OLD | NEW |
| (Empty) |
1 // Copyright (c) 2009 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include "content/common/process_watcher.h" | |
6 | |
7 #include <errno.h> | |
8 #include <signal.h> | |
9 #include <sys/event.h> | |
10 #include <sys/types.h> | |
11 #include <sys/wait.h> | |
12 | |
13 #include "base/eintr_wrapper.h" | |
14 #include "base/file_util.h" | |
15 #include "base/time.h" | |
16 | |
17 namespace { | |
18 | |
19 const int kWaitBeforeKillSeconds = 2; | |
20 | |
21 // Reap |child| process. This call blocks until completion. | |
22 void BlockingReap(pid_t child) { | |
23 const pid_t result = HANDLE_EINTR(waitpid(child, NULL, 0)); | |
24 if (result == -1) { | |
25 DPLOG(ERROR) << "waitpid(" << child << ", NULL, 0)"; | |
26 } | |
27 } | |
28 | |
29 // Waits for |timeout| seconds for the given |child| to exit and reap it. If | |
30 // the child doesn't exit within the time specified, kills it. | |
31 // | |
32 // This function takes two approaches: first, it tries to use kqueue to | |
33 // observe when the process exits. kevent can monitor a kqueue with a | |
34 // timeout, so this method is preferred to wait for a specified period of | |
35 // time. Once the kqueue indicates the process has exited, waitpid will reap | |
36 // the exited child. If the kqueue doesn't provide an exit event notification, | |
37 // before the timeout expires, or if the kqueue fails or misbehaves, the | |
38 // process will be mercilessly killed and reaped. | |
39 // | |
40 // A child process passed to this function may be in one of several states: | |
41 // running, terminated and not yet reaped, and (apparently, and unfortunately) | |
42 // terminated and already reaped. Normally, a process will at least have been | |
43 // asked to exit before this function is called, but this is not required. | |
44 // If a process is terminating and unreaped, there may be a window between the | |
45 // time that kqueue will no longer recognize it and when it becomes an actual | |
46 // zombie that a non-blocking (WNOHANG) waitpid can reap. This condition is | |
47 // detected when kqueue indicates that the process is not running and a | |
48 // non-blocking waitpid fails to reap the process but indicates that it is | |
49 // still running. In this event, a blocking attempt to reap the process | |
50 // collects the known-dying child, preventing zombies from congregating. | |
51 // | |
52 // In the event that the kqueue misbehaves entirely, as it might under a | |
53 // EMFILE condition ("too many open files", or out of file descriptors), this | |
54 // function will forcibly kill and reap the child without delay. This | |
55 // eliminates another potential zombie vector. (If you're out of file | |
56 // descriptors, you're probably deep into something else, but that doesn't | |
57 // mean that zombies be allowed to kick you while you're down.) | |
58 // | |
59 // The fact that this function seemingly can be called to wait on a child | |
60 // that's not only already terminated but already reaped is a bit of a | |
61 // problem: a reaped child's pid can be reclaimed and may refer to a distinct | |
62 // process in that case. The fact that this function can seemingly be called | |
63 // to wait on a process that's not even a child is also a problem: kqueue will | |
64 // work in that case, but waitpid won't, and killing a non-child might not be | |
65 // the best approach. | |
66 void WaitForChildToDie(pid_t child, int timeout) { | |
67 DCHECK(child > 0); | |
68 DCHECK(timeout > 0); | |
69 | |
70 // DON'T ADD ANY EARLY RETURNS TO THIS FUNCTION without ensuring that | |
71 // |child| has been reaped. Specifically, even if a kqueue, kevent, or other | |
72 // call fails, this function should fall back to the last resort of trying | |
