process_watcher_posix_sigchld.cc

Enable keyboard shortcuts

/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */

/* vim: set ts=8 sts=2 et sw=2 tw=80: */

/* This Source Code Form is subject to the terms of the Mozilla Public

 * License, v. 2.0. If a copy of the MPL was not distributed with this

 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#include <errno.h>

#include <signal.h>

#include <sys/types.h>

#include <sys/wait.h>

#include <unistd.h>

#include <time.h>

#include "base/eintr_wrapper.h"

#include "base/message_loop.h"

#include "base/process_util.h"

#include "prenv.h"

#include "chrome/common/process_watcher.h"

// Maximum amount of time (in milliseconds) to wait for the process to exit.

// XXX/cjones: fairly arbitrary, chosen to match process_watcher_win.cc

static constexpr int kMaxWaitMs = 2000;

// This is also somewhat arbitrary, but loosely based on Try results.

// See also toolkit.asyncshutdown.crash_timeout (currently 60s) after

// which the parent process will be killed.

#ifdef MOZ_CODE_COVERAGE

// Code coverage instrumentation can be slow (especially when writing

// out data, which has to take a lock on the data files).

static constexpr int kShutdownWaitMs = 80000;

#elif defined(MOZ_ASAN) || defined(MOZ_TSAN)

// Sanitizers slow things down in some cases; see bug 1806224.

static constexpr int kShutdownWaitMs = 40000;

#else

static constexpr int kShutdownWaitMs = 8000;

#endif

namespace {

class ChildReaper : public base::MessagePumpLibevent::SignalEvent,

                    public base::MessagePumpLibevent::SignalWatcher {

 public:

  explicit ChildReaper(pid_t process) : process_(process) {}

  virtual ~ChildReaper() {

    // subclasses should have cleaned up |process_| already

    DCHECK(!process_);

    // StopCatching() is implicit

  virtual void OnSignal(int sig) override {

    DCHECK(SIGCHLD == sig);

    DCHECK(process_);

    // this may be the SIGCHLD for a process other than |process_|

    if (base::IsProcessDead(process_)) {

      process_ = 0;

      StopCatching();

 protected:

  void WaitForChildExit() {

    CHECK(process_);

    while (!base::IsProcessDead(process_, true)) {

      // It doesn't matter if this is interrupted; we just need to

      // wait for some amount of time while the other process status

      // event is (hopefully) handled.  This is used only during an

      // error case at shutdown, so a 1s wait won't be too noticeable.

      sleep(1);

  pid_t process_;

 private:

  ChildReaper(const ChildReaper&) = delete;

  const ChildReaper& operator=(const ChildReaper&) = delete;

};

// Fear the reaper

class ChildGrimReaper : public ChildReaper, public mozilla::Runnable {

 public:

  explicit ChildGrimReaper(pid_t process)

      : ChildReaper(process), mozilla::Runnable("ChildGrimReaper") {}

  virtual ~ChildGrimReaper() {

    if (process_) KillProcess();

  NS_IMETHOD Run() override {

    // we may have already been signaled by the time this runs

    if (process_) KillProcess();

    return NS_OK;

 private:

  void KillProcess() {

    DCHECK(process_);

    if (base::IsProcessDead(process_)) {

      process_ = 0;

      return;

    if (0 == kill(process_, SIGKILL)) {

      // XXX this will block for whatever amount of time it takes the

      // XXX OS to tear down the process's resources.  might need to

      // XXX rethink this if it proves expensive

      WaitForChildExit();

    } else {

      CHROMIUM_LOG(ERROR) << "Failed to deliver SIGKILL to " << process_ << "!"

