Bug 1553982 Part 1 - Manage "multi-instance locks" that can be created by any component. r=bytesized,nalexander

Differential Revision: https://phabricator.services.mozilla.com/D95626

Author: Molly Howell

toolkit/xre/MultiInstanceLock.cpp

@@ -0,0 +1,197 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim:set ts=2 sw=2 sts=2 et cindent: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "MultiInstanceLock.h"
+
+#include "commonupdatedir.h"  // for GetInstallHash
+#include "mozilla/UniquePtr.h"
+#include "nsPrintfCString.h"
+#include "nsPromiseFlatString.h"
+#include "updatedefines.h"  // for NS_t* definitions
+
+#ifndef XP_WIN
+#  include <fcntl.h>
+#  include <sys/stat.h>
+#  include <sys/types.h>
+#endif
+
+namespace mozilla {
+
+static bool GetLockFileName(const char* nameToken, const char16_t* installPath,
+                            nsCString& filePath) {
+  mozilla::UniquePtr<NS_tchar[]> pathHash;
+  if (!GetInstallHash(installPath, MOZ_APP_VENDOR, pathHash)) {
+    return false;
+  }
+
+#ifdef XP_WIN
+  // On Windows, the lock file is placed at the path
+  // ProgramData\[vendor]\[nameToken]-[pathHash], so first we need to get the
+  // ProgramData path and then append our directory and the file name.
+  PWSTR programDataPath;
+  HRESULT hr = SHGetKnownFolderPath(FOLDERID_ProgramData, KF_FLAG_CREATE,
+                                    nullptr, &programDataPath);
+  if (FAILED(hr)) {
+    return false;
+  }
+  mozilla::UniquePtr<wchar_t, CoTaskMemFreeDeleter> programDataPathUnique(
+      programDataPath);
+
+  filePath = nsPrintfCString("%S\\%s\\%s-%S", programDataPath, MOZ_APP_VENDOR,
+                             nameToken, pathHash.get());
+
+#else
+  // On POSIX platforms the base path is /tmp/[vendor][nameToken]-[pathHash].
+  filePath = nsPrintfCString("/tmp/%s%s-%s", MOZ_APP_VENDOR, nameToken,
+                             pathHash.get());
+
+#endif
+
+  return true;
+}
+
+MultiInstLockHandle OpenMultiInstanceLock(const char* nameToken,
+                                          const char16_t* installPath) {
+  nsCString filePath;
+  GetLockFileName(nameToken, installPath, filePath);
+
+  // Open a file handle with full privileges and sharing, and then attempt to
+  // take a shared (nonexclusive, read-only) lock on it.
+#ifdef XP_WIN
+  HANDLE h =
+      ::CreateFileW(PromiseFlatString(NS_ConvertUTF8toUTF16(filePath)).get(),
+                    GENERIC_READ | GENERIC_WRITE,
+                    FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
+                    nullptr, OPEN_ALWAYS, FILE_FLAG_DELETE_ON_CLOSE, nullptr);
+  if (h != INVALID_HANDLE_VALUE) {
+    // The LockFileEx functions always require an OVERLAPPED structure even
+    // though we did not open the lock file for overlapped I/O.
+    OVERLAPPED o = {0};
+    if (!::LockFileEx(h, LOCKFILE_FAIL_IMMEDIATELY, 0, 1, 0, &o)) {
+      CloseHandle(h);
+      h = INVALID_HANDLE_VALUE;
+    }
+  }
+  return h;
+
+#else
+  int fd = ::open(PromiseFlatCString(filePath).get(),
+                  O_CLOEXEC | O_CREAT | O_NOFOLLOW,
+                  S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH);
+  if (fd != -1) {
+    // We would like to ensure that the lock file is deleted when we are done
+    // with it. The normal way to do that would be to call unlink on it right
+    // now, but that would immediately delete the name from the file system, and
+    // we need other instances to be able to open that name and get the same
+    // inode, so we can't unlink the file before we're done with it. This means
+    // we accept some unreliability in getting the file deleted, but it's a zero
+    // byte file in the tmp directory, so having it stay around isn't the worst.
+    struct flock l = {0};
+    l.l_start = 0;
+    l.l_len = 0;
