[Mac] Fix ProcessUtilTest.FDRemapping for 10.9 and later.

base/process/process_util_unittest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #define _CRT_SECURE_NO_WARNINGS
 
 #include <limits>
 
 #include "base/command_line.h"
 #include "base/debug/alias.h"
@@ skipping 32 matching lines @@
 #include <sys/socket.h>
 #include <sys/wait.h>
 #endif
 #if defined(OS_WIN)
 #include <windows.h>
 #include "base/win/windows_version.h"
 #endif
 #if defined(OS_MACOSX)
 #include <mach/vm_param.h>
 #include <malloc/malloc.h>
+#include "base/mac/mac_util.h"
 #endif
 
 using base::FilePath;
 
 namespace {
 
 #if defined(OS_ANDROID)
 const char kShellPath[] = "/system/bin/sh";
 const char kPosixShell[] = "sh";
 #else
@@ skipping 399 matching lines @@
   rlim_t max_int = static_cast<rlim_t>(std::numeric_limits<int32>::max());
   if (rlim.rlim_cur > max_int) {
     return max_int;
   }
 
   return rlim.rlim_cur;
 }
 
 const int kChildPipe = 20;  // FD # for write end of pipe in child process.
 
+#if defined(OS_MACOSX)
+
+// <http://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/sys/guarded.h>
+#if !defined(_GUARDID_T)
+#define _GUARDID_T
+typedef __uint64_t guardid_t;
+#endif  // _GUARDID_T
+
+// From .../MacOSX10.9.sdk/usr/include/sys/syscall.h
+#if !defined(SYS_change_fdguard_np)
+#define SYS_change_fdguard_np 444
+#endif
+
+// <http://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/sys/guarded.h>
+#if !defined(GUARD_DUP)
+#define GUARD_DUP (1u << 1)
+#endif
+
+// <http://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/kern/kern_guarded.c?txt>
+//
+// Atomically replaces |guard|/|guardflags| with |nguard|/|nguardflags| on |fd|.
+int my_change_fdguard_np(int fd,
+                         const guardid_t *guard, u_int guardflags,
+                         const guardid_t *nguard, u_int nguardflags,
+                         int *fdflagsp) {
+  // TODO(shess): Citation needed.
+  // TODO(shess): What about older kernels?
+  // TODO(shess): Insanity much?
+  return syscall(SYS_change_fdguard_np, fd, guard, guardflags,
+                 nguard, nguardflags, fdflagsp);
+}
+
+// Attempt to set a file-descriptor guard on |fd|.  In case of success, remove
+// it and return |true| to indicate that it is now unguarded.  Returning |false|
+// means either that |fd| is guarded, or more likely EBADF.
+//
+// Starting with 10.9, libdispatch began setting GUARD_DUP on a file descriptor.
+// Unfortunately, it is spun up as part of +[NSApplication initialize], which is
+// not really something that Chromium can avoid using on OSX.  See
+// <http://crbug.com/338157>.  This function allows querying whether the file
+// descriptor is guarded before attempting to close it.
+bool is_fd_unguarded(int fd) {

[Mark Mentovai, 2014/07/25 13:23:43]

Naming.

[Scott Hess - ex-Googler, 2014/07/28 19:58:03]

Done.

I also changed my_guard_fdguard_np -> guard_fdguard_np because it really doesn't
need a real namespace _and_ namespace-by-convention.

+  // The syscall is first provided in 10.9/Mavericks.
+  if (!base::mac::IsOSMavericksOrLater())
+    return true;
+
+  // Saves the original flags to reset later.
+  int original_fdflags = 0;

[Mark Mentovai, 2014/07/25 13:23:43]

The kernel calls these unsigned ints, might as well do the same.

[Scott Hess - ex-Googler, 2014/07/28 19:58:03]

The guard flags are unsigned, but the fdflags are signed:

extern int change_fdguard_np(int fd, const guardid_t *guard, u_int guardflags,
	const guardid_t *nguard, u_int nguardflags, int *fdflagsp);

+
+  // This can be any value at all, it just has to match up between the two
+  // calls.
+  const guardid_t kGuard = 15;
+
+  // Attempt to change the guard.  This can fail with EBADF if the file
+  // descriptor is bad, or EINVAL if the fd already has a guard set.
+  int ret = HANDLE_EINTR(my_change_fdguard_np(

[Mark Mentovai, 2014/07/25 13:23:43]

I don’t think HANDLE_EINTR is really needed around the guard operations.

[Scott Hess - ex-Googler, 2014/07/28 19:58:03]

Done.

+      fd, NULL, 0, &kGuard, GUARD_DUP, &original_fdflags));
+  if (ret == -1)
+    return false;
+
+  // Remove the guard.  It should not be possible to fail in removing the guard
+  // just added.
+  ret = HANDLE_EINTR(my_change_fdguard_np(
+      fd, &kGuard, GUARD_DUP, NULL, 0, &original_fdflags));
+  DPCHECK(ret == 0);
+
+  return true;
+}
+#endif  // OS_MACOSX
+
 }  // namespace
 
 MULTIPROCESS_TEST_MAIN(ProcessUtilsLeakFDChildProcess) {
   // This child process counts the number of open FDs, it then writes that
   // number out to a pipe connected to the parent.
   int num_open_files = 0;
   int write_pipe = kChildPipe;
   int max_files = GetMaxFilesOpenInProcess();
   for (int i = STDERR_FILENO + 1; i < max_files; i++) {
+#if defined(OS_MACOSX)
+    // Ignore guarded file descriptors.
+    if (!is_fd_unguarded(i))

[Mark Mentovai, 2014/07/25 13:23:43]

This is kind of a double negative, and considering that this is the only place
the function is called, it makes sense to negate the name itself.

[Scott Hess - ex-Googler, 2014/07/28 19:58:03]

Changed to CanGuardFd().  The reason for this sense of test is because if an
undocumented syscall fails, it's unclear whether a strong assertion can be made
to the specific reasons for the failure, so I want to act on the positive case
only.

I could rewrite the test below to account for this case, since EBADF is already
handled, but leaving the cross-platform code alone seems better.

+      continue;
+#endif
+
     if (i != kChildPipe) {
       int fd;
       if ((fd = HANDLE_EINTR(dup(i))) != -1) {
         close(fd);
         num_open_files += 1;
       }
     }
   }
 
   int written = HANDLE_EINTR(write(write_pipe, &num_open_files,
@@ skipping 384 matching lines @@
   // Check that process was really killed.
   EXPECT_TRUE(IsProcessDead(child_process));
   base::CloseProcessHandle(child_process);
 }
 
 MULTIPROCESS_TEST_MAIN(process_util_test_die_immediately) {
   return 0;
 }
 
 #endif  // defined(OS_POSIX)