1 /* Lock files for editing.
2 Copyright (C) 1985-1987, 1993-1994, 1996, 1998-2013 Free Software
5 This file is part of GNU Emacs.
7 GNU Emacs is free software: you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation, either version 3 of the License, or
10 (at your option) any later version.
12 GNU Emacs is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with GNU Emacs. If not, see <http://www.gnu.org/licenses/>. */
22 #include <sys/types.h>
36 #include <sys/sysctl.h>
37 #endif /* __FreeBSD__ */
44 #include "character.h"
50 #include "w32.h" /* for dostounix_filename */
53 #ifdef CLASH_DETECTION
59 /* A file whose last-modified time is just after the most recent boot.
60 Define this to be NULL to disable checking for this file. */
61 #ifndef BOOT_TIME_FILE
62 #define BOOT_TIME_FILE "/var/run/random-seed"
66 #define WTMP_FILE "/var/log/wtmp"
69 /* Normally use a symbolic link to represent a lock.
70 The strategy: to lock a file FN, create a symlink .#FN in FN's
71 directory, with link data `user@host.pid'. This avoids a single
72 mount (== failure) point for lock files.
74 When the host in the lock data is the current host, we can check if
75 the pid is valid with kill.
77 Otherwise, we could look at a separate file that maps hostnames to
78 reboot times to see if the remote pid can possibly be valid, since we
79 don't want Emacs to have to communicate via pipes or sockets or
80 whatever to other processes, either locally or remotely; rms says
81 that's too unreliable. Hence the separate file, which could
82 theoretically be updated by daemons running separately -- but this
83 whole idea is unimplemented; in practice, at least in our
84 environment, it seems such stale locks arise fairly infrequently, and
85 Emacs' standard methods of dealing with clashes suffice.
87 We use symlinks instead of normal files because (1) they can be
88 stored more efficiently on the filesystem, since the kernel knows
89 they will be small, and (2) all the info about the lock can be read
90 in a single system call (readlink). Although we could use regular
91 files to be useful on old systems lacking symlinks, nowadays
92 virtually all such systems are probably single-user anyway, so it
93 didn't seem worth the complication.
Similarly, we don't worry about a possible 14-character limit on
file names, because those are all the same systems that don't have
symlinks.
99 This is compatible with the locking scheme used by Interleaf (which
100 has contributed this implementation for Emacs), and was designed by
101 Ethan Jacobson, Kimbo Mundy, and others.
103 --karl@cs.umb.edu/karl@hq.ileaf.com.
105 On some file systems, notably those of MS-Windows, symbolic links
106 do not work well, so instead of a symlink .#FN -> 'user@host.pid',
107 the lock is a regular file .#FN with contents 'user@host.pid'. To
108 establish a lock, a nonce file is created and then renamed to .#FN.
109 On MS-Windows this renaming is atomic unless the lock is forcibly
110 acquired. On other systems the renaming is atomic if the lock is
111 forcibly acquired; if not, the renaming is done via hard links,
112 which is good enough for lock-file purposes.
114 To summarize, race conditions can occur with either:
116 * Forced locks on MS-Windows systems.
118 * Non-forced locks on non-MS-Windows systems that support neither
119 hard nor symbolic links. */
122 /* Return the time of the last system boot. */
124 static time_t boot_time
;
125 static bool boot_time_initialized
;
128 static void get_boot_time_1 (const char *, bool);
134 #if defined (BOOT_TIME)
138 if (boot_time_initialized
)
140 boot_time_initialized
= 1;
142 #if defined (CTL_KERN) && defined (KERN_BOOTTIME)
146 struct timeval boottime_val
;
149 mib
[1] = KERN_BOOTTIME
;
150 size
= sizeof (boottime_val
);
152 if (sysctl (mib
, 2, &boottime_val
, &size
, NULL
, 0) >= 0)
154 boot_time
= boottime_val
.tv_sec
;
158 #endif /* defined (CTL_KERN) && defined (KERN_BOOTTIME) */
163 if (stat (BOOT_TIME_FILE
, &st
) == 0)
165 boot_time
= st
.st_mtime
;
170 #if defined (BOOT_TIME)
172 /* The utmp routines maintain static state.
173 Don't touch that state unless we are initialized,
174 since it might not survive dumping. */
177 #endif /* not CANNOT_DUMP */
179 /* Try to get boot time from utmp before wtmp,
180 since utmp is typically much smaller than wtmp.
181 Passing a null pointer causes get_boot_time_1
182 to inspect the default file, namely utmp. */
183 get_boot_time_1 ((char *) 0, 0);
187 /* Try to get boot time from the current wtmp file. */
188 get_boot_time_1 (WTMP_FILE
, 1);
/* If we did not find a boot time in wtmp, look at the rotated files wtmp.0, wtmp.0.gz, wtmp.1, and so on. */
191 for (counter
= 0; counter
< 20 && ! boot_time
; counter
++)
193 char cmd_string
[sizeof WTMP_FILE
".19.gz"];
194 Lisp_Object tempname
, filename
;
195 bool delete_flag
= 0;
199 tempname
= make_formatted_string
200 (cmd_string
, "%s.%d", WTMP_FILE
, counter
);
201 if (! NILP (Ffile_exists_p (tempname
)))
205 tempname
= make_formatted_string (cmd_string
, "%s.%d.gz",
207 if (! NILP (Ffile_exists_p (tempname
)))
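/* The utmp functions on mescaline.gnu.org accept only
file names up to 8 characters long. Choose a 2
character long prefix, and call make_temp_name with
second arg non-zero, so that it will add not more
than 6 characters to the prefix.
NOTE(review): the name is only chosen here; the file itself
seems to be created later, when the gzip child writes its
output there. In a temporary directory that other users can
write to, confirm that nothing can claim the path in between. */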
216 filename
= Fexpand_file_name (build_string ("wt"),
217 Vtemporary_file_directory
);
218 filename
= make_temp_name (filename
, 1);
219 args
[0] = build_string ("gzip");
221 args
[2] = list2 (QCfile
, filename
);
223 args
[4] = build_string ("-cd");
225 Fcall_process (6, args
);
230 if (! NILP (filename
))
232 get_boot_time_1 (SSDATA (filename
), 1);
234 unlink (SSDATA (filename
));
245 /* Try to get the boot time from wtmp file FILENAME.
246 This succeeds if that file contains a reboot record.
248 If FILENAME is zero, use the same file as before;
249 if no FILENAME has ever been specified, this is the utmp file.
250 Use the newest reboot record if NEWEST,
251 the first reboot record otherwise.
252 Ignore all reboot records on or before BOOT_TIME.
253 Success is indicated by setting BOOT_TIME to a larger value. */
256 get_boot_time_1 (const char *filename
, bool newest
)
258 struct utmp ut
, *utp
;
263 /* On some versions of IRIX, opening a nonexistent file name
264 is likely to crash in the utmp routines. */
265 desc
= emacs_open (filename
, O_RDONLY
, 0);
278 /* Find the next reboot record. */
279 ut
.ut_type
= BOOT_TIME
;
283 /* Compare reboot times and use the newest one. */
284 if (utp
->ut_time
> boot_time
)
286 boot_time
= utp
->ut_time
;
/* Advance one element in the file
so that getutid won't repeat the same one. */
298 #endif /* BOOT_TIME */
300 /* An arbitrary limit on lock contents length. 8 K should be plenty
301 big enough in practice. */
302 enum { MAX_LFINFO
= 8 * 1024 };
304 /* Here is the structure that stores information about a lock. */
308 /* Location of '@', '.', ':' in USER. If there's no colon, COLON
309 points to the end of USER. */
310 char *at
, *dot
, *colon
;
312 /* Lock file contents USER@HOST.PID with an optional :BOOT_TIME
313 appended. This memory is used as a lock file contents buffer, so
314 it needs room for MAX_LFINFO + 1 bytes. A string " (pid NNNN)"
315 may be appended to the USER@HOST while generating a diagnostic,
316 so make room for its extra bytes (as opposed to ".NNNN") too. */
317 char user
[MAX_LFINFO
+ 1 + sizeof " (pid )" - sizeof "."];
/* Write the name of the lock file for FNAME into LOCKNAME. Length
will be that of FNAME plus two more for the leading ".#", plus one
for the terminating null byte. */
323 #define MAKE_LOCK_NAME(lockname, fname) \
324 (lockname = SAFE_ALLOCA (SBYTES (fname) + 2 + 1), \
325 fill_in_lock_file_name (lockname, fname))
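/* Write into LOCKFILE the lock file name for FN: FN's directory part,
   then ".#", then FN's final component.  LOCKFILE must have room for
   SBYTES (FN) + 2 + 1 bytes, which is what MAKE_LOCK_NAME allocates.  */
static void
fill_in_lock_file_name (char *lockfile, Lisp_Object fn)
{
  char *name = SSDATA (fn);
  char *last_slash = memrchr (name, '/', SBYTES (fn));
  /* memrchr returns a null pointer when FN holds no '/', and adding 1
     to a null pointer is undefined behavior.  Treat such a name as
     having an empty directory part instead.  */
  char *base = last_slash ? last_slash + 1 : name;
  ptrdiff_t dirlen = base - name;

  memcpy (lockfile, name, dirlen);
  lockfile[dirlen] = '.';
  lockfile[dirlen + 1] = '#';
  /* Assumes FN's data is null-terminated no later than SBYTES (FN)
     bytes in, so BASE plus its terminator fits the caller's buffer
     -- TODO confirm against the Lisp string representation.  */
  strcpy (lockfile + dirlen + 2, base);
}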
339 /* For some reason Linux kernels return EPERM on file systems that do
340 not support hard or symbolic links. This symbol documents the quirk.
341 There is no way to tell whether a symlink call fails due to
342 permissions issues or because links are not supported, but luckily
343 the lock file code should work either way. */
344 enum { LINKS_MIGHT_NOT_WORK
= EPERM
};
346 /* Rename OLD to NEW. If FORCE, replace any existing NEW.
347 It is OK if there are temporarily two hard links to OLD.
348 Return 0 if successful, -1 (setting errno) otherwise. */
350 rename_lock_file (char const *old
, char const *new, bool force
)
353 return sys_rename_replace (old
, new, force
);
359 if (link (old
, new) == 0)
360 return unlink (old
) == 0 || errno
== ENOENT
? 0 : -1;
361 if (errno
!= ENOSYS
&& errno
!= LINKS_MIGHT_NOT_WORK
)
364 /* 'link' does not work on this file system. This can occur on
365 a GNU/Linux host mounting a FAT32 file system. Fall back on
366 'rename' after checking that NEW does not exist. There is a
367 potential race condition since some other process may create
368 NEW immediately after the existence check, but it's the best
369 we can portably do here. */
370 if (lstat (new, &st
) == 0 || errno
== EOVERFLOW
)
379 return rename (old
, new);
/* Create the lock file LFNAME with contents LOCK_INFO_STR. Return 0 if
successful, an errno value on failure. If FORCE, remove any
existing LFNAME if necessary. */
388 create_lock_file (char *lfname
, char *lock_info_str
, bool force
)
391 /* Symlinks are supported only by later versions of Windows, and
392 creating them is a privileged operation that often triggers
393 User Account Control elevation prompts. Avoid the problem by
394 pretending that 'symlink' does not work. */
397 int err
= symlink (lock_info_str
, lfname
) == 0 ? 0 : errno
;
400 if (err
== EEXIST
&& force
)
403 err
= symlink (lock_info_str
, lfname
) == 0 ? 0 : errno
;
406 if (err
== ENOSYS
|| err
== LINKS_MIGHT_NOT_WORK
|| err
== ENAMETOOLONG
)
408 static char const nonce_base
[] = ".#-emacsXXXXXX";
409 char *last_slash
= strrchr (lfname
, '/');
410 ptrdiff_t lfdirlen
= last_slash
+ 1 - lfname
;
412 char *nonce
= SAFE_ALLOCA (lfdirlen
+ sizeof nonce_base
);
415 mode_t world_readable
= S_IRUSR
| S_IRGRP
| S_IROTH
;
416 memcpy (nonce
, lfname
, lfdirlen
);
417 strcpy (nonce
+ lfdirlen
, nonce_base
);
420 /* Prefer mkostemp to mkstemp, as it avoids a window where FD is
421 temporarily open without close-on-exec. */
422 fd
= mkostemp (nonce
, O_BINARY
| O_CLOEXEC
);
425 /* Prefer mkstemp to mktemp, as it avoids a race between
426 mktemp and emacs_open. */
427 fd
= mkstemp (nonce
);
431 fd
= emacs_open (nonce
, O_WRONLY
| O_CREAT
| O_EXCL
| O_BINARY
,
440 ptrdiff_t lock_info_len
;
442 fcntl (fd
, F_SETFD
, FD_CLOEXEC
);
444 lock_info_len
= strlen (lock_info_str
);
446 if (emacs_write (fd
, lock_info_str
, lock_info_len
) != lock_info_len
447 || (need_fchmod
&& fchmod (fd
, world_readable
) != 0))
449 /* There is no need to call fsync here, as the contents of
450 the lock file need not survive system crashes. */
451 if (emacs_close (fd
) != 0)
453 if (!err
&& rename_lock_file (nonce
, lfname
, force
) != 0)
465 /* Lock the lock file named LFNAME.
466 If FORCE, do so even if it is already locked.
467 Return 0 if successful, an error number on failure. */
470 lock_file_1 (char *lfname
, bool force
)
472 /* Call this first because it can GC. */
473 printmax_t boot
= get_boot_time ();
475 Lisp_Object luser_name
= Fuser_login_name (Qnil
);
476 char const *user_name
= STRINGP (luser_name
) ? SSDATA (luser_name
) : "";
477 Lisp_Object lhost_name
= Fsystem_name ();
478 char const *host_name
= STRINGP (lhost_name
) ? SSDATA (lhost_name
) : "";
479 char lock_info_str
[MAX_LFINFO
+ 1];
480 printmax_t pid
= getpid ();
482 if (sizeof lock_info_str
483 <= snprintf (lock_info_str
, sizeof lock_info_str
,
484 boot
? "%s@%s.%"pMd
":%"pMd
: "%s@%s.%"pMd
,
485 user_name
, host_name
, pid
, boot
))
488 return create_lock_file (lfname
, lock_info_str
, force
);
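/* Return true if times A and B are no more than one second apart.  */

static bool
within_one_second (time_t a, time_t b)
{
  /* Compare without forming A - B: that difference overflows (undefined
     behavior) for signed time_t values of opposite sign and large
     magnitude, and can never compare equal to -1 in the intended way
     when time_t is unsigned.  */
  if (a == b)
    return true;
  /* The larger operand is strictly above the type's minimum here, so
     subtracting 1 from it cannot wrap.  */
  return a < b ? b - 1 <= a : a - 1 <= b;
}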
499 /* On systems lacking ELOOP, test for an errno value that shouldn't occur. */
504 /* Read the data for the lock file LFNAME into LFINFO. Read at most
505 MAX_LFINFO + 1 bytes. Return the number of bytes read, or -1
506 (setting errno) on error. */
509 read_lock_data (char *lfname
, char lfinfo
[MAX_LFINFO
+ 1])
513 while ((nbytes
= readlinkat (AT_FDCWD
, lfname
, lfinfo
, MAX_LFINFO
+ 1)) < 0
516 int fd
= emacs_open (lfname
, O_RDONLY
| O_BINARY
| O_NOFOLLOW
, 0);
519 ptrdiff_t read_bytes
= emacs_read (fd
, lfinfo
, MAX_LFINFO
+ 1);
520 int read_errno
= errno
;
521 if (emacs_close (fd
) != 0)
530 /* readlinkat saw a non-symlink, but emacs_open saw a symlink.
531 The former must have been removed and replaced by the latter.
539 /* Return 0 if nobody owns the lock file LFNAME or the lock is obsolete,
540 1 if another process owns it (and set OWNER (if non-null) to info),
541 2 if the current process owns it,
542 or -1 if something is wrong with the locking mechanism. */
545 current_lock_owner (lock_info_type
*owner
, char *lfname
)
548 lock_info_type local_owner
;
550 intmax_t pid
, boot_time
;
551 char *at
, *dot
, *lfinfo_end
;
553 /* Even if the caller doesn't want the owner info, we still have to
554 read it to determine return value. */
556 owner
= &local_owner
;
558 /* If nonexistent lock file, all is well; otherwise, got strange error. */
559 lfinfolen
= read_lock_data (lfname
, owner
->user
);
561 return errno
== ENOENT
? 0 : -1;
562 if (MAX_LFINFO
< lfinfolen
)
564 owner
->user
[lfinfolen
] = 0;
566 /* Parse USER@HOST.PID:BOOT_TIME. If can't parse, return -1. */
567 /* The USER is everything before the last @. */
568 owner
->at
= at
= memrchr (owner
->user
, '@', lfinfolen
);
571 owner
->dot
= dot
= strrchr (at
, '.');
575 /* The PID is everything from the last `.' to the `:'. */
576 if (! c_isdigit (dot
[1]))
579 pid
= strtoimax (dot
+ 1, &owner
->colon
, 10);
583 /* After the `:', if there is one, comes the boot time. */
584 switch (owner
->colon
[0])
588 lfinfo_end
= owner
->colon
;
592 if (! c_isdigit (owner
->colon
[1]))
594 boot_time
= strtoimax (owner
->colon
+ 1, &lfinfo_end
, 10);
600 if (lfinfo_end
!= owner
->user
+ lfinfolen
)
603 /* On current host? */
604 if (STRINGP (Vsystem_name
)
605 && dot
- (at
+ 1) == SBYTES (Vsystem_name
)
606 && memcmp (at
+ 1, SSDATA (Vsystem_name
), SBYTES (Vsystem_name
)) == 0)
608 if (pid
== getpid ())
609 ret
= 2; /* We own it. */
610 else if (0 < pid
&& pid
<= TYPE_MAXIMUM (pid_t
)
611 && (kill (pid
, 0) >= 0 || errno
== EPERM
)
613 || (boot_time
<= TYPE_MAXIMUM (time_t)
614 && within_one_second (boot_time
, get_boot_time ()))))
615 ret
= 1; /* An existing process on this machine owns it. */
/* The owner process is dead or has a strange pid, so try to remove the lock file. */
619 return unlink (lfname
);
622 { /* If we wanted to support the check for stale locks on remote machines,
623 here's where we'd do it. */
631 /* Lock the lock named LFNAME if possible.
632 Return 0 in that case.
633 Return positive if some other process owns the lock, and info about
634 that process in CLASHER.
635 Return -1 if cannot lock for any other reason. */
638 lock_if_free (lock_info_type
*clasher
, char *lfname
)
641 while ((err
= lock_file_1 (lfname
, 0)) == EEXIST
)
643 switch (current_lock_owner (clasher
, lfname
))
646 return 0; /* We ourselves locked it. */
648 return 1; /* Someone else has it. */
650 return -1; /* current_lock_owner returned strange error. */
653 /* We deleted a stale lock; try again to lock the file. */
659 /* lock_file locks file FN,
660 meaning it serves notice on the world that you intend to edit that file.
661 This should be done only when about to modify a file-visiting
662 buffer previously unmodified.
663 Do not (normally) call this for a buffer already modified,
664 as either the file is already locked, or the user has already
665 decided to go ahead without locking.
667 When this returns, either the lock is locked for us,
668 or lock creation failed,
669 or the user has said to go ahead without locking.
671 If the file is locked by someone else, this calls
672 ask-user-about-lock (a Lisp function) with two arguments,
673 the file name and info about the user who did the locking.
674 This function can signal an error, or return t meaning
675 take away the lock, or return nil meaning ignore the lock. */
678 lock_file (Lisp_Object fn
)
680 Lisp_Object orig_fn
, encoded_fn
;
682 lock_info_type lock_info
;
686 /* Don't do locking if the user has opted out. */
687 if (! create_lockfiles
)
690 /* Don't do locking while dumping Emacs.
691 Uncompressing wtmp files uses call-process, which does not work
692 in an uninitialized Emacs. */
693 if (! NILP (Vpurify_flag
))
698 fn
= Fexpand_file_name (fn
, Qnil
);
700 /* Ensure we have only '/' separators, to avoid problems with
701 looking (inside fill_in_lock_file_name) for backslashes in file
702 names encoded by some DBCS codepage. */
703 dostounix_filename (SSDATA (fn
), 1);
705 encoded_fn
= ENCODE_FILE (fn
);
707 /* Create the name of the lock-file for file fn */
708 MAKE_LOCK_NAME (lfname
, encoded_fn
);
/* See if this file is visited and has changed on disk since it was visited. */
713 register Lisp_Object subject_buf
;
715 subject_buf
= get_truename_buffer (orig_fn
);
717 if (!NILP (subject_buf
)
718 && NILP (Fverify_visited_file_modtime (subject_buf
))
719 && !NILP (Ffile_exists_p (fn
)))
720 call1 (intern ("ask-user-about-supersession-threat"), fn
);
724 /* Try to lock the lock. */
725 if (0 < lock_if_free (&lock_info
, lfname
))
727 /* Someone else has the lock. Consider breaking it. */
729 char *dot
= lock_info
.dot
;
730 ptrdiff_t pidlen
= lock_info
.colon
- (dot
+ 1);
731 static char const replacement
[] = " (pid ";
732 int replacementlen
= sizeof replacement
- 1;
733 memmove (dot
+ replacementlen
, dot
+ 1, pidlen
);
734 strcpy (dot
+ replacementlen
+ pidlen
, ")");
735 memcpy (dot
, replacement
, replacementlen
);
736 attack
= call2 (intern ("ask-user-about-lock"), fn
,
737 build_string (lock_info
.user
));
738 /* Take the lock if the user said so. */
740 lock_file_1 (lfname
, 1);
748 unlock_file (Lisp_Object fn
)
753 fn
= Fexpand_file_name (fn
, Qnil
);
754 fn
= ENCODE_FILE (fn
);
756 MAKE_LOCK_NAME (lfname
, fn
);
758 if (current_lock_owner (0, lfname
) == 2)
/* Walk Vbuffer_alist and call unlock_file on the file_truename of
   every buffer whose file_truename is a string and whose modification
   counter is ahead of its save counter.  */
void
unlock_all_files (void)
{
  Lisp_Object rest;

  for (rest = Vbuffer_alist; CONSP (rest); rest = XCDR (rest))
    {
      /* The buffer object is taken from the cdr of each alist element.  */
      struct buffer *buf = XBUFFER (XCDR (XCAR (rest)));

      if (! STRINGP (BVAR (buf, file_truename)))
	continue;
      if (BUF_MODIFF (buf) > BUF_SAVE_MODIFF (buf))
	unlock_file (BVAR (buf, file_truename));
    }
}
780 DEFUN ("lock-buffer", Flock_buffer
, Slock_buffer
,
782 doc
: /* Lock FILE, if current buffer is modified.
783 FILE defaults to current buffer's visited file,
784 or else nothing is done if current buffer isn't visiting a file. */)
788 file
= BVAR (current_buffer
, file_truename
);
791 if (SAVE_MODIFF
< MODIFF
797 DEFUN ("unlock-buffer", Funlock_buffer
, Sunlock_buffer
,
799 doc
: /* Unlock the file visited in the current buffer.
800 If the buffer is not modified, this does nothing because the file
801 should not be locked in that case. */)
804 if (SAVE_MODIFF
< MODIFF
805 && STRINGP (BVAR (current_buffer
, file_truename
)))
806 unlock_file (BVAR (current_buffer
, file_truename
));
/* Unlock the file visited in buffer BUFFER.  Nothing is done unless
   BUFFER's modification counter is ahead of its save counter and its
   file_truename is a string.  */

void
unlock_buffer (struct buffer *buffer)
{
  /* No change recorded since the last save: nothing to release.  */
  if (BUF_SAVE_MODIFF (buffer) >= BUF_MODIFF (buffer))
    return;
  /* Without a string file_truename there is no file name to unlock.  */
  if (! STRINGP (BVAR (buffer, file_truename)))
    return;

  unlock_file (BVAR (buffer, file_truename));
}
820 DEFUN ("file-locked-p", Ffile_locked_p
, Sfile_locked_p
, 1, 1, 0,
821 doc
: /* Return a value indicating whether FILENAME is locked.
822 The value is nil if the FILENAME is not locked,
823 t if it is locked by you, else a string saying which user has locked it. */)
824 (Lisp_Object filename
)
829 lock_info_type locker
;
832 filename
= Fexpand_file_name (filename
, Qnil
);
834 MAKE_LOCK_NAME (lfname
, filename
);
836 owner
= current_lock_owner (&locker
, lfname
);
842 ret
= make_string (locker
.user
, locker
.at
- locker
.user
);
848 #endif /* CLASH_DETECTION */
851 syms_of_filelock (void)
853 DEFVAR_LISP ("temporary-file-directory", Vtemporary_file_directory
,
854 doc
: /* The directory for writing temporary files. */);
855 Vtemporary_file_directory
= Qnil
;
857 DEFVAR_BOOL ("create-lockfiles", create_lockfiles
,
858 doc
: /* Non-nil means use lockfiles to avoid editing collisions. */);
859 create_lockfiles
= 1;
861 #ifdef CLASH_DETECTION
862 defsubr (&Sunlock_buffer
);
863 defsubr (&Slock_buffer
);
864 defsubr (&Sfile_locked_p
);