mirror of
https://github.com/RGBCube/serenity
synced 2025-10-24 01:52:31 +00:00

These changes are arbitrarily divided into multiple commits to make it easier to find potentially introduced bugs with git bisect.Everything: The modifications in this commit were automatically made using the following command: find . -name '*.cpp' -exec sed -i -E 's/dbg\(\) << ("[^"{]*");/dbgln\(\1\);/' {} \;
169 lines
4.8 KiB
C++
169 lines
4.8 KiB
C++
/*
|
|
* Copyright (c) 2020, Ben Wiederhake <BenWiederhake.GitHub@gmx.de>
|
|
* All rights reserved.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions are met:
|
|
*
|
|
* 1. Redistributions of source code must retain the above copyright notice, this
|
|
* list of conditions and the following disclaimer.
|
|
*
|
|
* 2. Redistributions in binary form must reproduce the above copyright notice,
|
|
* this list of conditions and the following disclaimer in the documentation
|
|
* and/or other materials provided with the distribution.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
|
|
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
|
* DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
|
|
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
|
* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
|
|
* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
|
|
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
|
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
*/
|
|
|
|
#include <AK/Assertions.h>
|
|
#include <AK/LogStream.h>
|
|
#include <LibPthread/pthread.h>
|
|
#include <fcntl.h>
|
|
#include <signal.h>
|
|
#include <stdio.h>
|
|
#include <unistd.h>
|
|
|
|
/*
|
|
* Bug:
|
|
* If the main thread of a process is no longer alive, it cannot receive
|
|
* signals anymore. This can manifest as, for example, an unkillable process.
|
|
*
|
|
* So what needs to happen:
|
|
* - There is process P
|
|
* - It has more than one thread
|
|
* - The main thread calls thread_exit(), leaving the rest of the threads alive
|
|
* - Now the process is unkillable!
|
|
*
|
|
* Here's how to demonstrate the bug:
|
|
* - Time 0: PX forks into PZ (mnemonic: Zombie)
|
|
* - Time 1: PZ's main thread T1 creates a new thread T2
|
|
* - Time 2: Nothing (T2 could communicate to PX both process and thread ID)
|
|
* (most LibC functions crash currently, which is a different bug I suppose.)
|
|
* - Time 3: T1 calls thread_exit()
|
|
* - Time 4:
|
|
* * PX tries to kill PZ (should work, but doesn't)
|
|
* * PX tries to kill PZ using T2's thread ID (shouldn't work, and doesn't)
|
|
* * PX outputs all results.
|
|
*/
|
|
|
|
static constexpr useconds_t STEP_SIZE = 1100000;
|
|
|
|
static void fork_into(void(fn)())
|
|
{
|
|
const pid_t rc = fork();
|
|
if (rc < 0) {
|
|
perror("fork");
|
|
exit(1);
|
|
}
|
|
if (rc > 0) {
|
|
return;
|
|
}
|
|
fn();
|
|
dbgln("child finished (?)");
|
|
exit(1);
|
|
}
|
|
|
|
static void thread_into(void* (*fn)(void*))
|
|
{
|
|
pthread_t tid;
|
|
const int rc = pthread_create(&tid, nullptr, fn, nullptr);
|
|
if (rc < 0) {
|
|
perror("pthread_create");
|
|
exit(1);
|
|
}
|
|
}
|
|
|
|
static void sleep_steps(useconds_t steps)
|
|
{
|
|
const int rc = usleep(steps * STEP_SIZE);
|
|
if (rc < 0) {
|
|
perror("usleep");
|
|
ASSERT_NOT_REACHED();
|
|
}
|
|
}
|
|
|
|
static bool try_kill(pid_t kill_id)
|
|
{
|
|
int rc = kill(kill_id, SIGTERM);
|
|
perror("kill");
|
|
printf("kill rc: %d\n", rc);
|
|
return rc >= 0;
|
|
}
|
|
|
|
static void run_pz();
|
|
static void* run_pz_t2_wrap(void* fd_ptr);
|
|
static void run_pz_t2();
|
|
|
|
int main(int, char**)
|
|
{
|
|
// This entire function is the entirety of process PX.
|
|
|
|
// Time 0: PX forks into PZ (mnemonic: Zombie)
|
|
dbgln("PX forks into PZ");
|
|
fork_into(run_pz);
|
|
sleep_steps(4);
|
|
|
|
// Time 4:
|
|
dbgln("Let's hope everything went fine!");
|
|
pid_t guessed_pid = getpid() + 1;
|
|
pid_t guessed_tid = guessed_pid + 1;
|
|
printf("About to kill PID %d, TID %d.\n", guessed_pid, guessed_tid);
|
|
if (try_kill(guessed_tid)) {
|
|
printf("FAIL, could kill a thread\n");
|
|
exit(1);
|
|
}
|
|
if (!try_kill(guessed_pid)) {
|
|
printf("FAIL, could not kill the process\n");
|
|
exit(1);
|
|
}
|
|
|
|
printf("PASS\n");
|
|
return 0;
|
|
}
|
|
|
|
static void run_pz()
|
|
{
|
|
// Time 0: PX forks into PZ (mnemonic: Zombie)
|
|
sleep_steps(1);
|
|
|
|
// Time 1: PZ's main thread T1 creates a new thread T2
|
|
dbgln("PZ calls pthread_create");
|
|
thread_into(run_pz_t2_wrap);
|
|
sleep_steps(2);
|
|
|
|
// Time 3: T1 calls thread_exit()
|
|
dbgln("PZ(T1) calls thread_exit");
|
|
pthread_exit(nullptr);
|
|
ASSERT_NOT_REACHED();
|
|
}
|
|
|
|
static void* run_pz_t2_wrap(void*)
|
|
{
|
|
run_pz_t2();
|
|
exit(1);
|
|
}
|
|
|
|
static void run_pz_t2()
|
|
{
|
|
// Time 1: PZ's main thread T1 creates a new thread T2
|
|
sleep_steps(1);
|
|
|
|
// Time 2: Nothing
|
|
// FIXME: For some reason, both printf() and dbg() crash.
|
|
// This also prevents us from using a pipe to communicate to PX both process and thread ID
|
|
// dbgln("T2: I'm alive and well.");
|
|
sleep_steps(18);
|
|
|
|
// Time 20: Cleanup
|
|
printf("PZ(T2) dies from boredom.\n");
|
|
exit(0);
|
|
}
|