Nagram/TMessagesProj/jni/voip/webrtc/base/process/kill_mac.cc

// Copyright (c) 2013 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "base/process/kill.h"

#include <errno.h>
#include <signal.h>
#include <sys/event.h>
#include <sys/types.h>
#include <sys/wait.h>

#include "base/files/file_util.h"
#include "base/files/scoped_file.h"
#include "base/logging.h"
#include "base/posix/eintr_wrapper.h"

namespace base {

namespace {

const int kWaitBeforeKillSeconds = 2;

// Reap |child| process. This call blocks until completion.
void BlockingReap(pid_t child) {
  const pid_t result = HANDLE_EINTR(waitpid(child, NULL, 0));
  if (result == -1) {
    DPLOG(ERROR) << "waitpid(" << child << ", NULL, 0)";
  }
}

// Waits for |timeout| seconds for the given |child| to exit and reap it. If
// the child doesn't exit within the time specified, kills it.
//
// This function takes two approaches: first, it tries to use kqueue to
// observe when the process exits. kevent can monitor a kqueue with a
// timeout, so this method is preferred to wait for a specified period of
// time. Once the kqueue indicates the process has exited, waitpid will reap
// the exited child. If the kqueue doesn't provide an exit event notification,
// before the timeout expires, or if the kqueue fails or misbehaves, the
// process will be mercilessly killed and reaped.
//
// A child process passed to this function may be in one of several states:
// running, terminated and not yet reaped, and (apparently, and unfortunately)
// terminated and already reaped. Normally, a process will at least have been
// asked to exit before this function is called, but this is not required.
// If a process is terminating and unreaped, there may be a window between the
// time that kqueue will no longer recognize it and when it becomes an actual
// zombie that a non-blocking (WNOHANG) waitpid can reap. This condition is
// detected when kqueue indicates that the process is not running and a
// non-blocking waitpid fails to reap the process but indicates that it is
// still running. In this event, a blocking attempt to reap the process
// collects the known-dying child, preventing zombies from congregating.
//
// In the event that the kqueue misbehaves entirely, as it might under a
// EMFILE condition ("too many open files", or out of file descriptors), this
// function will forcibly kill and reap the child without delay. This
// eliminates another potential zombie vector. (If you're out of file
// descriptors, you're probably deep into something else, but that doesn't
// mean that zombies be allowed to kick you while you're down.)
//
// The fact that this function seemingly can be called to wait on a child
// that's not only already terminated but already reaped is a bit of a
// problem: a reaped child's pid can be reclaimed and may refer to a distinct
// process in that case. The fact that this function can seemingly be called
// to wait on a process that's not even a child is also a problem: kqueue will
// work in that case, but waitpid won't, and killing a non-child might not be
// the best approach.
void WaitForChildToDie(pid_t child, int timeout) {
  DCHECK_GT(child, 0);
  DCHECK_GT(timeout, 0);

  // DON'T ADD ANY EARLY RETURNS TO THIS FUNCTION without ensuring that
  // |child| has been reaped. Specifically, even if a kqueue, kevent, or other
  // call fails, this function should fall back to the last resort of trying
  // to kill and reap the process. Not observing this rule will resurrect
  // zombies.

  int result;

  ScopedFD kq(HANDLE_EINTR(kqueue()));
  if (!kq.is_valid()) {
    DPLOG(ERROR) << "kqueue()";
  } else {
    struct kevent change = {0};
    EV_SET(&change, child, EVFILT_PROC, EV_ADD, NOTE_EXIT, 0, NULL);
    result = HANDLE_EINTR(kevent(kq.get(), &change, 1, NULL, 0, NULL));

    if (result == -1) {
      if (errno != ESRCH) {
        DPLOG(ERROR) << "kevent (setup " << child << ")";
      } else {
        // At this point, one of the following has occurred:
        // 1. The process has died but has not yet been reaped.
        // 2. The process has died and has already been reaped.
        // 3. The process is in the process of dying. It's no longer
        //    kqueueable, but it may not be waitable yet either. Mark calls
        //    this case the "zombie death race".

        result = HANDLE_EINTR(waitpid(child, NULL, WNOHANG));

        if (result != 0) {
          // A positive result indicates case 1. waitpid succeeded and reaped
          // the child. A result of -1 indicates case 2. The child has already
          // been reaped. In both of these cases, no further action is
          // necessary.
          return;
        }

