Block signals while forking so they aren't run in the child process.

base/process/launch_posix.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "base/process/launch.h"
 
 #include <dirent.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <signal.h>
@@ skipping 59 matching lines @@
 // Set the process's "environment" (i.e. the thing that setenv/getenv
 // work with).
 void SetEnvironment(char** env) {
 #if defined(OS_MACOSX)
   *_NSGetEnviron() = env;
 #else
   environ = env;
 #endif
 }
 
+// Set the calling thread's signal mask to *new_set, and set *old_set
+// to the previous signal mask.  Returns true if successful.
+bool SetSignalMask(const sigset_t *new_set, sigset_t *old_set) {
+  int error;
+#if defined(OS_ANDROID)
+  // POSIX says pthread_sigmask() must be used in multi-threaded processes,
+  // but Android's pthread_sigmask() was broken until 4.1:
+  // https://code.google.com/p/android/issues/detail?id=15337
+  // http://stackoverflow.com/questions/13777109/pthread-sigmask-on-android-not-working
+  error = sigprocmask(SIG_SETMASK, new_set, old_set);
+#else
+  error = pthread_sigmask(SIG_SETMASK, new_set, old_set);
+  if (error != 0) {
+    errno = error;
+  }
+#endif
+  if (error != 0) {
+    DPLOG(ERROR) << "SetSignalMask failed";
+    return false;
+  }
+  return true;
+}
+
 #if !defined(OS_LINUX) || \
     (!defined(__i386__) && !defined(__x86_64__) && !defined(__arm__))
 void ResetChildSignalHandlersToDefaults() {
   // The previous signal handlers are likely to be meaningless in the child's
   // context so we reset them to the defaults for now. http://crbug.com/44953
   // These signal handlers are set up at least in browser_main_posix.cc:
   // BrowserMainPartsPosix::PreEarlyInitialization and stack_trace_posix.cc:
   // EnableInProcessStackDumping.
   signal(SIGHUP, SIG_DFL);
   signal(SIGINT, SIG_DFL);
@@ skipping 297 matching lines @@
   InjectiveMultimap fd_shuffle1;
   InjectiveMultimap fd_shuffle2;
   fd_shuffle1.reserve(fd_shuffle_size);
   fd_shuffle2.reserve(fd_shuffle_size);
 
   scoped_ptr<char*[]> argv_cstr(new char*[argv.size() + 1]);
   scoped_ptr<char*[]> new_environ;
   if (options.environ)
     new_environ.reset(AlterEnvironment(*options.environ, GetEnvironment()));
 
+  sigset_t full_sigset;
+  sigfillset(&full_sigset);
+  sigset_t old_sigset;
+  if (!SetSignalMask(&full_sigset, &old_sigset)) {
+    return false;
+  }
+
   pid_t pid;
 #if defined(OS_LINUX)
   if (options.clone_flags) {
+    CHECK_EQ(0, options.clone_flags & (CLONE_THREAD | CLONE_VM));

[jln (very slow on Chromium), 2013/08/02 05:28:47]

RAW_CHECK

[mdempsky_google, 2013/08/02 18:45:00]

Done.

     pid = syscall(__NR_clone, options.clone_flags, 0, 0, 0);
   } else
 #endif
   {
     pid = fork();
   }
 

[jln (very slow on Chromium), 2013/08/02 05:28:47]

// Always restore the signal mask in the parent.

[mdempsky_google, 2013/08/02 18:45:00]

Done.

+  if (pid != 0) {
+    if (!SetSignalMask(&old_sigset, NULL)) {
+      NOTREACHED();

[jln (very slow on Chromium), 2013/08/02 05:28:47]

RAW_CHECK

[mdempsky_google, 2013/08/02 16:12:51]

Is RAW_CHECK(x) guaranteed to always evaluate x?  Should I put this as

    RAW_CHECK(SetSignalMask(&old_sigset, NULL));

or like

    bool mask_restored = SetSignalMask(&old_sigset, NULL);
    RAW_CHECK(mask_restored);

or something else?

[mdempsky_google, 2013/08/02 18:45:00]

I moved the RAW_CHECK()s directly into SetSignalMask(), so the API is slightly
simpler now.

