Path: csiph.com!xmission!news.snarked.org!news.linkpendium.com!news.linkpendium.com!panix!usenet.stanford.edu!not-for-mail
From: Godmar Back <godmar@gmail.com>
Newsgroups: gnu.bash.bug
Subject: approach to async-signal safety in bash
Date: Tue, 30 Jun 2020 16:28:27 -0400
Lines: 55
Approved: bug-bash@gnu.org
Message-ID: <mailman.722.1593548926.2574.bug-bash@gnu.org>
References: <pn9hipci.dag@gnui.org> <CAB4+JYLs7vO-9dOb9inSRF0QC7d67U9RJnduk3oWy+MiaFUOug@mail.gmail.com>
NNTP-Posting-Host: lists.gnu.org
Mime-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
X-Trace: usenet.stanford.edu 1593548927 26336 209.51.188.17 (30 Jun 2020 20:28:47 GMT)
X-Complaints-To: action@cs.stanford.edu
To: bug-bash@gnu.org
Envelope-to: bug-bash@gnu.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=hmDfKa5oUDS5eYP0DYGXAEXDEXA9enL8zQQ5o+uCY20=; b=tTWpXZ0fP+5Q9RMDlU3kUbEPykrKQ40LeeUmV7SKq9UngWHxhAyH8NpNmLf7cIsdll FrboYY3Dc0dCc6J9QBqqxKNvI/nI4dc9GyqpEAQ4oqc6a5e0xVoxxYCeAxBi/HCmAppc J1iY7JCkcDj0H9VLX4AzV5q4SSewpsWZ48iAWkiCcyBAo+aLdVUQTpe0Nro62wYDfoA1 1XGBSunm1qrUqv+oWur47BUbu+PekSVQZSqR6hw17lsTWmJRWrgj8+YIB3AH2fJgHeEa fhBzG533HBAaY9veM9XnquYPyHqZaHDsys/9CSXfnxOaPcFULp511fqIPN9dScUKsaZr d8tQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=hmDfKa5oUDS5eYP0DYGXAEXDEXA9enL8zQQ5o+uCY20=; b=E8E4GcXZkwjQmEbTOL/uf58QrDwK35CBktLvoANXZWqm+yXG6bxSTJjBgmBWUle8Co Zw28meIQZojvae8m61WTmlEe92ebSv1Sj1bgmNFFFtwNebQoGMm0LTuljZDMH29vi+SK d4uYdD+i7Qq/UxvhhOjhsKMYojah329yAoXkPp6NI6Me8aUfTejBBBteWjPIqJ0zgTip efxUgQ02t9n+BBmBkCA40Nhtm1lCjTbALTc510+ya7GCoUAfBRZudj/KLJpKOmYXGwsQ 1faAqCOpjwlqcnxUOaf5FU5LG/phjDkyW0trc2/s0Vm54OtX8k65gvMkBbF/yzlRsXNn xFMw==
X-Gm-Message-State: AOAM533qUWI5a24A7T9irmPCWbJUjd5RPduCm78jPuMSYu0mXHH8YwTL GVzkd6c2/pnKvv0t6u2mkiHSizMQadCLVC9TbT3b5IX1RlU=
X-Google-Smtp-Source: ABdhPJzL+i3fgsR/9isLs8NXC/nB5H71E133N5V7M9oXd5eZZpJXBlwGdUsDxSl/k3O2eUAZ2cHNPGLvuISDH/41Z7o=
X-Received: by 2002:adf:f784:: with SMTP id q4mr23094845wrp.397.1593548919702; Tue, 30 Jun 2020 13:28:39 -0700 (PDT)
In-Reply-To: <pn9hipci.dag@gnui.org>
Received-SPF: pass client-ip=2a00:1450:4864:20::42a; envelope-from=godmar@gmail.com; helo=mail-wr1-x42a.google.com
X-detected-operating-system: by eggs.gnu.org: No matching host in p0f cache. That's all we know.
X-Spam_score_int: -20
X-Spam_score: -2.1
X-Spam_bar: --
X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001 autolearn=_AUTOLEARN
X-Spam_action: no action
X-Content-Filtered-By: Mailman/MimeDel 2.1.23
X-BeenThere: bug-bash@gnu.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: Bug reports for the GNU Bourne Again SHell <bug-bash.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-bash>, <mailto:bug-bash-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/bug-bash>
List-Post: <mailto:bug-bash@gnu.org>
List-Help: <mailto:bug-bash-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-bash>, <mailto:bug-bash-request@gnu.org?subject=subscribe>
X-Mailman-Original-Message-ID: <CAB4+JYLs7vO-9dOb9inSRF0QC7d67U9RJnduk3oWy+MiaFUOug@mail.gmail.com>
X-Mailman-Original-References: <pn9hipci.dag@gnui.org>
Xref: csiph.com gnu.bash.bug:16501

Hi,

I'm trying to understand what approach bash takes to async-signal safety in
its design.

Generally, programs that use signals (such as SIGCHLD or SIGALRM) must make
sure that

(a) they do not access state (such as variables) from within the signal
handler if such state could also be accessed from the main control flow
while a signal could be delivered and the 2 accesses could conflict in some
way.

(b) they do not call POSIX functions from a signal handler if it is
possible for those functions to be called from the main control flow while
a signal can be delivered, unless the function is marked as async-signal
safe by POSIX, which does not include stdio functions such as printf or
fprintf.

Looking at the bash 5.0 code, I see some comments in the code about
strategies to protect the jobs array and other data structures from
arriving SIGCHLD signals, but I have questions about, for instance, these:

- printable_job_status uses a 'static' variable "temp". However,
printable_job_status is called during the execution of the builtin command
"jobs" and here (I believe at least) without blocking or queuing SIGCHLD.
Therefore, if set -b is set, it could be reentered if a child process exits
at that time. This could clobber 'temp'.

- If set -b is set, calls to notify_job_status from the SIGCHLD handler may
invoke printf or fprintf(stderr,), which is also called on builtin paths,
for instance, when executing just "set" and listing all variables/functions.

- The SIGALRM handler in eval.c calls printf and fflush(stdout), even
though SIGALRM doesn't appear to be blocked elsewhere where printf() is
called.

(These 3 things were those I was able to spot in a few minutes, it is not
meant to be an exhaustive list.)

If my observations were correct, the existing code may not be async-signal
safe.

The path of calling printf() on a SIGCHLD path (if it exists) is
particularly concerning because it is prone to deadlocks
<http://www.cs.cmu.edu/afs/cs/academic/class/15213-s19/www/code/15-ecf-signals/signaldeadlock.c>
due to the acquisition of a lock in stdio at least on GNU/Linux systems.
This might actually show up under stress testing or in daily use. Printing
to stderr may be less so in my experience, perhaps because stderr is
unbuffered, but it would still violate the POSIX guarantees of those
functions.

Thanks.

  - Godmar