        // |result| is 0, indicating case 3. The process will be waitable in
        // short order. Fall back out of the kqueue code to kill it (for good
        // measure) and reap it.
      }
    } else {
      // Keep track of the elapsed time to be able to restart kevent if it's
      // interrupted.
      TimeDelta remaining_delta = TimeDelta::FromSeconds(timeout);
      TimeTicks deadline = TimeTicks::Now() + remaining_delta;
      result = -1;
      struct kevent event = {0};
      while (remaining_delta.InMilliseconds() > 0) {
        const struct timespec remaining_timespec = remaining_delta.ToTimeSpec();
        result = kevent(kq.get(), NULL, 0, &event, 1, &remaining_timespec);
        if (result == -1 && errno == EINTR) {
          remaining_delta = deadline - TimeTicks::Now();
          result = 0;
        } else {
          break;
        }
      }

      if (result == -1) {
        DPLOG(ERROR) << "kevent (wait " << child << ")";
      } else if (result > 1) {
        DLOG(ERROR) << "kevent (wait " << child << "): unexpected result "
                    << result;
      } else if (result == 1) {
        if ((event.fflags & NOTE_EXIT) &&
            (event.ident == static_cast<uintptr_t>(child))) {
          // The process is dead or dying. This won't block for long, if at
          // all.
          BlockingReap(child);
          return;
        } else {
          DLOG(ERROR) << "kevent (wait " << child
                      << "): unexpected event: fflags=" << event.fflags
                      << ", ident=" << event.ident;
        }
      }
    }
  }

  // The child is still alive, or is very freshly dead. Be sure by sending it
  // a signal. This is safe even if it's freshly dead, because it will be a
  // zombie (or on the way to zombiedom) and kill will return 0 even if the
  // signal is not delivered to a live process.
  result = kill(child, SIGKILL);
  if (result == -1) {
    DPLOG(ERROR) << "kill(" << child << ", SIGKILL)";
  } else {
    // The child is definitely on the way out now. BlockingReap won't need to
    // wait for long, if at all.
    BlockingReap(child);
  }
}

}  // namespace

void EnsureProcessTerminated(Process process) {
  WaitForChildToDie(process.Pid(), kWaitBeforeKillSeconds);
}

}  // namespace base
Update to 7.0.0 (2060) 2020-08-14 16:58:22 +00:00			`// Copyright (c) 2013 The Chromium Authors. All rights reserved.`
			`// Use of this source code is governed by a BSD-style license that can be`
			`// found in the LICENSE file.`

			`#include "base/process/kill.h"`

			`#include <errno.h>`
			`#include <signal.h>`
			`#include <sys/event.h>`
			`#include <sys/types.h>`
			`#include <sys/wait.h>`

			`#include "base/files/file_util.h"`
			`#include "base/files/scoped_file.h"`
			`#include "base/logging.h"`
			`#include "base/posix/eintr_wrapper.h"`

			`namespace base {`

			`namespace {`

			`const int kWaitBeforeKillSeconds = 2;`

			`// Reap \|child\| process. This call blocks until completion.`
			`void BlockingReap(pid_t child) {`
			`const pid_t result = HANDLE_EINTR(waitpid(child, NULL, 0));`
			`if (result == -1) {`
			`DPLOG(ERROR) << "waitpid(" << child << ", NULL, 0)";`
			`}`
			`}`

			`// Waits for \|timeout\| seconds for the given \|child\| to exit and reap it. If`
			`// the child doesn't exit within the time specified, kills it.`
			`//`
			`// This function takes two approaches: first, it tries to use kqueue to`
			`// observe when the process exits. kevent can monitor a kqueue with a`
			`// timeout, so this method is preferred to wait for a specified period of`
			`// time. Once the kqueue indicates the process has exited, waitpid will reap`
			`// the exited child. If the kqueue doesn't provide an exit event notification,`
			`// before the timeout expires, or if the kqueue fails or misbehaves, the`
			`// process will be mercilessly killed and reaped.`
			`//`
			`// A child process passed to this function may be in one of several states:`
			`// running, terminated and not yet reaped, and (apparently, and unfortunately)`
			`// terminated and already reaped. Normally, a process will at least have been`
			`// asked to exit before this function is called, but this is not required.`
			`// If a process is terminating and unreaped, there may be a window between the`
			`// time that kqueue will no longer recognize it and when it becomes an actual`
			`// zombie that a non-blocking (WNOHANG) waitpid can reap. This condition is`
			`// detected when kqueue indicates that the process is not running and a`
			`// non-blocking waitpid fails to reap the process but indicates that it is`
			`// still running. In this event, a blocking attempt to reap the process`
			`// collects the known-dying child, preventing zombies from congregating.`
			`//`
			`// In the event that the kqueue misbehaves entirely, as it might under a`
			`// EMFILE condition ("too many open files", or out of file descriptors), this`
			`// function will forcibly kill and reap the child without delay. This`
			`// eliminates another potential zombie vector. (If you're out of file`
			`// descriptors, you're probably deep into something else, but that doesn't`
			`// mean that zombies be allowed to kick you while you're down.)`
			`//`
			`// The fact that this function seemingly can be called to wait on a child`
			`// that's not only already terminated but already reaped is a bit of a`
			`// problem: a reaped child's pid can be reclaimed and may refer to a distinct`
			`// process in that case. The fact that this function can seemingly be called`
			`// to wait on a process that's not even a child is also a problem: kqueue will`
			`// work in that case, but waitpid won't, and killing a non-child might not be`
			`// the best approach.`
			`void WaitForChildToDie(pid_t child, int timeout) {`
			`DCHECK_GT(child, 0);`
			`DCHECK_GT(timeout, 0);`

