eio_posix: initial support for subprocesses

[talex5]

To spawn a child executable on Unix, the parent forks a copy of itself, then has the child copy set up the environment and execve the new program.

However, we cannot run any OCaml code in the forked child process. This is because fork only duplicates its own domain. To the child, it appears that all other domains have stopped responding and if it tries to e.g. perform a GC then the child process will hang.

Therefore, the fork and all child actions need to be written in C. To keep this flexible, this PR adds a new fork_action type and lets the user provide a list of such actions to perform.

Some of this support is in Eio_unix as it should be possible to share it with Eio_linux.

At present, there are three actions (chdir, fchdir and execve). It should be fairly easy to plug in new ones (e.g. for renumbering file descriptors, dropping privileges, execveat, etc). Different backends may provide different functions.

In future, it might be good to support vfork too, as well as clone3 on Linux. The SIGCHLD stuff could also be massively simplified on systems with process descriptors, but I think that's only Linux and FreeBSD at the moment (and Eio_linux can do its own thing anyway).

[haesbaert]

I'm surprised this holds, since a pid_t might not fit on an int. The standard library does the same though.

[talex5]

man system_data_types says:

According to POSIX, [pid_t] shall be a signed integer type, and the implementation shall support one or more programming environments where the width of pid_t is no greater than the width of the type long.

That could indeed be too big for an OCaml int. However, https://unix.stackexchange.com/questions/16883/what-is-the-maximum-value-of-the-process-id seems to indicate that the limit is usually quite small.

[haesbaert]

Interesting, I remember Stevens mentioning that the correct practice whas to for example cast a pid_t to (long long) in order to print it safely, since it was impossible to know its size.

[haesbaert]

Suggested change

	} else if (child_pid < 0) {
	} else if (child_pid == -1) {

[talex5]

Why? PIDs can't be negative, so if it returns e.g. -5 then it would be better to raise an exception. The kernel may do interesting things if passed a negative PID. e.g. kill says:

If pid is less than -1, then sig is sent to every process in the process group whose ID is -pid.

[haesbaert]

Exactly, PIDs can't be negative and fork cannot return anything below -1.

[talex5]

If it never returns anything below -1 then this code change makes no difference. And if it does, then the original version was safer.

[haesbaert]

it was just more "precise" 😄

[patricoferris]

Looks good! I did a little bit of stress testing on macOS and nothing seemed to break! Would standard output redirection be another action?

[patricoferris]

I think Fork_action is a sensible name, but I wonder if people will get confused with Fiber.fork?

[talex5]

It could be Child_action I suppose. But if you're using the low-level API to get precise control over forking, you probably know what Process.Fork_action means.

[patricoferris]

Should Process be exposed at the top-level of Eio_posix or inside Low_level?

[talex5]

Yes, this was a bit of a hack because Process depends on Low_level. I've moved it now, by making Children a separate file instead.

[patricoferris]

Do we need to document this more? You could in theory infer that the following is allowed:

let p = Eio_posix.Process.(spawn ~sw [
      Fork_action.chdir "./bench";
      Fork_action.execve "/bin/ls" ~argv:[| "ls" |] ~env:(Unix.environment ());
      Fork_action.chdir "..";
      Fork_action.execve "/bin/ls" ~argv:[| "ls" |] ~env:(Unix.environment ())
    ]) in
ignore (Eio.Promise.await p.exit_status)

[talex5]

I've added a comment to execve that it only makes sense to put it last.

[patricoferris]

Is there a chance the reap function above raises a different exception than the ones in the pattern-match and we end up not unlocking the lock?

[talex5]

I hope not. It's not clear whether it would be safe to release the mutex in that case, as we're probably in a bad state anyway.

[patricoferris]

Should we expose the concrete type for this, or abstract it and add functions to access pid and exit_status ?

[talex5]

Good idea. I've made it abstract now.

[avsm]

it's worth checking for EINTR here isn't it? Reasonable chance that if there's an error from a forked child, that some signal is coming back to the parent process and interrupting things.

[talex5]

This code runs in the child. Possibly we should be masking signals there though.

[talex5]

Would standard output redirection be another action?

I've made a branch with some experimental support for inheriting FDs here: https://github.com/talex5/eio/compare/spawn...talex5:eio:inherit-fds?expand=1

[RyanGibb]

This allows fixing the issue described at #435 (comment) by writing custom fork actions wrapping dup2 and ioctl: RyanGibb/ocaml-exec-shell@eedf2b...main#diff-5f310ca7290aedf0d4ea03186711c91b09aa4f211b0c4f3956260ea10ab98c18

How would you feel about exposing this to and documenting for users? (I.e. not putting it behind Eio_unix.Private)

[talex5]

@RyanGibb : we could just add setsid and setting the tty actions to Eio itself.

If we want to make this public, it will need a bit of work to put the public header files where other packages can find them.

[RyanGibb]

If we want to make this public, it will need a bit of work to put the public header files where other packages can find them.

That makes sense, I did have to duplicate some declarations and definitions from fork_action.h.

we could just add setsid and setting the tty actions to Eio itself.

I'll try and create a separate PR doing that.