posix: Add _Fork [BZ #4737]

Austin Group issue 62 [1] dropped the async-signal-safe requirement
for fork and provided a async-signal-safe _Fork replacement that
does not run the atfork handlers.  It will be included in the next
POSIX standard.

It allow to close a long standing issue to make fork AS-safe (BZ#4737).
As indicated on the bug, besides the internal lock for the atfork
handlers itself; there is no guarantee that the handlers itself will
not introduce more AS-safe issues.

The idea is synchronize fork with the required internal locks to allow
children in multithread processes to use mostly of standard function
(even though POSIX states only AS-safe function should be used).  On
signal handles, _Fork should be used intead and only AS-safe functions
should be used.

For testing, the new tst-_Fork only check basic usage.  I also added
a new tst-mallocfork3 which uses the same strategy to check for
deadlock of tst-mallocfork2 but using threads instead of subprocesses
(and it does deadlock if it replaces _Fork with fork).

[1] https://austingroupbugs.net/view.php?id=62

42 files changed, 451 insertions, 17 deletions

diff --git a/NEWS b/NEWS
index 6931135ab9..60933bd975 100644
--- a/NEWS
+++ b/NEWS
@@ -52,6 +52,14 @@ Major new features:
 * On Linux, a new tunable, glibc.pthread.stack_cache_size, can be used
   to configure the size of the thread stack cache.
 
+* The function _Fork has been added as an async-signal-safe fork replacement
+  since Austin Group issue 62 droped the async-signal-safe requirement for
+  fork (and it will be included in the future POSIX standard).  The new _Fork
+  function does not run any atfork function neither resets any internal state
+  or lock (such as the malloc one), and only sets up a minimal state required
+  to call async-signal-safe functions (such as raise or execve).  This function
+  is currently a GNU extension.
+
 Deprecated and removed features, and other changes affecting compatibility:
 
