close(fd[1]);
}
-#ifndef GIT_WINDOWS_NATIVE
-static inline void dup_devnull(int to)
+int is_executable(const char *name)
{
- int fd = open("/dev/null", O_RDWR);
- if (fd < 0)
- die_errno(_("open /dev/null failed"));
- if (dup2(fd, to) < 0)
- die_errno(_("dup2(%d,%d) failed"), fd, to);
- close(fd);
+ struct stat st;
+
+ if (stat(name, &st) || /* stat, not lstat */
+ !S_ISREG(st.st_mode))
+ return 0;
+
+#if defined(GIT_WINDOWS_NATIVE)
+ /*
+ * On Windows there is no executable bit. The file extension
+ * indicates whether it can be run as an executable, and Git
+ * has special-handling to detect scripts and launch them
+ * through the indicated script interpreter. We test for the
+ * file extension first because virus scanners may make
+ * it quite expensive to open many files.
+ */
+ if (ends_with(name, ".exe"))
+ return S_IXUSR;
+
+{
+ /*
+ * Now that we know it does not have an executable extension,
+ * peek into the file instead.
+ */
+ char buf[3] = { 0 };
+ int n;
+ int fd = open(name, O_RDONLY);
+ st.st_mode &= ~S_IXUSR;
+ if (fd >= 0) {
+ n = read(fd, buf, 2);
+ if (n == 2)
+ /* look for a she-bang */
+ if (!strcmp(buf, "#!"))
+ st.st_mode |= S_IXUSR;
+ close(fd);
+ }
}
#endif
+ return st.st_mode & S_IXUSR;
+}
+/*
+ * Search $PATH for a command. This emulates the path search that
+ * execvp would perform, without actually executing the command so it
+ * can be used before fork() to prepare to run a command using
+ * execve() or after execvp() to diagnose why it failed.
+ *
+ * The caller should ensure that file contains no directory
+ * separators.
+ *
+ * Returns the path to the command, as found in $PATH or NULL if the
+ * command could not be found. The caller inherits ownership of the memory
+ * used to store the resultant path.
+ *
+ * This should not be used on Windows, where the $PATH search rules
+ * are more complicated (e.g., a search for "foo" should find
+ * "foo.exe").
+ */
static char *locate_in_PATH(const char *file)
{
const char *p = getenv("PATH");
}
strbuf_addstr(&buf, file);
- if (!access(buf.buf, F_OK))
+ if (is_executable(buf.buf))
return strbuf_detach(&buf, NULL);
if (!*end)
#ifndef GIT_WINDOWS_NATIVE
static int child_notifier = -1;
-static void notify_parent(void)
+enum child_errcode {
+ CHILD_ERR_CHDIR,
+ CHILD_ERR_DUP2,
+ CHILD_ERR_CLOSE,
+ CHILD_ERR_SIGPROCMASK,
+ CHILD_ERR_ENOENT,
+ CHILD_ERR_SILENT,
+ CHILD_ERR_ERRNO
+};
+
+struct child_err {
+ enum child_errcode err;
+ int syserr; /* errno */
+};
+
+static void child_die(enum child_errcode err)
{
- /*
- * execvp failed. If possible, we'd like to let start_command
- * know, so failures like ENOENT can be handled right away; but
- * otherwise, finish_command will still report the error.
- */
- xwrite(child_notifier, "", 1);
+ struct child_err buf;
+
+ buf.err = err;
+ buf.syserr = errno;
+
+ /* write(2) on buf smaller than PIPE_BUF (min 512) is atomic: */
+ xwrite(child_notifier, &buf, sizeof(buf));
+ _exit(1);
+}
+
+static void child_dup2(int fd, int to)
+{
+ if (dup2(fd, to) < 0)
+ child_die(CHILD_ERR_DUP2);
+}
+
+static void child_close(int fd)
+{
+ if (close(fd))
+ child_die(CHILD_ERR_CLOSE);
+}
+
+static void child_close_pair(int fd[2])
+{
+ child_close(fd[0]);
+ child_close(fd[1]);
+}
+
+/*
+ * parent will make it look like the child spewed a fatal error and died
+ * this is needed to prevent changes to t0061.
