make File::try_clone produce non-inheritable handles on Windows #65316
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
File handles shouldn't be inheritable in general. `std::process::Command` takes care of making them inheritable when child processes are spawned, and the `CREATE_PROCESS_LOCK` protects against races in that section on Windows. But `File::try_clone` has been creating inheritable file descriptors outside of that lock, which could be leaking into other child processes unintentionally. See also rust-lang#31069 (comment).
|
(rust_highfive has picked a reviewer for you, use r? to override) |
rust-highfive
added
the
S-waiting-on-review
|
FWIW CI here by default runs on Linux and a Windows run these days is probably not too hard but will require some manual work I believe... I would get feedback on the idea first probably. |
|
Oh gotcha, my bad. I do have a Windows machine, so I can see about learning how to run libstd tests locally, though so far I've only ever done that on Linux. In the meantime, @alexcrichton if you happen to know that this change is a terrible idea, please let me know :) |
oconnor663
added a commit
to oconnor663/os_pipe.rs
that referenced
this pull request
Oct 11, 2019
There is a bug (I think it's a bug?) in libstd which makes File::try_clone return inheritable handles. We need to work around that by making the same system calls explictly, but with the inheritable flag set to false. I've filed a fix against libstd (rust-lang/rust#65316), but even if that lands we'll need to retain this workaround for all the past versions of Rust that have the bug.
oconnor663
added a commit
to oconnor663/os_pipe.rs
that referenced
this pull request
Oct 11, 2019
There is a bug (I think it's a bug?) in libstd which makes File::try_clone return inheritable handles. We need to work around that by making the same system calls explictly, but with the inheritable flag set to false. I've filed a fix against libstd (rust-lang/rust#65316), but even if that lands we'll need to retain this workaround for all the past versions of Rust that have the bug.
oconnor663
added a commit
to oconnor663/os_pipe.rs
that referenced
this pull request
Oct 11, 2019
There is a bug (I think it's a bug?) in libstd which makes File::try_clone return inheritable handles. We need to work around that by making the same system calls explictly, but with the inheritable flag set to false. I've filed a fix against libstd (rust-lang/rust#65316), but even if that lands we'll need to retain this workaround for all the past versions of Rust that have the bug.
oconnor663
added a commit
to oconnor663/os_pipe.rs
that referenced
this pull request
Oct 11, 2019
There is a bug (I think it's a bug?) in libstd which makes File::try_clone return inheritable handles. We need to work around that by making the same system calls explictly, but with the inheritable flag set to false. I've filed a fix against libstd (rust-lang/rust#65316), but even if that lands we'll need to retain this workaround for all the past versions of Rust that have the bug.
oconnor663
added a commit
to oconnor663/os_pipe.rs
that referenced
this pull request
Oct 11, 2019
There is a bug (I think it's a bug?) in libstd which makes File::try_clone return inheritable handles. We need to work around that by making the same system calls explictly, but with the inheritable flag set to false. I've filed a fix against libstd (rust-lang/rust#65316), but even if that lands we'll need to retain this workaround for all the past versions of Rust that have the bug.
oconnor663
added a commit
to oconnor663/os_pipe.rs
that referenced
this pull request
Oct 11, 2019
There is a bug (I think it's a bug?) in libstd which makes File::try_clone return inheritable handles. We need to work around that by making the same system calls explictly, but with the inheritable flag set to false. I've filed a fix against libstd (rust-lang/rust#65316), but even if that lands we'll need to retain this workaround for all the past versions of Rust that have the bug.
|
Thanks for the PR here @oconnor663! I believe this was probably just a mistake in the original PR, it's definitely intended that all handles created by the standard library are not inherited to child processes by default. The PR description says that this isn't ready for review, but the change here looks good to me. I think that this is pretty likely to be low-impact enough to land without much more ado. Was there more testing you wanted to perform though? |
|
Thanks @alexcrichton, I've edited my comment at the top to remove the "please don't review" :) I'll try to run compiler tests on my Windows box, but I don't know if I'll succeed, so I'm fine with landing this without waiting for me, if it looks good to you. |
|
@bors: r+ Ok, it'll take awhile to merge anyway, so seems fine to me to go ahead and land! |
|
📌 Commit 93ae692 has been approved by |
bors
added
S-waiting-on-bors
Centril
added a commit
to Centril/rust
that referenced
this pull request
Oct 16, 2019
…ichton make File::try_clone produce non-inheritable handles on Windows ~**NOT READY FOR REVIEW.** This PR is currently mainly to trigger CI so that I can see what happens. (Is there a better way to trigger CI?) I don't know whether this change makes sense yet.~ (Edit: @Mark-Simulacrum clarified that CI doesn't currently run on Windows.) --- File handles shouldn't be inheritable in general. `std::process::Command` takes care of making them inheritable when child processes are spawned, and the `CREATE_PROCESS_LOCK` protects against races in that section on Windows. But `File::try_clone` has been creating inheritable file descriptors outside of that lock, which could be leaking into other child processes unintentionally. See also rust-lang#31069 (comment).
bors
added a commit
that referenced
this pull request
Oct 17, 2019
Rollup of 8 pull requests Successful merges: - #65094 (Prefer statx on linux if available) - #65316 (make File::try_clone produce non-inheritable handles on Windows) - #65319 (InterpCx: make memory field public) - #65461 (Don't recommend ONCE_INIT in std::sync::Once) - #65465 (Move syntax::ext to a syntax_expand and refactor some attribute logic) - #65469 (Update libc to 0.2.64) - #65475 (add example for type_name) - #65478 (fmt::Write is about string slices, not byte slices) Failed merges: r? @ghost
Centril
added a commit
to Centril/rust
that referenced
this pull request
Oct 17, 2019
…ichton make File::try_clone produce non-inheritable handles on Windows ~**NOT READY FOR REVIEW.** This PR is currently mainly to trigger CI so that I can see what happens. (Is there a better way to trigger CI?) I don't know whether this change makes sense yet.~ (Edit: @Mark-Simulacrum clarified that CI doesn't currently run on Windows.) --- File handles shouldn't be inheritable in general. `std::process::Command` takes care of making them inheritable when child processes are spawned, and the `CREATE_PROCESS_LOCK` protects against races in that section on Windows. But `File::try_clone` has been creating inheritable file descriptors outside of that lock, which could be leaking into other child processes unintentionally. See also rust-lang#31069 (comment).
bors
added a commit
that referenced
this pull request
Oct 17, 2019
Rollup of 8 pull requests Successful merges: - #65237 (Move debug_map assertions after check for err) - #65316 (make File::try_clone produce non-inheritable handles on Windows) - #65319 (InterpCx: make memory field public) - #65461 (Don't recommend ONCE_INIT in std::sync::Once) - #65465 (Move syntax::ext to a syntax_expand and refactor some attribute logic) - #65475 (add example for type_name) - #65478 (fmt::Write is about string slices, not byte slices) - #65486 (doc: fix typo in OsStrExt and OsStringExt) Failed merges: r? @ghost
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
NOT READY FOR REVIEW. This PR is currently mainly to trigger CI so that I can see what happens. (Is there a better way to trigger CI?) I don't know whether this change makes sense yet.(Edit: @Mark-Simulacrum clarified that CI doesn't currently run on Windows.)File handles shouldn't be inheritable in general.
std::process::Commandtakes care of making them inheritable when childprocesses are spawned, and the
CREATE_PROCESS_LOCKprotects againstraces in that section on Windows. But
File::try_clonehas beencreating inheritable file descriptors outside of that lock, which could
be leaking into other child processes unintentionally.
See also #31069 (comment).