Worker #include "base/posix/eintr_wrapper.h"
17*6777b538SAndroid Build Coastguard Worker
18*6777b538SAndroid Build Coastguard Worker namespace base {
19*6777b538SAndroid Build Coastguard Worker
20*6777b538SAndroid Build Coastguard Worker namespace {
21*6777b538SAndroid Build Coastguard Worker
22*6777b538SAndroid Build Coastguard Worker // Reap |child| process. This call blocks until completion.
BlockingReap(pid_t child)23*6777b538SAndroid Build Coastguard Worker void BlockingReap(pid_t child) {
24*6777b538SAndroid Build Coastguard Worker const pid_t result = HANDLE_EINTR(waitpid(child, NULL, 0));
25*6777b538SAndroid Build Coastguard Worker if (result == -1) {
26*6777b538SAndroid Build Coastguard Worker DPLOG(ERROR) << "waitpid(" << child << ", NULL, 0)";
27*6777b538SAndroid Build Coastguard Worker }
28*6777b538SAndroid Build Coastguard Worker }
29*6777b538SAndroid Build Coastguard Worker
30*6777b538SAndroid Build Coastguard Worker } // namespace
31*6777b538SAndroid Build Coastguard Worker
32*6777b538SAndroid Build Coastguard Worker // Waits for |timeout| seconds for the given |child| to exit and reap it. If
33*6777b538SAndroid Build Coastguard Worker // the child doesn't exit within the time specified, kills it.
34*6777b538SAndroid Build Coastguard Worker //
35*6777b538SAndroid Build Coastguard Worker // This function takes two approaches: first, it tries to use kqueue to
36*6777b538SAndroid Build Coastguard Worker // observe when the process exits. kevent can monitor a kqueue with a
37*6777b538SAndroid Build Coastguard Worker // timeout, so this method is preferred to wait for a specified period of
38*6777b538SAndroid Build Coastguard Worker // time. Once the kqueue indicates the process has exited, waitpid will reap
39*6777b538SAndroid Build Coastguard Worker // the exited child. If the kqueue doesn't provide an exit event notification,
40*6777b538SAndroid Build Coastguard Worker // before the timeout expires, or if the kqueue fails or misbehaves, the
41*6777b538SAndroid Build Coastguard Worker // process will be mercilessly killed and reaped.
42*6777b538SAndroid Build Coastguard Worker //
43*6777b538SAndroid Build Coastguard Worker // A child process passed to this function may be in one of several states:
44*6777b538SAndroid Build Coastguard Worker // running, terminated and not yet reaped, and (apparently, and unfortunately)
45*6777b538SAndroid Build Coastguard Worker // terminated and already reaped. Normally, a process will at least have been
46*6777b538SAndroid Build Coastguard Worker // asked to exit before this function is called, but this is not required.
47*6777b538SAndroid Build Coastguard Worker // If a process is terminating and unreaped, there may be a window between the
48*6777b538SAndroid Build Coastguard Worker // time that kqueue will no longer recognize it and when it becomes an actual
49*6777b538SAndroid Build Coastguard Worker // zombie that a non-blocking (WNOHANG) waitpid can reap. This condition is
50*6777b538SAndroid Build Coastguard Worker // detected when kqueue indicates that the process is not running and a
51*6777b538SAndroid Build Coastguard Worker // non-blocking waitpid fails to reap the process but indicates that it is
52*6777b538SAndroid Build Coastguard Worker // still running. In this event, a blocking attempt to reap the process
53*6777b538SAndroid Build Coastguard Worker // collects the known-dying child, preventing zombies from congregating.
54*6777b538SAndroid Build Coastguard Worker //
55*6777b538SAndroid Build Coastguard Worker // In the event that the kqueue misbehaves entirely, as it might under a
56*6777b538SAndroid Build Coastguard Worker // EMFILE condition ("too many open files", or out of file descriptors), this
57*6777b538SAndroid Build Coastguard Worker // function will forcibly kill and reap the child without delay. This
58*6777b538SAndroid Build Coastguard Worker // eliminates another potential zombie vector. (If you're out of file
59*6777b538SAndroid Build Coastguard Worker // descriptors, you're probably deep into something else, but that doesn't
60*6777b538SAndroid Build Coastguard Worker // mean that zombies be allowed to kick you while you're down.)
61*6777b538SAndroid Build Coastguard Worker //
62*6777b538SAndroid Build Coastguard Worker // The fact that this function seemingly can be called to wait on a child
63*6777b538SAndroid Build Coastguard Worker // that's not only already terminated but already reaped is a bit of a
64*6777b538SAndroid Build Coastguard Worker // problem: a reaped child's pid can be reclaimed and may refer to a distinct
65*6777b538SAndroid Build Coastguard Worker // process in that case. The fact that this function can seemingly be called
66*6777b538SAndroid Build Coastguard Worker // to wait on a process that's not even a child is also a problem: kqueue will
67*6777b538SAndroid Build Coastguard Worker // work in that case, but waitpid won't, and killing a non-child might not be
68*6777b538SAndroid Build Coastguard Worker // the best approach.
