Ensure that sandboxed processes exit before their sandboxes are clean… #18642
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…ed up (Cherry-pick of pantsbuild#18632) As @jsirois discovered and described in pantsbuild#16778 (comment), because the `local::CommandRunner` does not `wait` for its child process to have exited, it might be possible for a SIGKILL to not have taken effect on the child process before its sandbox has been torn down. And that could result in the process seeing a partial sandbox (and in the case of pantsbuild#16778, potentially cause named cache corruption). This change ensures that we block to call `wait` when spawning local processes by wrapping them in the `ManagedChild` helper that we were already using for interactive processes. It then attempts to clarify the contract of the `CapturedWorkdir` trait (but in order to improve cherry-pickability does not attempt to adjust it), to make it clear that child processes should fully exit before the `run_and_capture_workdir` method has returned. Fixes pantsbuild#16778 🤞. --------- Co-authored-by: John Sirois <[email protected]> (cherry picked from commit 1462bef)
tdyas
approved these changes
Mar 31, 2023
|
This cherry-pick was not clean. The conflicts were use conflicts, |
stuhood
approved these changes
Mar 31, 2023
| subprocess.kill().map_err(|e| format!("Failed to interrupt child process: {}", e)).await?; | ||
| }; | ||
| subprocess.wait().await.map_err(|e| e.to_string()) | ||
| let exit_status = session.clone() |
There was a problem hiding this comment.
I would have expected cargo fmt to want to re-indent this, since in 2.15.x+ it was nested in a macro, and it isn't here. But if it passes, then not worth re-running CI over.
There was a problem hiding this comment.
Ah, yeah. It does seem to have been fine with this; so I'll submit.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
…ed up (Cherry-pick of #18632)
As @jsirois discovered and described in
#16778 (comment), because the
local::CommandRunnerdoes notwaitfor its child process to have exited, it might be possible for a SIGKILL to not have taken effect on the child process before its sandbox has been torn down. And that could result in the process seeing a partial sandbox (and in the case of #16778, potentially cause named cache corruption).This change ensures that we block to call
waitwhen spawning local processes by wrapping them in theManagedChildhelper that we were already using for interactive processes. It then attempts to clarify the contract of theCapturedWorkdirtrait (but in order to improve cherry-pickability does not attempt to adjust it), to make it clear that child processes should fully exit before therun_and_capture_workdirmethod has returned.Fixes #16778 🤞.
Co-authored-by: John Sirois [email protected]
(cherry picked from commit 1462bef)