Support setting signal masks for child processes on Unix #100737
Conversation
rustbot
added
the
T-libs
|
(rust-highfive has picked a reviewer for you, use r? to override) |
rust-highfive
added
the
S-waiting-on-review
|
Ah I'm not sure if there should be a reviewer at the moment, this is meant to be a draft PR :) |
sunshowers
force-pushed
the
signal-mask
branch
from
2513ed2
to
7e08f95
Compare
jyn514
added
S-experimental
|
@sunshowers I've unassigned a reviewer for now, but please do run |
| @@ -128,6 +169,47 @@ pub enum Stdio { | |||
| Fd(FileDesc), | |||
| } | |||
|
|
|||
| pub struct SignalSet { | |||
There was a problem hiding this comment.
It follows the pattern of the other items in the module which are all declared pub (though they actually resolve to pub(crate)).
sunshowers
force-pushed
the
signal-mask
branch
from
7e08f95
to
8e6e778
Compare
|
Updates:
I think this is ready for review now. |
|
Hey! It looks like you've submitted a new PR for the library teams! If this PR contains changes to any Examples of
|
|
r? rust-lang/libs-api |
|
(I still need to write up the change proposal I guess!) edit: done: rust-lang/libs-team#88 |
sunshowers
changed the title
I guess the problem would be that it changes the documented contract of the That said, I'm not sure if this is worth marking as unsafe, it seems unfortunate if so, but it's probably worth considering carefully if we aren't going to, to avoid a footgun. That said, there's probably enough time to get this right prior to stabilizing, so I don't know that this is a blocker. |
Yeah, that makes sense. Note that existing code won't be affected though -- only users of both |
|
Yeah, so I suppose we could adjust the safety contract of |
|
(whoops, closed by accident) The other issue with safety I was thinking of is: what happens if the child itself has a segfault unrelated to the parent, and the parent has masked |
In general it doesn't. It's totally safe to spawn processes that crash or do other UB ( That said, fork/exec stuff is ofc where the line gets blurry here (for example, technically |
We're going to need this for upcoming signal mask support.
|
I've put up #101077 as a dependent PR on top of this one. |
sunshowers
force-pushed
the
signal-mask
branch
from
da45dc3
to
aa251cf
Compare
This commit implements basic support for setting signal masks during process spawning. * With the `posix_spawn` code path, this means setting `posix_spawnattr_setsigmask`. * With the `fork/exec` path, this means calling `pthread_sigmask` in the child before executing it. This also fixes a bug: previously, we were always setting the signal mask to the empty set, breaking tools like `nohup`. With this change, we inherit the signal mask from the parent by default.
sunshowers
force-pushed
the
signal-mask
branch
from
aa251cf
to
ac8fac2
Compare
| @@ -296,6 +396,10 @@ impl Command { | |||
| pub fn get_pgroup(&self) -> Option<pid_t> { | |||
| self.pgroup | |||
| } | |||
| #[allow(dead_code)] | |||
| pub fn get_signal_mask(&self) -> io::Result<&SignalSet> { | |||
| self.signal_mask.get_or_try_init(SignalSet::empty) | |||
There was a problem hiding this comment.
We'll want to remove the OnceLock from this if the other PR's FCP doesn't get accepted.
|
I'm going to mark this as blocked on the other PR, as it's unlikely that we want this impl without that (and the resolution there may change how we approach this API). |
thomcc
added
the
S-blocked
|
☔ The latest upstream changes (presumably #100786) made this pull request unmergeable. Please resolve the merge conflicts. |
| /// success and has no effect. | ||
| /// | ||
| /// Blocking some signals like `SIGSEGV` can lead to undefined behavior in | ||
| /// the child. See the [`pthread_sigmask`] man page for more information. |
There was a problem hiding this comment.
sigprocmask is probably the more canonical reference.
Also, while the manpage may say that the effect of blocking synchronous traps (ie, SEGV/BUS/FPE/ILL raised while executing an instruction) is undefined, I wouldn't read that as being the same as UB at the Rust/llvm level.
In practice I think it would either deliver the signal as SIG_DFL (ie, Linux), or endlessly re-trap on the same instruction (what x86 macOS seems to do) - either way the program has effectively terminated and won't enter any UB states as far as the program semantics are concerned.
There was a problem hiding this comment.
Heh it's actually the same man page for both pthread_sigmask and sigprocmask. I can change the reference in the docs to be sigprocmask though.
There was a problem hiding this comment.
Huh - on Fedora they're separate, but pthread_sigmask has almost no content and refers to sigprocmask for discussion of the detailed semantics.
There was a problem hiding this comment.
(I was referring to the man pages from the official POSIX spec here, as linked in the comment)
Align android `sigaddset` impl with the reference impl from Bionic In rust-lang/rust#100737 I noticed we were treating the sigset_t as an array of bytes, while referencing code from android (https://github.com/aosp-mirror/platform_bionic/blob/ad8dcd6023294b646e5a8288c0ed431b0845da49/libc/include/android/legacy_signal_inlines.h) which treats it as an array of unsigned long. That said, the behavior difference is so subtle here that it's not hard to see why nobody noticed. This fixes the implementation to be equivalent to the one in bionic.
JohnCSimon
added
S-waiting-on-review
Dylan-DPC
removed
the
S-waiting-on-review
|
I think this is no longer blocked. |
thomcc
added
S-waiting-on-author
|
Yep, planning to get to it soon. Meanwhile I've worked around it on beta Rust (1.66) by calling pthread_sigmask before and after process spawning, which appears to work. |
|
No rush, just got a ping on it from someone. |
|
@sunshowers FYI: when a PR is ready for review, send a message containing |
|
Closing this due to inactivity. Feel free to make a new pr if you wish to continue this. |
Dylan-DPC
added
S-inactive
|
Apologies, I started a new full-time job since I originally wrote this and haven't had the time to follow up on it. After #101077, I also figured out a way to do this without needing to add new API surface to std:
(and use a scope guard to ensure that the sigmask is unset in case of panic.) This means that I'm probably not going to pursue this further. However, someone else is welcome to. |
This commit implements basic support for setting signal masks during process spawning.
posix_spawncode path, this means settingposix_spawnattr_setsigmask.fork/execpath, this means callingpthread_sigmaskin the child before executing it.This PR retains the default behavior (empty signal mask). I've also put up #101077 as a dependent PR to change the default behavior.
API change proposal:
Unresolved questions:
SIGSEGVetc (documented in the POSIX spec) enough reason to mark this unsafe?