73 // to kill and reap the process. Not observing this rule will resurrect | |
74 // zombies. | |
75 | |
76 int result; | |
77 | |
78 int kq = HANDLE_EINTR(kqueue()); | |
79 if (kq == -1) { | |
80 DPLOG(ERROR) << "kqueue()"; | |
81 } else { | |
82 file_util::ScopedFD auto_close_kq(&kq); | |
83 | |
84 struct kevent change = {0}; | |
85 EV_SET(&change, child, EVFILT_PROC, EV_ADD, NOTE_EXIT, 0, NULL); | |
86 result = HANDLE_EINTR(kevent(kq, &change, 1, NULL, 0, NULL)); | |
87 | |
88 if (result == -1) { | |
89 if (errno != ESRCH) { | |
90 DPLOG(ERROR) << "kevent (setup " << child << ")"; | |
91 } else { | |
92 // At this point, one of the following has occurred: | |
93 // 1. The process has died but has not yet been reaped. | |
94 // 2. The process has died and has already been reaped. | |
95 // 3. The process is in the process of dying. It's no longer | |
96 // kqueueable, but it may not be waitable yet either. Mark calls | |
97 // this case the "zombie death race". | |
98 | |
99 result = HANDLE_EINTR(waitpid(child, NULL, WNOHANG)); | |
100 | |
101 if (result != 0) { | |
102 // A positive result indicates case 1. waitpid succeeded and reaped | |
103 // the child. A result of -1 indicates case 2. The child has already | |
104 // been reaped. In both of these cases, no further action is | |
105 // necessary. | |
106 return; | |
107 } | |
108 | |
109 // |result| is 0, indicating case 3. The process will be waitable in | |
110 // short order. Fall back out of the kqueue code to kill it (for good | |
111 // measure) and reap it. | |
112 } | |
113 } else { | |
114 // Keep track of the elapsed time to be able to restart kevent if it's | |
115 // interrupted. | |
116 base::TimeDelta remaining_delta = base::TimeDelta::FromSeconds(timeout); | |
117 base::Time deadline = base::Time::Now() + remaining_delta; | |
118 result = -1; | |
119 struct kevent event = {0}; | |
120 while (remaining_delta.InMilliseconds() > 0) { | |
121 const struct timespec remaining_timespec = remaining_delta.ToTimeSpec(); | |
122 result = kevent(kq, NULL, 0, &event, 1, &remaining_timespec); | |
123 if (result == -1 && errno == EINTR) { | |
124 remaining_delta = deadline - base::Time::Now(); | |
125 result = 0; | |
126 } else { | |
127 break; | |
128 } | |
129 } | |
130 | |
131 if (result == -1) { | |
132 DPLOG(ERROR) << "kevent (wait " << child << ")"; | |
133 } else if (result > 1) { | |
134 DLOG(ERROR) << "kevent (wait " << child << "): unexpected result " | |
135 << result; | |
136 } else if (result == 1) { | |
137 if ((event.fflags & NOTE_EXIT) && | |
138 (event.ident == static_cast<uintptr_t>(child))) { | |
139 // The process is dead or dying. This won't block for long, if at | |
140 // all. | |
141 BlockingReap(child); | |
142 return; | |
143 } else { | |
144 DLOG(ERROR) << "kevent (wait " << child | |
145 << "): unexpected event: fflags=" << event.fflags | |
146 << ", ident=" << event.ident; | |
147 } | |
148 } | |
149 } | |
150 } | |
151 | |
152 // The child is still alive, or is very freshly dead. Be sure by sending it | |
153 // a signal. This is safe even if it's freshly dead, because it will be a | |
154 // zombie (or on the way to zombiedom) and kill will return 0 even if the | |
155 // signal is not delivered to a live process. | |
156 result = kill(child, SIGKILL); | |
157 if (result == -1) { | |
158 DPLOG(ERROR) << "kill(" << child << ", SIGKILL)"; | |
159 } else { | |
160 // The child is definitely on the way out now. BlockingReap won't need to | |
161 // wait for long, if at all. | |
162 BlockingReap(child); | |
163 } | |
164 } | |
165 | |
166 } // namespace | |
167 | |
168 void ProcessWatcher::EnsureProcessTerminated(base::ProcessHandle process) { | |
169 WaitForChildToDie(process, kWaitBeforeKillSeconds); | |
170 } | |
OLD | NEW |