WaitForChildToDie(pid_t child,int timeout)69*6777b538SAndroid Build Coastguard Worker void WaitForChildToDie(pid_t child, int timeout) {
70*6777b538SAndroid Build Coastguard Worker DCHECK_GT(child, 0);
71*6777b538SAndroid Build Coastguard Worker DCHECK_GT(timeout, 0);
72*6777b538SAndroid Build Coastguard Worker
73*6777b538SAndroid Build Coastguard Worker // DON'T ADD ANY EARLY RETURNS TO THIS FUNCTION without ensuring that
74*6777b538SAndroid Build Coastguard Worker // |child| has been reaped. Specifically, even if a kqueue, kevent, or other
75*6777b538SAndroid Build Coastguard Worker // call fails, this function should fall back to the last resort of trying
76*6777b538SAndroid Build Coastguard Worker // to kill and reap the process. Not observing this rule will resurrect
77*6777b538SAndroid Build Coastguard Worker // zombies.
78*6777b538SAndroid Build Coastguard Worker
79*6777b538SAndroid Build Coastguard Worker int result;
80*6777b538SAndroid Build Coastguard Worker
81*6777b538SAndroid Build Coastguard Worker ScopedFD kq(HANDLE_EINTR(kqueue()));
82*6777b538SAndroid Build Coastguard Worker if (!kq.is_valid()) {
83*6777b538SAndroid Build Coastguard Worker DPLOG(ERROR) << "kqueue()";
84*6777b538SAndroid Build Coastguard Worker } else {
85*6777b538SAndroid Build Coastguard Worker struct kevent change = {0};
86*6777b538SAndroid Build Coastguard Worker EV_SET(&change, child, EVFILT_PROC, EV_ADD, NOTE_EXIT, 0, NULL);
87*6777b538SAndroid Build Coastguard Worker result = HANDLE_EINTR(kevent(kq.get(), &change, 1, NULL, 0, NULL));
88*6777b538SAndroid Build Coastguard Worker
89*6777b538SAndroid Build Coastguard Worker if (result == -1) {
90*6777b538SAndroid Build Coastguard Worker if (errno != ESRCH) {
91*6777b538SAndroid Build Coastguard Worker DPLOG(ERROR) << "kevent (setup " << child << ")";
92*6777b538SAndroid Build Coastguard Worker } else {
93*6777b538SAndroid Build Coastguard Worker // At this point, one of the following has occurred:
94*6777b538SAndroid Build Coastguard Worker // 1. The process has died but has not yet been reaped.
95*6777b538SAndroid Build Coastguard Worker // 2. The process has died and has already been reaped.
96*6777b538SAndroid Build Coastguard Worker // 3. The process is in the process of dying. It's no longer
97*6777b538SAndroid Build Coastguard Worker // kqueueable, but it may not be waitable yet either. Mark calls
98*6777b538SAndroid Build Coastguard Worker // this case the "zombie death race".
99*6777b538SAndroid Build Coastguard Worker
100*6777b538SAndroid Build Coastguard Worker result = HANDLE_EINTR(waitpid(child, NULL, WNOHANG));
101*6777b538SAndroid Build Coastguard Worker
102*6777b538SAndroid Build Coastguard Worker if (result != 0) {
103*6777b538SAndroid Build Coastguard Worker // A positive result indicates case 1. waitpid succeeded and reaped
104*6777b538SAndroid Build Coastguard Worker // the child. A result of -1 indicates case 2. The child has already
105*6777b538SAndroid Build Coastguard Worker // been reaped. In both of these cases, no further action is
106*6777b538SAndroid Build Coastguard Worker // necessary.
107*6777b538SAndroid Build Coastguard Worker return;
108*6777b538SAndroid Build Coastguard Worker }
109*6777b538SAndroid Build Coastguard Worker
110*6777b538SAndroid Build Coastguard Worker // |result| is 0, indicating case 3. The process will be waitable in
111*6777b538SAndroid Build Coastguard Worker // short order. Fall back out of the kqueue code to kill it (for good
112*6777b538SAndroid Build Coastguard Worker // measure) and reap it.
113*6777b538SAndroid Build Coastguard Worker }
114*6777b538SAndroid Build Coastguard Worker } else {
115*6777b538SAndroid Build Coastguard Worker // Keep track of the elapsed time to be able to restart kevent if it's
116*6777b538SAndroid Build Coastguard Worker // interrupted.
