/cc @aclements @ianlancetaylor @crawshaw

Change https://golang.org/cl/71570 mentions this issue: cmd/go: skip updateBuildID on binaries we will run

Change https://golang.org/cl/71571 mentions this issue: cmd/go: delete ETXTBSY hack that is no longer needed

Userspace workarounds seem flawed or less than ideal. This is a kernel
problem, like O_CLOEXEC. Perhaps lobby for a O_CLOFORK that's similar
but close on fork instead. The writer would open, write, close, fork,
exec so wouldn't make use of it, but any other thread that forks
wouldn't carry the FD with it so the writer's close would succeeding in
nailing the sole, final, reference to the "open file description", as
POSIX calls it.

O_CLOFORK is a good idea. Does anybody want to suggest that to the Linux kernel maintainers? I expect that if someone can get it into Linux it will flow through to the other kernels.

I'm going to repeat a hack I described elsewhere that I believe would work for pure Go programs.

• record the highest file descriptor returned by syscall.Open, syscall.Socket, syscall.Dup, etc.
• add a new RWMutex in syscall: forkMutex
• during syscall.Close, acquire a read lock on forkMutex
• in syscall.forkAndExecInChild acquire a write lock on forkMutex, and
• open a pipe in the parent (as we already do if UidMappings is set), and
• in the child, loop through the descriptors up to the highest one,
• closing each one that is marked close-on-exec, then close the pipe to the parent
• in the parent, when the pipe is closed, release the forkMutex lock

The effect of this should be that when syscall.Close returns, we know for sure that there is no forked child that has an open copy of the descriptor.

The disadvantages are that all forks are serialized, and that all forks waste time closing descriptors that will shortly be closed anyhow. Also, of course, forks temporarily block closes, but that is unlikely to be significant.

O_CLOFORK is a good idea. Does anybody want to suggest that to the Linux kernel maintainers?

I'm happy to have a go, but I'm a nobody on that list. I was assuming folks here might have the ear of a Google kernel developer or two in that area that would vet the idea and suggest it to the list if worthy. :-)

during syscall.Close, acquire a read lock on forkMutex

And syscall.Dup2 and Dup3 as they may cause newfd to close.

Do syscall.Open et al also synchronise with forkMutex somehow? I'm wondering if they can be creating more FDs, either above or below the highwater mark, whilst forkAndExecInChild is looping, closing close-on-exec ones.

Is there a place to file a feature request against the Linux kernel? I know nothing about the kernel development process. I hear it uses git.

Agree about Dup2 and Dup3.

As far as I can see it doesn't matter if syscall.Open and friends create a new FD while the child is looping, because the child won't see the new descriptor anyhow.

@ianlancetaylor thanks, yes, the explicit closes would solve the problem with slow execs, which would be nice. That might make this actually palatable. You also don't even need the extra pipe if you use vfork in this approach.

I agree with @RalphCorderoy that there's a race between the "maintain the max" and "fork", in that Open might create a new fd, then fork runs in a different thread before Open can update the max. But since fds are created lowest-available, it should suffice for the child to assume that max is, say, 10 larger than it is.

Also note that this need not be an RWMutex (and for that matter the current syscall.ForkMutex need not be an RWMutex either). It just needs to be an "either-or" mutex. An RWMutex allows N readers or 1 writer. The mutex we need would allow N of type A or N of type B, just never a mix. If we built that (not difficult, I don't think), then programs that never fork would not serialize any of their closes, and programs that fork a lot but don't close things would not serialize any of their forks.

O_CLOFORK would require having fcntl F_SETFL/F_GETFL support for that bit too, and it would complicate fork a little more than it already is. An alternative that would be equally fine for us would be a "close all fd's above" or "tell me the maximum fd of my process" syscall. I don't know if a new bit or a new syscall is more likely.

I should maybe also note that macOS fixes this problem by putting #if 0 around the ETXTBSY check in the kernel implementation of exec. That would be a third option for Linux although probably less likely than the other two.

I've emailed linux-kernel@vger.kernel.org. Will reference an archive once it appears.
If they're unpersuaded, then there's the POSIX folks at Open Group; they have a bug tracker.

linux-kernel mailing-list archive of post: https://marc.info/?l=linux-kernel&m=150834137201488

What's the plan here for Go 1.10?

@RalphCorderoy, looks like you never got a reply, eh?

Looks like Solaris and macOS and OpenBSD have O_CLOFORK already. Hopefully it will catch on further.

I observed what I believe is an equivalent race for pipes when investigating #36107.

The race can cause a Write call to a pipe to spuriously succeed (instead of returning EPIPE) after the read side of the pipe has been closed.

