Move the ProcessWatcher methods out of content/common/process_watcher into base/process_util, alongside the other process methods.

The only non-trivial move change is to the Windows implementation, where I changed KillProcess to use an exit code of kProcessKilledExitCode instead of content::RESULT_CODE_HUNG. cpu said that the existing code was incorrect, since GetTerminationStatus() should be mapping that result to TERMINATION_STATUS_PROCESS_WAS_KILLED. So I changed the exit code to kProcessKilledExitCode. This might make the UMA stats for killed processes to go up (and crashed to go down), but that will be an accounting change and should be zero-sum. BUG=98716 Review URL: http://codereview.chromium.org/8674003 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@111371 0039d316-1c4b-4281-b951-d872f2087c98
author: jam@chromium.org <jam@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> 2011-11-23 18:32:00 +0000
committer: jam@chromium.org <jam@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> 2011-11-23 18:32:00 +0000
commit: eaac715956492f57bae3f30957662aca56462abe (patch)
tree: 4a98772d114fcd710936a12ae1f03f38278cfba3 /base/process_util_mac.mm
parent: 407a38f923c6d76fe91de1bab7d8e190b6aa6f1d (diff)
download: chromium_src-eaac715956492f57bae3f30957662aca56462abe.zip
chromium_src-eaac715956492f57bae3f30957662aca56462abe.tar.gz
chromium_src-eaac715956492f57bae3f30957662aca56462abe.tar.bz2
1 files changed, 159 insertions, 0 deletions
diff --git a/base/process_util_mac.mm b/base/process_util_mac.mm
index 2d8bde4..6b39a61 100644
--- a/base/process_util_mac.mm
+++ b/base/process_util_mac.mm
@@ -7,6 +7,7 @@
 #import <Cocoa/Cocoa.h>
 #include <crt_externs.h>
 #include <dlfcn.h>
+#include <errno.h>
 #include <mach/mach.h>
 #include <mach/mach_init.h>
 #include <mach/mach_vm.h>
@@ -16,7 +17,9 @@
 #include <mach-o/nlist.h>
 #include <malloc/malloc.h>
 #import <objc/runtime.h>
+#include <signal.h>
 #include <spawn.h>
+#include <sys/event.h>
 #include <sys/mman.h>
 #include <sys/sysctl.h>
 #include <sys/types.h>
@@ -27,6 +30,7 @@
 
 #include "base/debug/debugger.h"
 #include "base/eintr_wrapper.h"
+#include "base/file_util.h"
 #include "base/hash_tables.h"
 #include "base/logging.h"
 #include "base/mac/mac_util.h"
@@ -990,4 +994,159 @@ ProcessId GetParentProcessId(ProcessHandle process) {
   return info.kp_eproc.e_ppid;
 }
 