                          << "(" << errno << ").";

    process_ = 0;

  ChildGrimReaper(const ChildGrimReaper&) = delete;

  const ChildGrimReaper& operator=(const ChildGrimReaper&) = delete;

};

class ChildLaxReaper : public ChildReaper,

                       public MessageLoop::DestructionObserver {

 public:

  explicit ChildLaxReaper(pid_t process) : ChildReaper(process) {}

  virtual ~ChildLaxReaper() {

    // WillDestroyCurrentMessageLoop() should have reaped process_ already

    DCHECK(!process_);

  virtual void OnSignal(int sig) override {

    ChildReaper::OnSignal(sig);

    if (!process_) {

      MessageLoop::current()->RemoveDestructionObserver(this);

      delete this;

  virtual void WillDestroyCurrentMessageLoop() override {

    DCHECK(process_);

    if (!process_) {

      return;

    // Exception for the fake hang tests in ipc/glue/test/browser

    if (!PR_GetEnv("MOZ_TEST_CHILD_EXIT_HANG")) {

      CrashProcessIfHanging();

    if (process_) {

      WaitForChildExit();

      process_ = 0;

    // XXX don't think this is necessary, since destruction can only

    // be observed once, but can't hurt

    MessageLoop::current()->RemoveDestructionObserver(this);

    delete this;

 private:

  ChildLaxReaper(const ChildLaxReaper&) = delete;

  void CrashProcessIfHanging() {

    if (base::IsProcessDead(process_)) {

      process_ = 0;

      return;

    // If child processes seems to be hanging on shutdown, wait for a

    // reasonable time.  The wait is global instead of per-process

    // because the child processes should be shutting down in

    // parallel, and also we're potentially racing global timeouts

    // like nsTerminator.  (The counter doesn't need to be atomic;

    // this is always called on the I/O thread.)

    static int sWaitMs = kShutdownWaitMs;

    if (sWaitMs > 0) {

      CHROMIUM_LOG(WARNING)

          << "Process " << process_

          << " may be hanging at shutdown; will wait for up to " << sWaitMs

          << "ms";

    // There isn't a way to do a time-limited wait that's both

    // portable and doesn't require messing with signals.  Instead, we

    // sleep in short increments and poll the process status.

    while (sWaitMs > 0) {

      static constexpr int kWaitTickMs = 200;

      struct timespec ts = {kWaitTickMs / 1000, (kWaitTickMs % 1000) * 1000000};

      HANDLE_EINTR(nanosleep(&ts, &ts));

      sWaitMs -= kWaitTickMs;

      if (base::IsProcessDead(process_)) {

        process_ = 0;

        return;

    // We want TreeHerder to flag this log line as an error, so that

    // this is more obviously a deliberate crash; "fatal error" is one

    // of the strings it looks for.

    CHROMIUM_LOG(ERROR)

        << "Process " << process_

        << " hanging at shutdown; attempting crash report (fatal error).";

    kill(process_, SIGABRT);

  const ChildLaxReaper& operator=(const ChildLaxReaper&) = delete;

};

}  // namespace

/**

 * Do everything possible to ensure that |process| has been reaped

 * before this process exits.

 * |grim| decides how strict to be with the child's shutdown.

 *                | child exit timeout | upon parent shutdown:

 *                +--------------------+----------------------------------

 *   force=true   | 2 seconds          | kill(child, SIGKILL)

 *   force=false  | infinite           | waitpid(child)

 * If a child process doesn't shut down properly, and |grim=false|

 * used, then the parent will wait on the child forever.  So,

 * |force=false| is expected to be used when an external entity can be

 * responsible for terminating hung processes, e.g. automated test

 * harnesses.

*/

void ProcessWatcher::EnsureProcessTerminated(base::ProcessHandle process,

                                             bool force) {

  DCHECK(process != base::GetCurrentProcId());

  DCHECK(process > 0);

  if (base::IsProcessDead(process)) return;

  MessageLoopForIO* loop = MessageLoopForIO::current();

  if (force) {

    RefPtr<ChildGrimReaper> reaper = new ChildGrimReaper(process);

    loop->CatchSignal(SIGCHLD, reaper, reaper);

    // |loop| takes ownership of |reaper|

    loop->PostDelayedTask(reaper.forget(), kMaxWaitMs);

  } else {

    ChildLaxReaper* reaper = new ChildLaxReaper(process);

    loop->CatchSignal(SIGCHLD, reaper, reaper);

    // |reaper| destroys itself after destruction notification

    loop->AddDestructionObserver(reaper);