			`// DON'T ADD ANY EARLY RETURNS TO THIS FUNCTION without ensuring that`
			`// \|child\| has been reaped. Specifically, even if a kqueue, kevent, or other`
			`// call fails, this function should fall back to the last resort of trying`
			`// to kill and reap the process. Not observing this rule will resurrect`
			`// zombies.`

			`int result;`

			`ScopedFD kq(HANDLE_EINTR(kqueue()));`
			`if (!kq.is_valid()) {`
			`DPLOG(ERROR) << "kqueue()";`
			`} else {`
			`struct kevent change = {0};`
			`EV_SET(&change, child, EVFILT_PROC, EV_ADD, NOTE_EXIT, 0, NULL);`
			`result = HANDLE_EINTR(kevent(kq.get(), &change, 1, NULL, 0, NULL));`

			`if (result == -1) {`
			`if (errno != ESRCH) {`
			`DPLOG(ERROR) << "kevent (setup " << child << ")";`
			`} else {`
			`// At this point, one of the following has occurred:`
			`// 1. The process has died but has not yet been reaped.`
			`// 2. The process has died and has already been reaped.`
			`// 3. The process is in the process of dying. It's no longer`
			`// kqueueable, but it may not be waitable yet either. Mark calls`
			`// this case the "zombie death race".`

			`result = HANDLE_EINTR(waitpid(child, NULL, WNOHANG));`

			`if (result != 0) {`
			`// A positive result indicates case 1. waitpid succeeded and reaped`
			`// the child. A result of -1 indicates case 2. The child has already`
			`// been reaped. In both of these cases, no further action is`
			`// necessary.`
			`return;`
			`}`

			`// \|result\| is 0, indicating case 3. The process will be waitable in`
			`// short order. Fall back out of the kqueue code to kill it (for good`
			`// measure) and reap it.`
			`}`
			`} else {`
			`// Keep track of the elapsed time to be able to restart kevent if it's`
			`// interrupted.`
			`TimeDelta remaining_delta = TimeDelta::FromSeconds(timeout);`
			`TimeTicks deadline = TimeTicks::Now() + remaining_delta;`
			`result = -1;`
			`struct kevent event = {0};`
			`while (remaining_delta.InMilliseconds() > 0) {`
			`const struct timespec remaining_timespec = remaining_delta.ToTimeSpec();`
			`result = kevent(kq.get(), NULL, 0, &event, 1, &remaining_timespec);`
			`if (result == -1 && errno == EINTR) {`
			`remaining_delta = deadline - TimeTicks::Now();`
			`result = 0;`
			`} else {`
			`break;`
			`}`
			`}`

			`if (result == -1) {`
			`DPLOG(ERROR) << "kevent (wait " << child << ")";`
			`} else if (result > 1) {`
			`DLOG(ERROR) << "kevent (wait " << child << "): unexpected result "`
			`<< result;`
			`} else if (result == 1) {`
			`if ((event.fflags & NOTE_EXIT) &&`
			`(event.ident == static_cast<uintptr_t>(child))) {`
			`// The process is dead or dying. This won't block for long, if at`
			`// all.`
			`BlockingReap(child);`
			`return;`
			`} else {`
			`DLOG(ERROR) << "kevent (wait " << child`
			`<< "): unexpected event: fflags=" << event.fflags`
			`<< ", ident=" << event.ident;`
			`}`
			`}`
			`}`
			`}`

			`// The child is still alive, or is very freshly dead. Be sure by sending it`
			`// a signal. This is safe even if it's freshly dead, because it will be a`
			`// zombie (or on the way to zombiedom) and kill will return 0 even if the`
			`// signal is not delivered to a live process.`
			`result = kill(child, SIGKILL);`
			`if (result == -1) {`
			`DPLOG(ERROR) << "kill(" << child << ", SIGKILL)";`
			`} else {`
			`// The child is definitely on the way out now. BlockingReap won't need to`
			`// wait for long, if at all.`
			`BlockingReap(child);`
			`}`
			`}`

			`} // namespace`

			`void EnsureProcessTerminated(Process process) {`
			`WaitForChildToDie(process.Pid(), kWaitBeforeKillSeconds);`
			`}`

			`} // namespace base`