 * The function pthread_mutex_consistent_np has been deprecated; programs
diff --git a/malloc/Makefile b/malloc/Makefile
index 3162301fba..9bc2e50a9a 100644
--- a/malloc/Makefile
+++ b/malloc/Makefile
@@ -31,6 +31,7 @@ tests := mallocbug tst-malloc tst-valloc tst-calloc tst-obstack \
 	 tst-malloc-backtrace tst-malloc-thread-exit \
 	 tst-malloc-thread-fail tst-malloc-fork-deadlock \
 	 tst-mallocfork2 \
+	 tst-mallocfork3 \
 	 tst-interpose-nothread \
 	 tst-interpose-thread \
 	 tst-alloc_buffer \
@@ -113,6 +114,8 @@ libmemusage-inhibit-o = $(filter-out .os,$(object-suffixes))
 $(objpfx)tst-malloc-backtrace: $(shared-thread-library)
 $(objpfx)tst-malloc-thread-exit: $(shared-thread-library)
 $(objpfx)tst-malloc-thread-fail: $(shared-thread-library)
+$(objpfx)tst-mallocfork3: $(shared-thread-library)
+$(objpfx)tst-mallocfork3-mcheck: $(shared-thread-library)
 $(objpfx)tst-malloc-fork-deadlock: $(shared-thread-library)
 $(objpfx)tst-malloc-stats-cancellation: $(shared-thread-library)
 $(objpfx)tst-malloc-backtrace-malloc-check: $(shared-thread-library)
diff --git a/malloc/tst-mallocfork3.c b/malloc/tst-mallocfork3.c
new file mode 100644
index 0000000000..4ac99eea43
--- /dev/null
+++ b/malloc/tst-mallocfork3.c
@@ -0,0 +1,213 @@
+/* Test case for async-signal-safe _Fork (with respect to malloc).
+   Copyright (C) 2021 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public License as
+   published by the Free Software Foundation; either version 2.1 of the
+   License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; see the file COPYING.LIB.  If
+   not, see <https://www.gnu.org/licenses/>.  */
+
+/* This test is similar to tst-mallocfork2.c, but specifically stress
+   the async-signal-safeness of _Fork on multithread environment.  */
+
+#include <array_length.h>
+#include <errno.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <support/check.h>
+#include <support/support.h>
+#include <support/xsignal.h>
+#include <support/xthread.h>
+#include <support/xunistd.h>
+#include <sys/wait.h>
+
+/* How many malloc objects to keep arond.  */
+enum { malloc_objects = 1009 };
+
+/* The maximum size of an object.  */
+enum { malloc_maximum_size = 70000 };
+
+/* How many iterations the test performs before exiting.  */
+enum { iterations = 10000 };
+
+/* Barrier for synchronization with the threads sending SIGUSR1
+   signals, to make it more likely that the signals arrive during a
+   fork/free/malloc call.  */
+static pthread_barrier_t barrier;
+
+/* Set to 1 if SIGUSR1 is received.  Used to detect a signal during
+   fork/free/malloc.  */
+static volatile sig_atomic_t sigusr1_received;
+
+/* Periodically set to 1, to indicate that the thread is making
+   progress.  Checked by liveness_signal_handler.  */
+static volatile sig_atomic_t progress_indicator = 1;
+
+/* Set to 1 if an error occurs in the signal handler.  */
+static volatile sig_atomic_t error_indicator = 0;
+
+static void
+sigusr1_handler (int signo)
+{
+  sigusr1_received = 1;
+
+  /* Perform a fork with a trivial subprocess.  */
+  pid_t pid = _Fork ();
+  if (pid == -1)
+    {
+      write_message ("error: fork\n");
+      error_indicator = 1;
+      return;
+    }
+  if (pid == 0)
+    _exit (0);
+  int status;
+  int ret = TEMP_FAILURE_RETRY (waitpid (pid, &status, 0));
+  if (ret < 0)
+    {
+      write_message ("error: waitpid\n");
+      error_indicator = 1;
+      return;
+    }
+  if (status != 0)
+    {
+      write_message ("error: unexpected exit status from subprocess\n");
+      error_indicator = 1;
+      return;
+    }
+}
+
+static void
+liveness_signal_handler (int signo)
+{
+  if (progress_indicator)
+    progress_indicator = 0;
+  else
+    write_message ("warning: thread seems to be stuck\n");
+}
+
+struct signal_send_args
+{
+  pthread_t target;
+  int signo;
+  bool sleep;
+};
+#define SIGNAL_SEND_GET_ARG(arg, field) \
+  (((struct signal_send_args *)(arg))->field)
+
+/* Send SIGNO to the parent thread.  If SLEEP, wait a second between
+   signals, otherwise use barriers to delay sending signals.  */
+static void *
+signal_sender (void *args)
+{
+  int signo = SIGNAL_SEND_GET_ARG (args, signo);
+  bool sleep = SIGNAL_SEND_GET_ARG (args, sleep);
+
+  pthread_t target = SIGNAL_SEND_GET_ARG (args, target);
+  while (true)
+    {
+      if (!sleep)
+        xpthread_barrier_wait (&barrier);
+      xpthread_kill (target, signo);
+      if (sleep)
+        usleep (1 * 1000 * 1000);
+      else
+        xpthread_barrier_wait (&barrier);
+    }
+  return NULL;
+}
+
+static pthread_t sigusr1_sender[5];
+static pthread_t sigusr2_sender;
+
+static int
+do_test (void)
+{
+  xsignal (SIGUSR1, sigusr1_handler);
+  xsignal (SIGUSR2, liveness_signal_handler);
+
+  pthread_t self = pthread_self ();
+
+  struct signal_send_args sigusr2_args = { self, SIGUSR2, true };
+  sigusr2_sender = xpthread_create (NULL, signal_sender, &sigusr2_args);
+
+  /* Send SIGUSR1 signals from several threads.  Hopefully, one
+     signal will hit one of the ciritical functions.  Use a barrier to
+     avoid sending signals while not running fork/free/malloc.  */
+  struct signal_send_args sigusr1_args = { self, SIGUSR1, false };
+  xpthread_barrier_init (&barrier, NULL,
+                         array_length (sigusr1_sender) + 1);
+  for (size_t i = 0; i < array_length (sigusr1_sender); ++i)
+    sigusr1_sender[i] = xpthread_create (NULL, signal_sender, &sigusr1_args);
+
+  void *objects[malloc_objects] = {};
+  unsigned int fork_signals = 0;
+  unsigned int free_signals = 0;
+  unsigned int malloc_signals = 0;
+  unsigned int seed = 1;
+  for (int i = 0; i < iterations; ++i)
+    {
+      progress_indicator = 1;
+      int slot = rand_r (&seed) % malloc_objects;
+      size_t size = rand_r (&seed) % malloc_maximum_size;
+
+      /* Occasionally do a fork first, to catch deadlocks there as
+         well (see bug 24161).  */
+      bool do_fork = (rand_r (&seed) % 7) == 0;
+
+      xpthread_barrier_wait (&barrier);
+      if (do_fork)
+        {
+          sigusr1_received = 0;
+          pid_t pid = _Fork ();
+          TEST_VERIFY_EXIT (pid != -1);
+          if (sigusr1_received)
+            ++fork_signals;
+          if (pid == 0)
+            _exit (0);
+          int status;
+          int ret = TEMP_FAILURE_RETRY (waitpid (pid, &status, 0));
+          if (ret < 0)
+            FAIL_EXIT1 ("waitpid: %m");
+          TEST_COMPARE (status, 0);
+        }
+      sigusr1_received = 0;
+      free (objects[slot]);
+      if (sigusr1_received)
+        ++free_signals;
+      sigusr1_received = 0;
+      objects[slot] = malloc (size);
+      if (sigusr1_received)
+        ++malloc_signals;
+      xpthread_barrier_wait (&barrier);
+
+      if (objects[slot] == NULL || error_indicator != 0)
+        {
+          printf ("error: malloc: %m\n");
+          return 1;
+        }
+    }
+
+  /* Clean up allocations.  */
+  for (int slot = 0; slot < malloc_objects; ++slot)
+    free (objects[slot]);
+
+  printf ("info: signals received during fork: %u\n", fork_signals);
+  printf ("info: signals received during free: %u\n", free_signals);
+  printf ("info: signals received during malloc: %u\n", malloc_signals);
+
+  return 0;
+}
+
+#define TIMEOUT 100
+#include <support/test-driver.c>
diff --git a/manual/process.texi b/manual/process.texi
index 134d5c6143..28c9531f42 100644
--- a/manual/process.texi
+++ b/manual/process.texi
@@ -137,8 +137,8 @@ creating a process and making it run another program.
 @cindex parent process
 @cindex subprocess
 A new processes is created when one of the functions
-@code{posix_spawn}, @code{fork}, or @code{vfork} is called.  (The
-@code{system} and @code{popen} also create new processes internally.)
+@code{posix_spawn}, @code{fork}, @code{_Fork} or @code{vfork} is called.
+(The @code{system} and @code{popen} also create new processes internally.)
 Due to the name of the @code{fork} function, the act of creating a new
 process is sometimes called @dfn{forking} a process.  Each new process
 (the @dfn{child process} or @dfn{subprocess}) is allocated a process
@@ -154,9 +154,10 @@ limited information about why the child terminated---for example, its
 exit status code.
 