+ */
+static void fake_fatal(const char *err, va_list params)
+{
+ vreportf("fatal: ", err, params);
+}
+
+static void child_error_fn(const char *err, va_list params)
+{
+ const char msg[] = "error() should not be called in child\n";
+ xwrite(2, msg, sizeof(msg) - 1);
+}
+
+static void child_warn_fn(const char *err, va_list params)
+{
+ const char msg[] = "warn() should not be called in child\n";
+ xwrite(2, msg, sizeof(msg) - 1);
+}
+
+static void NORETURN child_die_fn(const char *err, va_list params)
+{
+ const char msg[] = "die() should not be called in child\n";
+ xwrite(2, msg, sizeof(msg) - 1);
+ _exit(2);
+}
+
+/* this runs in the parent process */
+static void child_err_spew(struct child_process *cmd, struct child_err *cerr)
+{
+ static void (*old_errfn)(const char *err, va_list params);
+
+ old_errfn = get_error_routine();
+ set_error_routine(fake_fatal);
+ errno = cerr->syserr;
+
+ switch (cerr->err) {
+ case CHILD_ERR_CHDIR:
+ error_errno("exec '%s': cd to '%s' failed",
+ cmd->argv[0], cmd->dir);
+ break;
+ case CHILD_ERR_DUP2:
+ error_errno("dup2() in child failed");
+ break;
+ case CHILD_ERR_CLOSE:
+ error_errno("close() in child failed");
+ break;
+ case CHILD_ERR_SIGPROCMASK:
+ error_errno("sigprocmask failed restoring signals");
+ break;
+ case CHILD_ERR_ENOENT:
+ error_errno("cannot run %s", cmd->argv[0]);
+ break;
+ case CHILD_ERR_SILENT:
+ break;
+ case CHILD_ERR_ERRNO:
+ error_errno("cannot exec '%s'", cmd->argv[0]);
+ break;
+ }
+ set_error_routine(old_errfn);
}
static void prepare_cmd(struct argv_array *out, const struct child_process *cmd)
strbuf_release(&key);
return childenv;
}
+
+struct atfork_state {
+#ifndef NO_PTHREADS
+ int cs;
+#endif
+ sigset_t old;
+};
+
+#ifndef NO_PTHREADS
+static void bug_die(int err, const char *msg)
+{
+ if (err) {
+ errno = err;
+ die_errno("BUG: %s", msg);
+ }
+}
+#endif
+
+static void atfork_prepare(struct atfork_state *as)
+{
+ sigset_t all;
+
+ if (sigfillset(&all))
+ die_errno("sigfillset");
+#ifdef NO_PTHREADS
+ if (sigprocmask(SIG_SETMASK, &all, &as->old))
+ die_errno("sigprocmask");
+#else
+ bug_die(pthread_sigmask(SIG_SETMASK, &all, &as->old),
+ "blocking all signals");
+ bug_die(pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, &as->cs),
+ "disabling cancellation");
+#endif
+}
+
+static void atfork_parent(struct atfork_state *as)
+{
+#ifdef NO_PTHREADS
+ if (sigprocmask(SIG_SETMASK, &as->old, NULL))
+ die_errno("sigprocmask");
+#else
+ bug_die(pthread_setcancelstate(as->cs, NULL),
+ "re-enabling cancellation");
+ bug_die(pthread_sigmask(SIG_SETMASK, &as->old, NULL),
+ "restoring signal mask");
#endif
+}
+#endif /* GIT_WINDOWS_NATIVE */
static inline void set_cloexec(int fd)
{
code += 128;
} else if (WIFEXITED(status)) {
code = WEXITSTATUS(status);
- /*
- * Convert special exit code when execvp failed.
- */
- if (code == 127) {
- code = -1;
- failed_errno = ENOENT;
- }
} else {
error("waitpid is confused (%s)", argv0);
}
#ifndef GIT_WINDOWS_NATIVE
{
int notify_pipe[2];
+ int null_fd = -1;
char **childenv;
struct argv_array argv = ARGV_ARRAY_INIT;
+ struct child_err cerr;
+ struct atfork_state as;
if (pipe(notify_pipe))
notify_pipe[0] = notify_pipe[1] = -1;
+ if (cmd->no_stdin || cmd->no_stdout || cmd->no_stderr) {
+ null_fd = open("/dev/null", O_RDWR | O_CLOEXEC);
+ if (null_fd < 0)
+ die_errno(_("open /dev/null failed"));
+ set_cloexec(null_fd);
+ }
+
prepare_cmd(&argv, cmd);
childenv = prep_childenv(cmd->env);
+ atfork_prepare(&as);
+ /*
+ * NOTE: In order to prevent deadlocking when using threads special
+ * care should be taken with the function calls made in between the
+ * fork() and exec() calls. No calls should be made to functions which
+ * require acquiring a lock (e.g. malloc) as the lock could have been
+ * held by another thread at the time of forking, causing the lock to
+ * never be released in the child process. This means only
+ * Async-Signal-Safe functions are permitted in the child.