117*6777b538SAndroid Build Coastguard Worker TimeDelta remaining_delta = Seconds(timeout);
118*6777b538SAndroid Build Coastguard Worker TimeTicks deadline = TimeTicks::Now() + remaining_delta;
119*6777b538SAndroid Build Coastguard Worker result = -1;
120*6777b538SAndroid Build Coastguard Worker struct kevent event = {0};
121*6777b538SAndroid Build Coastguard Worker while (remaining_delta.InMilliseconds() > 0) {
122*6777b538SAndroid Build Coastguard Worker const struct timespec remaining_timespec = remaining_delta.ToTimeSpec();
123*6777b538SAndroid Build Coastguard Worker result = kevent(kq.get(), NULL, 0, &event, 1, &remaining_timespec);
124*6777b538SAndroid Build Coastguard Worker if (result == -1 && errno == EINTR) {
125*6777b538SAndroid Build Coastguard Worker remaining_delta = deadline - TimeTicks::Now();
126*6777b538SAndroid Build Coastguard Worker result = 0;
127*6777b538SAndroid Build Coastguard Worker } else {
128*6777b538SAndroid Build Coastguard Worker break;
129*6777b538SAndroid Build Coastguard Worker }
130*6777b538SAndroid Build Coastguard Worker }
131*6777b538SAndroid Build Coastguard Worker
132*6777b538SAndroid Build Coastguard Worker if (result == -1) {
133*6777b538SAndroid Build Coastguard Worker DPLOG(ERROR) << "kevent (wait " << child << ")";
134*6777b538SAndroid Build Coastguard Worker } else if (result > 1) {
135*6777b538SAndroid Build Coastguard Worker DLOG(ERROR) << "kevent (wait " << child << "): unexpected result "
136*6777b538SAndroid Build Coastguard Worker << result;
137*6777b538SAndroid Build Coastguard Worker } else if (result == 1) {
138*6777b538SAndroid Build Coastguard Worker if ((event.fflags & NOTE_EXIT) &&
139*6777b538SAndroid Build Coastguard Worker (event.ident == static_cast<uintptr_t>(child))) {
140*6777b538SAndroid Build Coastguard Worker // The process is dead or dying. This won't block for long, if at
141*6777b538SAndroid Build Coastguard Worker // all.
142*6777b538SAndroid Build Coastguard Worker BlockingReap(child);
143*6777b538SAndroid Build Coastguard Worker return;
144*6777b538SAndroid Build Coastguard Worker } else {
145*6777b538SAndroid Build Coastguard Worker DLOG(ERROR) << "kevent (wait " << child
146*6777b538SAndroid Build Coastguard Worker << "): unexpected event: fflags=" << event.fflags
147*6777b538SAndroid Build Coastguard Worker << ", ident=" << event.ident;
148*6777b538SAndroid Build Coastguard Worker }
149*6777b538SAndroid Build Coastguard Worker }
150*6777b538SAndroid Build Coastguard Worker }
151*6777b538SAndroid Build Coastguard Worker }
152*6777b538SAndroid Build Coastguard Worker
153*6777b538SAndroid Build Coastguard Worker // The child is still alive, or is very freshly dead. Be sure by sending it
154*6777b538SAndroid Build Coastguard Worker // a signal. This is safe even if it's freshly dead, because it will be a
155*6777b538SAndroid Build Coastguard Worker // zombie (or on the way to zombiedom) and kill will return 0 even if the
156*6777b538SAndroid Build Coastguard Worker // signal is not delivered to a live process.
157*6777b538SAndroid Build Coastguard Worker result = kill(child, SIGKILL);
158*6777b538SAndroid Build Coastguard Worker if (result == -1) {
159*6777b538SAndroid Build Coastguard Worker DPLOG(ERROR) << "kill(" << child << ", SIGKILL)";
160*6777b538SAndroid Build Coastguard Worker } else {
161*6777b538SAndroid Build Coastguard Worker // The child is definitely on the way out now. BlockingReap won't need to
162*6777b538SAndroid Build Coastguard Worker // wait for long, if at all.
163*6777b538SAndroid Build Coastguard Worker BlockingReap(child);
164*6777b538SAndroid Build Coastguard Worker }
165*6777b538SAndroid Build Coastguard Worker }
166*6777b538SAndroid Build Coastguard Worker
167*6777b538SAndroid Build Coastguard Worker #if !BUILDFLAG(IS_IOS)
EnsureProcessTerminated(Process process)168*6777b538SAndroid Build Coastguard Worker void EnsureProcessTerminated(Process process) {
169*6777b538SAndroid Build Coastguard Worker constexpr int kWaitBeforeKillSeconds = 2;
170*6777b538SAndroid Build Coastguard Worker WaitForChildToDie(process.Pid(), kWaitBeforeKillSeconds);
171*6777b538SAndroid Build Coastguard Worker }
172*6777b538SAndroid Build Coastguard Worker #endif // !BUILDFLAG(IS_IOS)
173*6777b538SAndroid Build Coastguard Worker
174*6777b538SAndroid Build Coastguard Worker } // namespace base
175