 A newly forked child process continues to execute the same program as
-its parent process, at the point where the @code{fork} call returns.
-You can use the return value from @code{fork} to tell whether the program
-is running in the parent process or the child.
+its parent process, at the point where the @code{fork} or @code{_Fork}
+call returns.  You can use the return value from @code{fork} or
+@code{_Fork} to tell whether the program is running in the parent process
+or the child.
 
 @cindex process image
 Having several processes run the same program is only occasionally
@@ -248,16 +249,13 @@ It is declared in the header file @file{unistd.h}.
 @deftypefun pid_t fork (void)
 @standards{POSIX.1, unistd.h}
 @safety{@prelim{}@mtsafe{}@asunsafe{@ascuplugin{}}@acunsafe{@aculock{}}}
-@c The nptl/.../linux implementation safely collects fork_handlers into
-@c an alloca()ed linked list and increments ref counters; it uses atomic
-@c ops and retries, avoiding locking altogether.  It then takes the
-@c IO_list lock, resets the thread-local pid, and runs fork.  The parent
-@c restores the thread-local pid, releases the lock, and runs parent
-@c handlers, decrementing the ref count and signaling futex wait if
-@c requested by unregister_atfork.  The child bumps the fork generation,
-@c sets the thread-local pid, resets cpu clocks, initializes the robust
-@c mutex list, the stream locks, the IO_list lock, the dynamic loader
-@c lock, runs the child handlers, reseting ref counters to 1, and
+@c The posix/fork.c implementation iterates over the fork_handlers
+@c using a lock.  It then takes the IO_list lock, resets the thread-local
+@c pid, and runs fork.  The parent releases the lock, and runs parent
+@c handlers, and unlocks the internal lock.  The child bumps the fork
+@c generation, sets the thread-local pid, resets cpu clocks, initializes
+@c the robust mutex list, the stream locks, the IO_list lock, the dynamic
+@c loader lock, runs the child handlers, reseting ref counters to 1, and
 @c initializes the fork lock.  These are all safe, unless atfork
 @c handlers themselves are unsafe.
 The @code{fork} function creates a new process.
@@ -321,6 +319,19 @@ process is cleared.  (The child process inherits its mask of blocked
 signals and signal actions from the parent process.)
 @end itemize
 
+@deftypefun pid_t _Fork (void)
+@standards{GNU, unistd.h}
+@safety{@prelim{}@mtsafe{}@assafe{}@acsafe{}}
+The @code{_Fork} function is similar to @code{fork}, but it does not invoke
+any callbacks registered with @code{pthread_atfork}, nor does it reset
+any internal state or locks (such as the @code{malloc} locks).  In the
+new subprocess, only async-signal-safe functions may be called, such as
+@code{dup2} or @code{execve}.
+
+The @code{_Fork} function is an async-signal-safe replacement of @code{fork}.
+It is a GNU extension.
+
+@end deftypefun
 
 @deftypefun pid_t vfork (void)