Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

mark fork as unsafe #1047

Closed
wants to merge 2 commits into from
Closed

mark fork as unsafe #1047

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
07913ba
mark fork as unsafe
jorickert Apr 23, 2019
6494e6a
Make documentation for fork(2) a bit more clear
jorickert Apr 29, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 3 additions & 1 deletion CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -41,7 +41,9 @@ This project adheres to [Semantic Versioning](http://semver.org/).
([#1020](https://github.com/nix-rust/nix/pull/1020))
- Replaced `CmsgSpace` with the `cmsg_space` macro.
([#1020](https://github.com/nix-rust/nix/pull/1020))

- Marked `fork` as unsafe function
([#1047](https://github.com/nix-rust/nix/pull/1047))

### Fixed
- Fixed multiple bugs when using `sendmsg` and `recvmsg` with ancillary control messages
([#1020](https://github.com/nix-rust/nix/pull/1020))
Expand Down
26 changes: 18 additions & 8 deletions src/unistd.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -185,14 +185,19 @@ impl ForkResult {
/// Create a new child process duplicating the parent process ([see
/// fork(2)](http://pubs.opengroup.org/onlinepubs/9699919799/functions/fork.html)).
///
/// After calling the fork system call (successfully) two processes will
/// be created that are identical with the exception of their pid and the
/// return value of this function. As an example:
/// After calling the fork system call (successfully) a new process (child) will
/// be created that is a copy of the calling process (parent). If the parent process is
/// multithreaded, only the calling thread will be cloned.
/// The child process differs in a few aspects from the parent process, most notably the pid and the
/// return value of this function. For a list of all differences in the child and parent
/// see the [man page].
///
/// As an example:
///
/// ```no_run
/// use nix::unistd::{fork, ForkResult};
///
/// match fork() {
/// match unsafe {fork()} {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You should add a section to the docs describing how to use fork safely, like this:

/// # Safety
/// 
/// To use this function safely, you must do A, B, and C.

/// Ok(ForkResult::Parent { child, .. }) => {
/// println!("Continuing execution in parent process, new child has pid: {}", child);
/// }
Expand All @@ -210,21 +215,26 @@ impl ForkResult {
/// I'm a new child process
/// ```
///
///
/// # Safety
/// Make sure to read the [man page].
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I consider that RTFM goes without saying. You can remove this sentence.

/// Fork has some properties that can lead to unintended behavior.
/// Especially the handling of mutexes and open files can be tricky.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sentence fragment.

///
/// In a multithreaded program, only [async-signal-safe] functions like `pause`
/// and `_exit` may be called by the child (the parent isn't restricted). Note
/// that memory allocation may **not** be async-signal-safe and thus must be
/// and `_exit` are safe to call by the child until it calls `execve`(the parent isn't restricted).
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Technically, there are other functions that can take the place of execve, like fexecve. Better just to say "until it execs another program" or something like that.

/// Note that memory allocation may **not** be async-signal-safe and thus must be
/// prevented.
///
/// Those functions are only a small subset of your operating system's API, so
/// special care must be taken to only invoke code you can control and audit.
///
/// [async-signal-safe]: http://man7.org/linux/man-pages/man7/signal-safety.7.html
/// [man page]: http://man7.org/linux/man-pages/man2/fork.2.html
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For standardized functions, it's better to use the open group's man page: http://pubs.opengroup.org/onlinepubs/9699919799/functions/fork.html

#[inline]
pub fn fork() -> Result<ForkResult> {
pub unsafe fn fork() -> Result<ForkResult> {
use self::ForkResult::*;
let res = unsafe { libc::fork() };
let res = libc::fork();

Errno::result(res).map(|res| match res {
0 => Child,
Expand Down
2 changes: 1 addition & 1 deletion test/sys/test_ptrace.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -74,7 +74,7 @@ fn test_ptrace_cont() {
return;
}

match fork().expect("Error: Fork Failed") {
match unsafe {fork()}.expect("Error: Fork Failed") {
Child => {
ptrace::traceme().unwrap();
// As recommended by ptrace(2), raise SIGTRAP to pause the child
Expand Down
2 changes: 1 addition & 1 deletion test/sys/test_uio.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -207,7 +207,7 @@ fn test_process_vm_readv() {
let mut vector = vec![1u8, 2, 3, 4, 5];

let (r, w) = pipe().unwrap();
match fork().expect("Error: Fork Failed") {
match unsafe {fork()}.expect("Error: Fork Failed") {
Parent { child } => {
close(w).unwrap();
// wait for child
Expand Down
8 changes: 4 additions & 4 deletions test/sys/test_wait.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ fn test_wait_signal() {
let _ = ::FORK_MTX.lock().expect("Mutex got poisoned by another test");

// Safe: The child only calls `pause` and/or `_exit`, which are async-signal-safe.
match fork().expect("Error: Fork Failed") {
match unsafe {fork().expect("Error: Fork Failed")} {
Child => {
pause();
unsafe { _exit(123) }
Expand All @@ -27,7 +27,7 @@ fn test_wait_exit() {
let _m = ::FORK_MTX.lock().expect("Mutex got poisoned by another test");

// Safe: Child only calls `_exit`, which is async-signal-safe.
match fork().expect("Error: Fork Failed") {
match unsafe { fork()}.expect("Error: Fork Failed") {
Child => unsafe { _exit(12); },
Parent { child } => {
assert_eq!(waitpid(child, None), Ok(WaitStatus::Exited(child, 12)));
Expand All @@ -47,7 +47,7 @@ fn test_waitstatus_from_raw() {
fn test_waitstatus_pid() {
let _m = ::FORK_MTX.lock().expect("Mutex got poisoned by another test");

match fork().unwrap() {
match unsafe {fork()}.unwrap() {
Child => unsafe { _exit(0) },
Parent { child } => {
let status = waitpid(child, None).unwrap();
Expand Down Expand Up @@ -96,7 +96,7 @@ mod ptrace {
fn test_wait_ptrace() {
let _m = ::FORK_MTX.lock().expect("Mutex got poisoned by another test");

match fork().expect("Error: Fork Failed") {
match unsafe {fork()}.expect("Error: Fork Failed") {
Child => ptrace_child(),
Parent { child } => ptrace_parent(child),
}
Expand Down
6 changes: 3 additions & 3 deletions test/test_unistd.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@ fn test_fork_and_waitpid() {
let _m = ::FORK_MTX.lock().expect("Mutex got poisoned by another test");

// Safe: Child only calls `_exit`, which is signal-safe
match fork().expect("Error: Fork Failed") {
match unsafe {fork()}.expect("Error: Fork Failed") {
Child => unsafe { _exit(0) },
Parent { child } => {
// assert that child was created and pid > 0
Expand Down Expand Up @@ -47,7 +47,7 @@ fn test_wait() {
let _m = ::FORK_MTX.lock().expect("Mutex got poisoned by another test");

// Safe: Child only calls `_exit`, which is signal-safe
match fork().expect("Error: Fork Failed") {
match unsafe {fork()}.expect("Error: Fork Failed") {
Child => unsafe { _exit(0) },
Parent { child } => {
let wait_status = wait();
Expand Down Expand Up @@ -191,7 +191,7 @@ macro_rules! execve_test_factory(
// Safe: Child calls `exit`, `dup`, `close` and the provided `exec*` family function.
// NOTE: Technically, this makes the macro unsafe to use because you could pass anything.
// The tests make sure not to do that, though.
match fork().unwrap() {
match unsafe {fork()}.unwrap() {
Child => {
// Close stdout.
close(1).unwrap();
Expand Down