+namespace {
+
+const int kWaitBeforeKillSeconds = 2;
+
+// Reap |child| process. This call blocks until completion.
+void BlockingReap(pid_t child) {
+  const pid_t result = HANDLE_EINTR(waitpid(child, NULL, 0));
+  if (result == -1) {
+    DPLOG(ERROR) << "waitpid(" << child << ", NULL, 0)";
+  }
+}
+
+// Waits for |timeout| seconds for the given |child| to exit and reap it. If
+// the child doesn't exit within the time specified, kills it.
+//
+// This function takes two approaches: first, it tries to use kqueue to
+// observe when the process exits. kevent can monitor a kqueue with a
+// timeout, so this method is preferred to wait for a specified period of
+// time. Once the kqueue indicates the process has exited, waitpid will reap
+// the exited child. If the kqueue doesn't provide an exit event notification,
+// before the timeout expires, or if the kqueue fails or misbehaves, the
+// process will be mercilessly killed and reaped.
+//
+// A child process passed to this function may be in one of several states:
+// running, terminated and not yet reaped, and (apparently, and unfortunately)
+// terminated and already reaped. Normally, a process will at least have been
+// asked to exit before this function is called, but this is not required.
+// If a process is terminating and unreaped, there may be a window between the
+// time that kqueue will no longer recognize it and when it becomes an actual
+// zombie that a non-blocking (WNOHANG) waitpid can reap. This condition is
+// detected when kqueue indicates that the process is not running and a
+// non-blocking waitpid fails to reap the process but indicates that it is
+// still running. In this event, a blocking attempt to reap the process
+// collects the known-dying child, preventing zombies from congregating.
+//
+// In the event that the kqueue misbehaves entirely, as it might under a
+// EMFILE condition ("too many open files", or out of file descriptors), this
+// function will forcibly kill and reap the child without delay. This
+// eliminates another potential zombie vector. (If you're out of file
+// descriptors, you're probably deep into something else, but that doesn't
+// mean that zombies be allowed to kick you while you're down.)
+//
+// The fact that this function seemingly can be called to wait on a child
+// that's not only already terminated but already reaped is a bit of a
+// problem: a reaped child's pid can be reclaimed and may refer to a distinct
+// process in that case. The fact that this function can seemingly be called
+// to wait on a process that's not even a child is also a problem: kqueue will
+// work in that case, but waitpid won't, and killing a non-child might not be
+// the best approach.
+void WaitForChildToDie(pid_t child, int timeout) {
+  DCHECK(child > 0);
+  DCHECK(timeout > 0);
+
+  // DON'T ADD ANY EARLY RETURNS TO THIS FUNCTION without ensuring that
+  // |child| has been reaped. Specifically, even if a kqueue, kevent, or other
+  // call fails, this function should fall back to the last resort of trying
+  // to kill and reap the process. Not observing this rule will resurrect
+  // zombies.
+
+  int result;
+
+  int kq = HANDLE_EINTR(kqueue());
+  if (kq == -1) {
+    DPLOG(ERROR) << "kqueue()";
+  } else {
+    file_util::ScopedFD auto_close_kq(&kq);
+
+    struct kevent change = {0};
+    EV_SET(&change, child, EVFILT_PROC, EV_ADD, NOTE_EXIT, 0, NULL);
+    result = HANDLE_EINTR(kevent(kq, &change, 1, NULL, 0, NULL));
+
+    if (result == -1) {
+      if (errno != ESRCH) {
+        DPLOG(ERROR) << "kevent (setup " << child << ")";
+      } else {
+        // At this point, one of the following has occurred:
+        // 1. The process has died but has not yet been reaped.
+        // 2. The process has died and has already been reaped.
+        // 3. The process is in the process of dying. It's no longer
+        //    kqueueable, but it may not be waitable yet either. Mark calls
+        //    this case the "zombie death race".
+
+        result = HANDLE_EINTR(waitpid(child, NULL, WNOHANG));
+
+        if (result != 0) {
+          // A positive result indicates case 1. waitpid succeeded and reaped
+          // the child. A result of -1 indicates case 2. The child has already
+          // been reaped. In both of these cases, no further action is
+          // necessary.
+          return;
+        }
+
+        // |result| is 0, indicating case 3. The process will be waitable in
+        // short order. Fall back out of the kqueue code to kill it (for good
+        // measure) and reap it.
+      }
+    } else {
+      // Keep track of the elapsed time to be able to restart kevent if it's
+      // interrupted.
+      TimeDelta remaining_delta = TimeDelta::FromSeconds(timeout);
+      Time deadline = Time::Now() + remaining_delta;
+      result = -1;
+      struct kevent event = {0};
+      while (remaining_delta.InMilliseconds() > 0) {
+        const struct timespec remaining_timespec = remaining_delta.ToTimeSpec();
+        result = kevent(kq, NULL, 0, &event, 1, &remaining_timespec);
+        if (result == -1 && errno == EINTR) {
+          remaining_delta = deadline - Time::Now();
+          result = 0;
+        } else {
+          break;
+        }
+      }
+
+      if (result == -1) {
+        DPLOG(ERROR) << "kevent (wait " << child << ")";
+      } else if (result > 1) {
+        DLOG(ERROR) << "kevent (wait " << child << "): unexpected result "
+                    << result;
+      } else if (result == 1) {
+        if ((event.fflags & NOTE_EXIT) &&
+            (event.ident == static_cast<uintptr_t>(child))) {
+          // The process is dead or dying. This won't block for long, if at
+          // all.
+          BlockingReap(child);
+          return;
+        } else {
+          DLOG(ERROR) << "kevent (wait " << child
+                      << "): unexpected event: fflags=" << event.fflags
+                      << ", ident=" << event.ident;
+        }
+      }
+    }
+  }
+
+  // The child is still alive, or is very freshly dead. Be sure by sending it
+  // a signal. This is safe even if it's freshly dead, because it will be a
+  // zombie (or on the way to zombiedom) and kill will return 0 even if the
+  // signal is not delivered to a live process.
+  result = kill(child, SIGKILL);
+  if (result == -1) {
+    DPLOG(ERROR) << "kill(" << child << ", SIGKILL)";
+  } else {
+    // The child is definitely on the way out now. BlockingReap won't need to
+    // wait for long, if at all.
+    BlockingReap(child);
+  }
+}
+
+}  // namespace
+
+void EnsureProcessTerminated(ProcessHandle process) {
+  WaitForChildToDie(process, kWaitBeforeKillSeconds);
+}
+
 }  // namespace base
author	jam@chromium.org <jam@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>	2011-11-23 18:32:00 +0000
committer	jam@chromium.org <jam@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>	2011-11-23 18:32:00 +0000
commit	eaac715956492f57bae3f30957662aca56462abe (patch)
tree	4a98772d114fcd710936a12ae1f03f38278cfba3 /base/process_util_mac.mm
parent	407a38f923c6d76fe91de1bab7d8e190b6aa6f1d (diff)
download	chromium_src-eaac715956492f57bae3f30957662aca56462abe.zip chromium_src-eaac715956492f57bae3f30957662aca56462abe.tar.gz chromium_src-eaac715956492f57bae3f30957662aca56462abe.tar.bz2