+    l.l_type = F_RDLCK;
+    if (::fcntl(fd, F_SETLK, &l)) {
+      ::close(fd);
+      fd = -1;
+    }
+  }
+  return fd;
+
+#endif
+}
+
+void ReleaseMultiInstanceLock(MultiInstLockHandle lock) {
+  if (lock != MULTI_INSTANCE_LOCK_HANDLE_ERROR) {
+#ifdef XP_WIN
+    OVERLAPPED o = {0};
+    ::UnlockFileEx(lock, 0, 1, 0, &o);
+    // We've used FILE_FLAG_DELETE_ON_CLOSE, so if we are the last instance
+    // with a handle on the lock file, closing it here will delete it.
+    ::CloseHandle(lock);
+
+#else
+    // If we're the last instance, then unlink the lock file. There is a race
+    // condition here that may cause an instance to fail to open the same inode
+    // as another even though they use the same path, but there's no reasonable
+    // way to avoid that without skipping deleting the file at all, so we accept
+    // that risk.
+    bool otherInstance = true;
+    if (IsOtherInstanceRunning(lock, &otherInstance) && !otherInstance) {
+      // Recover the file's path so we can unlink it.
+      // There's no error checking in here because we're content to let the file
+      // hang around if any of this fails (which can happen if for example we're
+      // on a system where /proc/self/fd does not exist); this is a zero-byte
+      // file in the tmp directory after all.
+      UniquePtr<NS_tchar[]> linkPath = MakeUnique<NS_tchar[]>(MAXPATHLEN + 1);
+      NS_tsnprintf(linkPath.get(), MAXPATHLEN + 1, "/proc/self/fd/%d", lock);
+      UniquePtr<NS_tchar[]> lockFilePath =
+          MakeUnique<NS_tchar[]>(MAXPATHLEN + 1);
+      if (::readlink(linkPath.get(), lockFilePath.get(), MAXPATHLEN + 1) !=
+          -1) {
+        ::unlink(lockFilePath.get());
+      }
+    }
+    // Now close the lock file, which will release the lock.
+    ::close(lock);
+#endif
+  }
+}
+
+bool IsOtherInstanceRunning(MultiInstLockHandle lock, bool* aResult) {
+  // Every running instance has opened a readonly lock, and read locks prevent
+  // write locks from being opened, so to see if we are the only instance, we
+  // attempt to take a write lock, and if it succeeds then that must mean there
+  // are no other read locks open and therefore no other instances.
+  if (lock == MULTI_INSTANCE_LOCK_HANDLE_ERROR) {
+    return false;
+  }
+
+#ifdef XP_WIN
+  // We need to release the lock we're holding before we would be allowed to
+  // take an exclusive lock, and if that succeeds we need to release it too
+  // in order to get our shared lock back. This procedure is not atomic, so we
+  // accept the risk of the scheduler deciding to ruin our day between these
+  // operations; we'd get a false negative in a different instance's check.
+  OVERLAPPED o = {0};
+  // Release our current shared lock.
+  if (!::UnlockFileEx(lock, 0, 1, 0, &o)) {
+    return false;
+  }
+  // Attempt to take an exclusive lock.
+  bool rv = false;
+  if (::LockFileEx(lock, LOCKFILE_EXCLUSIVE_LOCK | LOCKFILE_FAIL_IMMEDIATELY, 0,
+                   1, 0, &o)) {
+    // We got the exclusive lock, so now release it.
+    ::UnlockFileEx(lock, 0, 1, 0, &o);
+    *aResult = false;
+    rv = true;
+  } else if (::GetLastError() == ERROR_LOCK_VIOLATION) {
+    // We didn't get the exclusive lock because of outstanding shared locks.
+    *aResult = true;
+    rv = true;
+  }
+  // Attempt to reclaim the shared lock we released at the beginning.
+  if (!::LockFileEx(lock, LOCKFILE_FAIL_IMMEDIATELY, 0, 1, 0, &o)) {
+    rv = false;
+  }
+  return rv;
+
+#else
+  // See if we would be allowed to set a write lock (no need to actually do so).
+  struct flock l = {0};
+  l.l_start = 0;
+  l.l_len = 0;
+  l.l_type = F_WRLCK;
+  if (::fcntl(lock, F_GETLK, &l)) {
+    return false;
+  }
+  *aResult = l.l_type != F_UNLCK;
+  return true;
+
+#endif
+}
+
+};  // namespace mozilla

