Block signals while forking so they aren't run in the child process.

base/process/launch_posix.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "base/process/launch.h"
 
 #include <dirent.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <signal.h>
@@ skipping 376 matching lines @@
   InjectiveMultimap fd_shuffle1;
   InjectiveMultimap fd_shuffle2;
   fd_shuffle1.reserve(fd_shuffle_size);
   fd_shuffle2.reserve(fd_shuffle_size);
 
   scoped_ptr<char*[]> argv_cstr(new char*[argv.size() + 1]);
   scoped_ptr<char*[]> new_environ;
   if (options.environ)
     new_environ.reset(AlterEnvironment(*options.environ, GetEnvironment()));
 
+  sigset_t full_sigset;
+  sigfillset(&full_sigset);
+  sigset_t old_sigset;
+  if (pthread_sigmask(SIG_BLOCK, &full_sigset, &old_sigset) != 0) {

[Markus (顧孟勤), 2013/08/01 01:20:54]

In principle, I believe this works OK. But you are technically skirting
real-close to undefined behavior.

sigfillset() might set signals that are not actually defined. Linux happens to
have exactly 32 regular signals and 32 real-time signals. So, setting the full
mask does in fact affect exactly all signals. Not more, not less.

But this isn't necessarily true for all platforms.

Also, you are trying to block things like SIGKILL and SIGSTOP. This is not
actually possible.

In general, Linux tends to be nice and ends up doing what you meant rather than
what you told it to do (i.e. it ignores SIGKILL and SIGSTOP) in the signal mask.

Finally, glibc reserves at least one real-time signal for internal use by
pthreads. It will generally wrap all signal-related system calls to filter out
attempts to change this signal.

Summarizing all of the above, I don't actually require that you change this
code, as it is likely to work fine. But I would really like to see a unittest
that verifies that you don't get unexpected behavior.

[Markus (顧孟勤), 2013/08/01 01:20:54]

And now for a nitpick:

It is actually not possible to safely call fork() in a multi-threaded
application. So, if we were doing things correctly, you should be
single-threaded by the time you get here. And that of course means you should
have called sigprocmask() instead of pthread_sigmask().

But we all know this isn't happening :-(

[mdempsky_google, 2013/08/01 16:25:05]

https://code.google.com/p/chromium/issues/detail?id=36678 seems to suggest
Chromium depends on forking in a multi-threaded app.
Is there a difference between sigprocmask() and pthread_sigmask() on Linux? 
POSIX says they're the same except sigprocmask() can only be used in a
single-threaded process (whereas pthread_sigmask() can be used in
single-threaded or multi-threaded processes), and on OpenBSD they're backed by
the same system call.

(Well, and pthread_sigmask is in -lpthread instead of -lc, but I'm under the
possibly mistaken impression that Chromium code will be linking against
-lpthread anyway.)

[mdempsky_google, 2013/08/01 16:25:05]

I expect sigfillset() + pthread_sigmask() should be safe, but I'll check with
the austin group mailing list to be sure.
Agreed, but also it's not an error:

"It is not possible to block those signals which cannot be ignored. This shall
be enforced by the system without causing an error to be indicated."

http://pubs.opengroup.org/onlinepubs/009695399/functions/sigprocmask.html
Yep, OpenBSD does that too.  I don't think it should be a problem here though.
Sure.  What sort of unittest did you have in mind?

+    DPLOG(ERROR) << "pthread_sigmask";
+    return false;
+  }
+
   pid_t pid;
 #if defined(OS_LINUX)
   if (options.clone_flags) {
     pid = syscall(__NR_clone, options.clone_flags, 0, 0, 0);

[Markus (顧孟勤), 2013/08/01 01:20:54]

Do you by chance happen to know if we use this code? There is only a small
subset of clone_flags that can safely be called from syscall(). There is another
API for calling sys_clone() that works more generically.

It would be nice to have a CHECK() that clone_flags doesn't include CLONE_THREAD
or CLONE_VM.

Again, I am perfectly happy, if you think this shouldn't go into this CL at this
time.

[mdempsky_google, 2013/08/01 16:25:05]

Not really.  According to cs.chromium.org, the only use I found was in
components/nacl/zygote/nacl_fork_delegate_linux.cc: "options.clone_flags =
CLONE_FS | SIGCHLD;"
I can add that.

   } else
 #endif
   {
     pid = fork();
   }
 
+  if (pid != 0) {
+    if (pthread_sigmask(SIG_SETMASK, &old_sigset, NULL) != 0) {
+      NOTREACHED();
+    }
+  }
+
   if (pid < 0) {
     DPLOG(ERROR) << "fork";
     return false;
   } else if (pid == 0) {
     // Child process
 
     // DANGER: fork() rule: in the child, if you don't end up doing exec*(),
     // you call _exit() instead of exit(). This is because _exit() does not
     // call any previously-registered (in the parent) exit handlers, which
     // might do things like block waiting for threads that don't even exist
@@ skipping 45 matching lines @@
           }
         }
       }
     }
 
 #if defined(OS_MACOSX)
     RestoreDefaultExceptionHandler();
 #endif  // defined(OS_MACOSX)
 
     ResetChildSignalHandlersToDefaults();
+    if (pthread_sigmask(SIG_SETMASK, &old_sigset, NULL) != 0) {
+      NOTREACHED();
+    }
 
 #if 0
     // When debugging it can be helpful to check that we really aren't making
     // any hidden calls to malloc.
     void *malloc_thunk =
         reinterpret_cast<void*>(reinterpret_cast<intptr_t>(malloc) & ~4095);
     mprotect(malloc_thunk, 4096, PROT_READ | PROT_WRITE | PROT_EXEC);
     memset(reinterpret_cast<void*>(malloc), 0xff, 8);
 #endif  // 0
 
@@ skipping 238 matching lines @@
                               std::string* output,
                               int* exit_code) {
   // Run |execve()| with the current environment and store "unlimited" data.
   GetAppOutputInternalResult result = GetAppOutputInternal(
       cl.argv(), NULL, output, std::numeric_limits<std::size_t>::max(), true,
       exit_code);
   return result == EXECUTE_SUCCESS;
 }
 
 }  // namespace base