xref: /aosp_15_r20/external/cronet/base/process/kill_mac.cc (revision 6777b5387eb2ff775bb5750e3f5d96f37fb7352b) 
1 // Copyright 2013 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #include "base/process/kill.h"
6 
7 #include <errno.h>
8 #include <signal.h>
9 #include <sys/event.h>
10 #include <sys/types.h>
11 #include <sys/wait.h>
12 
13 #include "base/files/file_util.h"
14 #include "base/files/scoped_file.h"
15 #include "base/logging.h"
16 #include "base/posix/eintr_wrapper.h"
17 
18 namespace base {
19 
20 namespace {
21 
22 // Reap |child| process. This call blocks until completion.
BlockingReap(pid_t child)23 void BlockingReap(pid_t child) {
24   const pid_t result = HANDLE_EINTR(waitpid(child, NULL, 0));
25   if (result == -1) {
26     DPLOG(ERROR) << "waitpid(" << child << ", NULL, 0)";
27   }
28 }
29 
30 }  // namespace
31 
32 // Waits for |timeout| seconds for the given |child| to exit and reap it. If
33 // the child doesn't exit within the time specified, kills it.
34 //
35 // This function takes two approaches: first, it tries to use kqueue to
36 // observe when the process exits. kevent can monitor a kqueue with a
37 // timeout, so this method is preferred to wait for a specified period of
38 // time. Once the kqueue indicates the process has exited, waitpid will reap
39 // the exited child. If the kqueue doesn't provide an exit event notification,
40 // before the timeout expires, or if the kqueue fails or misbehaves, the
41 // process will be mercilessly killed and reaped.
42 //
43 // A child process passed to this function may be in one of several states:
44 // running, terminated and not yet reaped, and (apparently, and unfortunately)
45 // terminated and already reaped. Normally, a process will at least have been
46 // asked to exit before this function is called, but this is not required.
47 // If a process is terminating and unreaped, there may be a window between the
48 // time that kqueue will no longer recognize it and when it becomes an actual
49 // zombie that a non-blocking (WNOHANG) waitpid can reap. This condition is
50 // detected when kqueue indicates that the process is not running and a
51 // non-blocking waitpid fails to reap the process but indicates that it is
52 // still running. In this event, a blocking attempt to reap the process
53 // collects the known-dying child, preventing zombies from congregating.
54 //
55 // In the event that the kqueue misbehaves entirely, as it might under a
56 // EMFILE condition ("too many open files", or out of file descriptors), this
57 // function will forcibly kill and reap the child without delay. This
58 // eliminates another potential zombie vector. (If you're out of file
59 // descriptors, you're probably deep into something else, but that doesn't
60 // mean that zombies be allowed to kick you while you're down.)
61 //
62 // The fact that this function seemingly can be called to wait on a child
63 // that's not only already terminated but already reaped is a bit of a
64 // problem: a reaped child's pid can be reclaimed and may refer to a distinct
65 // process in that case. The fact that this function can seemingly be called
66 // to wait on a process that's not even a child is also a problem: kqueue will
67 // work in that case, but waitpid won't, and killing a non-child might not be
68 // the best approach.
WaitForChildToDie(pid_t child,int timeout)69 void WaitForChildToDie(pid_t child, int timeout) {
70   DCHECK_GT(child, 0);
71   DCHECK_GT(timeout, 0);
72 
73   // DON'T ADD ANY EARLY RETURNS TO THIS FUNCTION without ensuring that
74   // |child| has been reaped. Specifically, even if a kqueue, kevent, or other
75   // call fails, this function should fall back to the last resort of trying
76   // to kill and reap the process. Not observing this rule will resurrect
77   // zombies.
78 
79   int result;
80 
81   ScopedFD kq(HANDLE_EINTR(kqueue()));
82   if (!kq.is_valid()) {
83     DPLOG(ERROR) << "kqueue()";
84   } else {
85     struct kevent change = {0};
86     EV_SET(&change, child, EVFILT_PROC, EV_ADD, NOTE_EXIT, 0, NULL);
87     result = HANDLE_EINTR(kevent(kq.get(), &change, 1, NULL, 0, NULL));
88 
89     if (result == -1) {
90       if (errno != ESRCH) {
91         DPLOG(ERROR) << "kevent (setup " << child << ")";
92       } else {
93         // At this point, one of the following has occurred:
94         // 1. The process has died but has not yet been reaped.
95         // 2. The process has died and has already been reaped.
96         // 3. The process is in the process of dying. It's no longer
97         //    kqueueable, but it may not be waitable yet either. Mark calls
98         //    this case the "zombie death race".
99 
100         result = HANDLE_EINTR(waitpid(child, NULL, WNOHANG));
101 
102         if (result != 0) {
103           // A positive result indicates case 1. waitpid succeeded and reaped
104           // the child. A result of -1 indicates case 2. The child has already
105           // been reaped. In both of these cases, no further action is
106           // necessary.
107           return;
108         }
109 
110         // |result| is 0, indicating case 3. The process will be waitable in
111         // short order. Fall back out of the kqueue code to kill it (for good
112         // measure) and reap it.
113       }
114     } else {
115       // Keep track of the elapsed time to be able to restart kevent if it's
116       // interrupted.
117       TimeDelta remaining_delta = Seconds(timeout);
118       TimeTicks deadline = TimeTicks::Now() + remaining_delta;
119       result = -1;
120       struct kevent event = {0};
121       while (remaining_delta.InMilliseconds() > 0) {
122         const struct timespec remaining_timespec = remaining_delta.ToTimeSpec();
123         result = kevent(kq.get(), NULL, 0, &event, 1, &remaining_timespec);
124         if (result == -1 && errno == EINTR) {
125           remaining_delta = deadline - TimeTicks::Now();
126           result = 0;
127         } else {
128           break;
129         }
130       }
131 
132       if (result == -1) {
133         DPLOG(ERROR) << "kevent (wait " << child << ")";
134       } else if (result > 1) {
135         DLOG(ERROR) << "kevent (wait " << child << "): unexpected result "
136                     << result;
137       } else if (result == 1) {
138         if ((event.fflags & NOTE_EXIT) &&
139             (event.ident == static_cast<uintptr_t>(child))) {
140           // The process is dead or dying. This won't block for long, if at
141           // all.
142           BlockingReap(child);
143           return;
144         } else {
145           DLOG(ERROR) << "kevent (wait " << child
146                       << "): unexpected event: fflags=" << event.fflags
147                       << ", ident=" << event.ident;
148         }
149       }
150     }
151   }
152 
153   // The child is still alive, or is very freshly dead. Be sure by sending it
154   // a signal. This is safe even if it's freshly dead, because it will be a
155   // zombie (or on the way to zombiedom) and kill will return 0 even if the
156   // signal is not delivered to a live process.
157   result = kill(child, SIGKILL);
158   if (result == -1) {
159     DPLOG(ERROR) << "kill(" << child << ", SIGKILL)";
160   } else {
161     // The child is definitely on the way out now. BlockingReap won't need to
162     // wait for long, if at all.
163     BlockingReap(child);
164   }
165 }
166 
167 #if !BUILDFLAG(IS_IOS)
EnsureProcessTerminated(Process process)168 void EnsureProcessTerminated(Process process) {
169   constexpr int kWaitBeforeKillSeconds = 2;
170   WaitForChildToDie(process.Pid(), kWaitBeforeKillSeconds);
171 }
172 #endif  // !BUILDFLAG(IS_IOS)
173 
174 }  // namespace base
175