+ */
cmd->pid = fork();
failed_errno = errno;
if (!cmd->pid) {
+ int sig;
/*
- * Redirect the channel to write syscall error messages to
- * before redirecting the process's stderr so that all die()
- * in subsequent call paths use the parent's stderr.
+ * Ensure the default die/error/warn routines do not get
+ * called, they can take stdio locks and malloc.
*/
- if (cmd->no_stderr || need_err) {
- int child_err = dup(2);
- set_cloexec(child_err);
- set_error_handle(fdopen(child_err, "w"));
- }
+ set_die_routine(child_die_fn);
+ set_error_routine(child_error_fn);
+ set_warn_routine(child_warn_fn);
close(notify_pipe[0]);
set_cloexec(notify_pipe[1]);
child_notifier = notify_pipe[1];
- atexit(notify_parent);
if (cmd->no_stdin)
- dup_devnull(0);
+ child_dup2(null_fd, 0);
else if (need_in) {
- dup2(fdin[0], 0);
- close_pair(fdin);
+ child_dup2(fdin[0], 0);
+ child_close_pair(fdin);
} else if (cmd->in) {
- dup2(cmd->in, 0);
- close(cmd->in);
+ child_dup2(cmd->in, 0);
+ child_close(cmd->in);
}
if (cmd->no_stderr)
- dup_devnull(2);
+ child_dup2(null_fd, 2);
else if (need_err) {
- dup2(fderr[1], 2);
- close_pair(fderr);
+ child_dup2(fderr[1], 2);
+ child_close_pair(fderr);
} else if (cmd->err > 1) {
- dup2(cmd->err, 2);
- close(cmd->err);
+ child_dup2(cmd->err, 2);
+ child_close(cmd->err);
}
if (cmd->no_stdout)
- dup_devnull(1);
+ child_dup2(null_fd, 1);
else if (cmd->stdout_to_stderr)
- dup2(2, 1);
+ child_dup2(2, 1);
else if (need_out) {
- dup2(fdout[1], 1);
- close_pair(fdout);
+ child_dup2(fdout[1], 1);
+ child_close_pair(fdout);
} else if (cmd->out > 1) {
- dup2(cmd->out, 1);
- close(cmd->out);
+ child_dup2(cmd->out, 1);
+ child_close(cmd->out);
}
if (cmd->dir && chdir(cmd->dir))
- die_errno("exec '%s': cd to '%s' failed", cmd->argv[0],
- cmd->dir);
+ child_die(CHILD_ERR_CHDIR);
+
+ /*
+ * restore default signal handlers here, in case
+ * we catch a signal right before execve below
+ */
+ for (sig = 1; sig < NSIG; sig++) {
+ /* ignored signals get reset to SIG_DFL on execve */
+ if (signal(sig, SIG_DFL) == SIG_IGN)
+ signal(sig, SIG_IGN);
+ }
+
+ if (sigprocmask(SIG_SETMASK, &as.old, NULL) != 0)
+ child_die(CHILD_ERR_SIGPROCMASK);
/*
* Attempt to exec using the command and arguments starting at
(char *const *) childenv);
if (errno == ENOENT) {
- if (!cmd->silent_exec_failure)
- error("cannot run %s: %s", cmd->argv[0],
- strerror(ENOENT));
- exit(127);
+ if (cmd->silent_exec_failure)
+ child_die(CHILD_ERR_SILENT);
+ child_die(CHILD_ERR_ENOENT);
} else {
- die_errno("cannot exec '%s'", cmd->argv[0]);
+ child_die(CHILD_ERR_ERRNO);
}
}
+ atfork_parent(&as);
if (cmd->pid < 0)
error_errno("cannot fork() for %s", cmd->argv[0]);
else if (cmd->clean_on_exit)
/*
* Wait for child's exec. If the exec succeeds (or if fork()
* failed), EOF is seen immediately by the parent. Otherwise, the
- * child process sends a single byte.
+ * child process sends a child_err struct.
* Note that use of this infrastructure is completely advisory,
* therefore, we keep error checks minimal.
*/
close(notify_pipe[1]);
- if (read(notify_pipe[0], ¬ify_pipe[1], 1) == 1) {
+ if (xread(notify_pipe[0], &cerr, sizeof(cerr)) == sizeof(cerr)) {
/*
* At this point we know that fork() succeeded, but exec()
* failed. Errors have been reported to our stderr.
*/
wait_or_whine(cmd->pid, cmd->argv[0], 0);
+ child_err_spew(cmd, &cerr);
failed_errno = errno;
cmd->pid = -1;
}
close(notify_pipe[0]);
+ if (null_fd >= 0)
+ close(null_fd);
argv_array_clear(&argv);
free(childenv);
}