toolkit/xre/MultiInstanceLock.h

@@ -0,0 +1,84 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim:set ts=2 sw=2 sts=2 et cindent: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef MULTIINSTANCELOCK_H
+#define MULTIINSTANCELOCK_H
+
+#ifdef XP_WIN
+#  include <windows.h>
+#endif
+
+// These functions manage "multi-instance locks", which are a type of lock
+// specifically designed to allow instances of an application, process, or other
+// task to detect when other instances relevant to them are running. Each
+// instance opens a lock and holds it for the duration of the task of interest
+// (which may be the lifetime of the process, or a shorter period). Then while
+// the lock is open, it can be used to check whether any other instances of the
+// same task are currently running out of the same copy of the binary, in the
+// context of any OS user. A process can open any number of locks, so long as
+// they use different names. It is necessary for the process to have permission
+// to create files in /tmp/ on POSIX systems or ProgramData\[vendor]\ on
+// Windows, so this mechanism may not work for sandboxed processes.
+
+// The implementation is based on file locking. An empty file is created in a
+// systemwide (not per-user) location, and a shared (read) lock is taken on that
+// file; the value that OpenMultiInstanceLock() returns is the file
+// handle/descriptor. When you call IsOtherInstanceRunning(), it will attempt to
+// convert that shared lock into an exclusive (write) lock. If that operation
+// would succeed, it means that there must not be any other shared locks
+// currently taken on that file, so we know there are no other instances
+// running. This is a more complex design than most file locks or most other
+// concurrency mechanisms, but it is necessary for this use case because of the
+// requirement that an instance must be able to detect other instances that were
+// started later than it was. If, say, a mutex were used, or another kind of
+// exclusive lock, then the first instance that tried to take it would succeed,
+// and be unable to tell that another instance had tried to take it later and
+// failed. This mechanism allows any number of instances started at any time in
+// relation to one another to always be able to detect that the others exist
+// (although it does not allow you to know how many others exist). The lock is
+// guaranteed to be released if the process holding it crashes or is exec'd into
+// something else, because the file is closed when that happens. The file itself
+// is not necessarily always deleted on POSIX, because it isn't possible (within
+// reason) to guarantee that unlink() is called, but the file is empty and
+// created in the /tmp directory, so should not be a serious problem.
+
+namespace mozilla {
+
+#ifdef XP_WIN
+using MultiInstLockHandle = HANDLE;
+#  define MULTI_INSTANCE_LOCK_HANDLE_ERROR INVALID_HANDLE_VALUE
+#else
+using MultiInstLockHandle = int;
+#  define MULTI_INSTANCE_LOCK_HANDLE_ERROR -1
+#endif
+
+/*
+ * nameToken should be a string very briefly naming the lock you are creating
+ * creating, and it should be unique except for across multiple instances of the
+ * same application. The vendor name is included in the generated path, so it
+ * doesn't need to be present in your supplied name. Try to keep this name sort
+ * of short, ideally under about 64 characters, because creating the lock will
+ * fail if the final path string (the token + the path hash + the vendor name)
+ * is longer than the platform's maximum path and/or path component length.
+ *
+ * installPath should be the path to the directory containing the application,
+ * which will be used to form a path specific to that installation.
+ *
+ * Returns MULTI_INSTANCE_LOCK_HANDLE_ERROR upon failure, or a handle which can
+ * later be passed to the other functions declared here upon success.
+ */
+MultiInstLockHandle OpenMultiInstanceLock(const char* nameToken,
+                                          const char16_t* installPath);
+
+void ReleaseMultiInstanceLock(MultiInstLockHandle lock);
+
+// aResult will be set to true if another instance *was* found, false if not.
+// Return value is true on success, false on error (and aResult won't be set).
+bool IsOtherInstanceRunning(MultiInstLockHandle lock, bool* aResult);
+
+};  // namespace mozilla
+
+#endif  // MULTIINSTANCELOCK_H

toolkit/xre/moz.build

@@ -38,6 +38,7 @@ EXPORTS.mozilla += [
     "AutoSQLiteLifetime.h",
     "Bootstrap.h",
     "CmdLineAndEnvUtils.h",
+    "MultiInstanceLock.h",
     "SafeMode.h",
     "UntrustedModulesData.h",
 ]
@@ -125,6 +126,11 @@ if CONFIG["MOZ_WIDGET_TOOLKIT"] == "android":
         "nsAndroidStartup.cpp",
     ]
 
+if CONFIG["MOZ_WIDGET_TOOLKIT"] != "android":
+    UNIFIED_SOURCES += [
+        "MultiInstanceLock.cpp",
+    ]
+
 UNIFIED_SOURCES += [
     "/toolkit/mozapps/update/common/commonupdatedir.cpp",
     "AutoSQLiteLifetime.cpp",