The mechanism is the same:

• The parent creates the pipe and (with syscall.ForkLock held) sets it to be CLOEXEC.
• The parent process calls os.StartProcess, which forks a child process.
  • (The child process inherits a copy of the file descriptors for the pipe.)
• Before the child process has reached its exec, the parent process closes the read side of the pipe.
  • (However, the FD for that side remains open in the child process.)
• The parent process calls Write on the write side, causing the kernel to buffer the write (since the pipe FD is still open in the child). The Write succeeds.
• Finally, the child process reaches its exec call, closing its copy of the read FD and dropping the buffered bytes.

This race can be observed by running os_test.TestEPIPE concurrently with a call to os.StartProcess.

Change https://go.dev/cl/458015 mentions this issue: os: clean up tests

Change https://go.dev/cl/458016 mentions this issue: os/exec: retry ETXTBSY errors in TestFindExecutableVsNoexec

If the OS had a "close all fds above x", we could use that. (I don't know of any that do, but it sure would help.)

Since this was written, Linux and FreeBSD added a close_range syscall (about fall 2020 - Linux kernel 5.9, FreeBSD 12.2, should be identical semantics). The reason for close_range instead of closefrom (which also exists in a few OSes) is so that if you want to have a child process inherit, say, fds 0, 1, 2, and 1000, you can do two syscalls instead of 998.

Assuming that the set of open fds is sparse, you can also do a pretty good job of this on many OSes, including older Linux versions, by using /dev/fd, /proc/self/fd, or equivalent. From a quick Google, https://github.com/cptpcrd/close_fds seems to be a pretty thorough attempt at finding the best OS-specific way.

Also, just to make sure I understand correctly - the idea here is that you would have some sort of process-wide two-sided lock where calls to close require a critical section around the close call alone and calls to fork require a critical section on the other side from before fork until unwanted file descriptors are closed. (It's not exactly an rwlock because you can have multiple closes at once or multiple forks at once, you just can't have one of each. Also note the lock has to work properly across fork.) And the reason a "close all fds above x" operation would help is that it would allow you to reduce the second critical section to be [fork, close_range] instead of [fork, exec triggering close-on-exec], which is helpful because exec could potentially be slow because of the filesystem, and also because if you're waiting for a self-pipe to close, it might get closed before other FDs are closed. Do I have all of that right?

By the way, there is one mildly exciting complication here, which is that closing the FD can also potentially be slow because of the filesystem. At least on Linux, closing a file descriptor calls the filesystem's flush operation on the underlying file description - even if there are other file descriptors open to that file description which will eventually be closed too! So it's possible that if thread A opens a file on a slow filesystem, thread B forks a child for exec, and thread A then closes the file, both thread A and the child will be slowed down. This isn't any worse than the status quo, to be clear, where the close happens on exec. But it is a really good argument in favor of O_CLOFORK, and that it should be implemented in the form where the FD is never copied to the new process's FD table in the first place instead of actually being closed on fork.

(Another related subtlety - close can return errors! The file might fail to write for I/O reasons or the filesystem might check quota only when the writes is flushed. This can cause actual data loss if you assume it succeeded. On Linux, close returns the error from the filesystem's flush operation and I believe always gets rid of the FD, and I guess it's up to the filesystem whether a second flush on another FD to the same open file description also returns the same error, or if it's lost state at that point. And close_range and of course close-on-exec do not report errors back to userspace the way close does. So that's another really good argument for O_CLOFORK implemented as never-inherit, to ensure that errors from close successfully get to the right close call.)

Note that vfork(2) is not a solution. Vfork is defined as the parent does not continue executing until the child is no longer using the parent's memory image. In the case of a successful exec, at least on Linux, vfork releases the memory image before doing any of the close-on-exec work, so the parent continues running before the child has closed the fds we care about.

The bigger problem is that vfork (at least on Linux and FreeBSD) only suspends the calling thread, and other threads continue to run, so it doesn't solve the problem at all. (If it weren't for that, I think vfork + close_range would avoid this problem, since the parent is still suspended during close_range.)

@geofft Thanks for pointing out close_range. Unfortunately I'm not sure how to use it in a fully reliable way, as Go programs can of course turn off the "close-on-exec" flag for a file descriptor. I think that what we want in the absence of O_CLOFORK is an efficient way to close all descriptors marked close-on-exec, while leaving the non-close-on-exec descriptors alone.

Change https://go.dev/cl/522015 mentions this issue: cmd/go: retry ETXTBSY errors when running test binaries

Change https://go.dev/cl/522176 mentions this issue: [release-branch.go1.21] cmd/go: retry ETXTBSY errors when running test binaries

Change https://go.dev/cl/560415 mentions this issue: cmd/go: avoid copying a binary to be exec'd in TestScript/gotoolchain_path