+    }
+  }
+
   if (pid < 0) {
     DPLOG(ERROR) << "fork";
     return false;
   } else if (pid == 0) {
     // Child process
 
     // DANGER: fork() rule: in the child, if you don't end up doing exec*(),
     // you call _exit() instead of exit(). This is because _exit() does not
     // call any previously-registered (in the parent) exit handlers, which
     // might do things like block waiting for threads that don't even exist
@@ skipping 24 matching lines @@
       }
     }
 
     // Stop type-profiler.
     // The profiler should be stopped between fork and exec since it inserts
     // locks at new/delete expressions.  See http://crbug.com/36678.
     base::type_profiler::Controller::Stop();
 
     if (options.maximize_rlimits) {
       // Some resource limits need to be maximal in this child.
       std::set<int>::const_iterator resource;

[jln (very slow on Chromium), 2013/08/02 05:28:47]

This could clearly allocate memory :(

crbug.com/267342

[mdempsky_google, 2013/08/02 16:12:51]

Iterating over a set can allocate memory?

       for (resource = options.maximize_rlimits->begin();
            resource != options.maximize_rlimits->end();
            ++resource) {
         struct rlimit limit;
         if (getrlimit(*resource, &limit) < 0) {
           RAW_LOG(WARNING, "getrlimit failed");
         } else if (limit.rlim_cur < limit.rlim_max) {
           limit.rlim_cur = limit.rlim_max;
           if (setrlimit(*resource, &limit) < 0) {
             RAW_LOG(WARNING, "setrlimit failed");
           }
         }
       }
     }
 
 #if defined(OS_MACOSX)
     RestoreDefaultExceptionHandler();
 #endif  // defined(OS_MACOSX)
 
     ResetChildSignalHandlersToDefaults();
+    if (!SetSignalMask(&old_sigset, NULL)) {
+      NOTREACHED();

[jln (very slow on Chromium), 2013/08/02 05:28:47]

RAW_CHECK

+    }
 
 #if 0
     // When debugging it can be helpful to check that we really aren't making

[jln (very slow on Chromium), 2013/08/02 05:28:47]

I guess this was intended right after the fork() but has regressed.

     // any hidden calls to malloc.
     void *malloc_thunk =
         reinterpret_cast<void*>(reinterpret_cast<intptr_t>(malloc) & ~4095);
     mprotect(malloc_thunk, 4096, PROT_READ | PROT_WRITE | PROT_EXEC);
     memset(reinterpret_cast<void*>(malloc), 0xff, 8);
 #endif  // 0
 
     // DANGER: no calls to malloc are allowed from now on:
     // http://crbug.com/36678
 
 #if defined(OS_CHROMEOS)
     if (options.ctrl_terminal_fd >= 0) {
       // Set process' controlling terminal.
       if (HANDLE_EINTR(setsid()) != -1) {
         if (HANDLE_EINTR(
                 ioctl(options.ctrl_terminal_fd, TIOCSCTTY, NULL)) == -1) {
           RAW_LOG(WARNING, "ioctl(TIOCSCTTY), ctrl terminal not set");
         }
       } else {
         RAW_LOG(WARNING, "setsid failed, ctrl terminal not set");
       }
     }
 #endif  // defined(OS_CHROMEOS)
 
     if (options.fds_to_remap) {
       for (FileHandleMappingVector::const_iterator

[jln (very slow on Chromium), 2013/08/02 05:28:47]

Again, this can clearly allocate.

                it = options.fds_to_remap->begin();
            it != options.fds_to_remap->end(); ++it) {
         fd_shuffle1.push_back(InjectionArc(it->first, it->second, false));
         fd_shuffle2.push_back(InjectionArc(it->first, it->second, false));
       }
     }
 
     if (options.environ)
       SetEnvironment(new_environ.get());
 
@@ skipping 209 matching lines @@
                               std::string* output,
                               int* exit_code) {
   // Run |execve()| with the current environment and store "unlimited" data.
   GetAppOutputInternalResult result = GetAppOutputInternal(
       cl.argv(), NULL, output, std::numeric_limits<std::size_t>::max(), true,
       exit_code);
   return result == EXECUTE_SUCCESS;
 }
 
 }  // namespace base