1 /* Lock files for editing.
3 Copyright (C) 1985-1987, 1993-1994, 1996, 1998-2016 Free Software
7 (according to authors.el)
9 This file is part of GNU Emacs.
11 GNU Emacs is free software: you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation, either version 3 of the License, or (at
14 your option) any later version.
16 GNU Emacs is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
21 You should have received a copy of the GNU General Public License
22 along with GNU Emacs. If not, see <http://www.gnu.org/licenses/>. */
26 #include <sys/types.h>
41 #include <sys/sysctl.h>
42 #endif /* __FreeBSD__ */
53 #include <sys/socket.h> /* for fcntl */
54 #include "w32.h" /* for dostounix_filename */
63 /* A file whose last-modified time is just after the most recent boot.
64 Define this to be NULL to disable checking for this file. */
65 #ifndef BOOT_TIME_FILE
66 #define BOOT_TIME_FILE "/var/run/random-seed"
69 #if !defined WTMP_FILE && !defined WINDOWSNT
70 #define WTMP_FILE "/var/log/wtmp"
73 /* Normally use a symbolic link to represent a lock.
74 The strategy: to lock a file FN, create a symlink .#FN in FN's
75 directory, with link data `user@host.pid'. This avoids a single
76 mount (== failure) point for lock files.
78 When the host in the lock data is the current host, we can check if
79 the pid is valid with kill.
81 Otherwise, we could look at a separate file that maps hostnames to
82 reboot times to see if the remote pid can possibly be valid, since we
83 don't want Emacs to have to communicate via pipes or sockets or
84 whatever to other processes, either locally or remotely; rms says
85 that's too unreliable. Hence the separate file, which could
86 theoretically be updated by daemons running separately -- but this
87 whole idea is unimplemented; in practice, at least in our
88 environment, it seems such stale locks arise fairly infrequently, and
89 Emacs' standard methods of dealing with clashes suffice.
91 We use symlinks instead of normal files because (1) they can be
92 stored more efficiently on the filesystem, since the kernel knows
93 they will be small, and (2) all the info about the lock can be read
94 in a single system call (readlink). Although we could use regular
95 files to be useful on old systems lacking symlinks, nowadays
96 virtually all such systems are probably single-user anyway, so it
97 didn't seem worth the complication.
99 Similarly, we don't worry about a possible 14-character limit on
100 file names, because those are all the same systems that don't have
103 This is compatible with the locking scheme used by Interleaf (which
104 has contributed this implementation for Emacs), and was designed by
105 Ethan Jacobson, Kimbo Mundy, and others.
107 --karl@cs.umb.edu/karl@hq.ileaf.com.
109 On some file systems, notably those of MS-Windows, symbolic links
110 do not work well, so instead of a symlink .#FN -> 'user@host.pid',
111 the lock is a regular file .#FN with contents 'user@host.pid'. To
112 establish a lock, a nonce file is created and then renamed to .#FN.
113 On MS-Windows this renaming is atomic unless the lock is forcibly
114 acquired. On other systems the renaming is atomic if the lock is
115 forcibly acquired; if not, the renaming is done via hard links,
116 which is good enough for lock-file purposes.
118 To summarize, race conditions can occur with either:
120 * Forced locks on MS-Windows systems.
122 * Non-forced locks on non-MS-Windows systems that support neither
123 hard nor symbolic links. */
126 /* Return the time of the last system boot. */
128 static time_t boot_time
;
129 static bool boot_time_initialized
;
132 static void get_boot_time_1 (const char *, bool);
138 #if defined (BOOT_TIME)
142 if (boot_time_initialized
)
144 boot_time_initialized
= 1;
146 #if defined (CTL_KERN) && defined (KERN_BOOTTIME)
150 struct timeval boottime_val
;
153 mib
[1] = KERN_BOOTTIME
;
154 size
= sizeof (boottime_val
);
156 if (sysctl (mib
, 2, &boottime_val
, &size
, NULL
, 0) >= 0)
158 boot_time
= boottime_val
.tv_sec
;
162 #endif /* defined (CTL_KERN) && defined (KERN_BOOTTIME) */
167 if (stat (BOOT_TIME_FILE
, &st
) == 0)
169 boot_time
= st
.st_mtime
;
174 #if defined (BOOT_TIME)
176 /* The utmp routines maintain static state.
177 Don't touch that state unless we are initialized,
178 since it might not survive dumping. */
181 #endif /* not CANNOT_DUMP */
183 /* Try to get boot time from utmp before wtmp,
184 since utmp is typically much smaller than wtmp.
185 Passing a null pointer causes get_boot_time_1
186 to inspect the default file, namely utmp. */
187 get_boot_time_1 (0, 0);
191 /* Try to get boot time from the current wtmp file. */
192 get_boot_time_1 (WTMP_FILE
, 1);
194 /* If we did not find a boot time in wtmp, look at wtmp, and so on. */
195 for (counter
= 0; counter
< 20 && ! boot_time
; counter
++)
197 Lisp_Object filename
= Qnil
;
198 bool delete_flag
= false;
199 char cmd_string
[sizeof WTMP_FILE
".19.gz"];
200 AUTO_STRING_WITH_LEN (tempname
, cmd_string
,
201 sprintf (cmd_string
, "%s.%d", WTMP_FILE
, counter
));
202 if (! NILP (Ffile_exists_p (tempname
)))
206 tempname
= make_formatted_string (cmd_string
, "%s.%d.gz",
208 if (! NILP (Ffile_exists_p (tempname
)))
210 /* The utmp functions on mescaline.gnu.org accept only
211 file names up to 8 characters long. Choose a 2
212 character long prefix, and call make_temp_file with
213 second arg non-zero, so that it will add not more
214 than 6 characters to the prefix. */
215 filename
= Fexpand_file_name (build_string ("wt"),
216 Vtemporary_file_directory
);
217 filename
= make_temp_name (filename
, 1);
218 CALLN (Fcall_process
, build_string ("gzip"), Qnil
,
219 list2 (QCfile
, filename
), Qnil
,
220 build_string ("-cd"), tempname
);
225 if (! NILP (filename
))
227 get_boot_time_1 (SSDATA (filename
), 1);
229 unlink (SSDATA (filename
));
240 /* Try to get the boot time from wtmp file FILENAME.
241 This succeeds if that file contains a reboot record.
243 If FILENAME is zero, use the same file as before;
244 if no FILENAME has ever been specified, this is the utmp file.
245 Use the newest reboot record if NEWEST,
246 the first reboot record otherwise.
247 Ignore all reboot records on or before BOOT_TIME.
248 Success is indicated by setting BOOT_TIME to a larger value. */
251 get_boot_time_1 (const char *filename
, bool newest
)
253 struct utmp ut
, *utp
;
262 /* Find the next reboot record. */
263 ut
.ut_type
= BOOT_TIME
;
267 /* Compare reboot times and use the newest one. */
268 if (utp
->ut_time
> boot_time
)
270 boot_time
= utp
->ut_time
;
274 /* Advance on element in the file
275 so that getutid won't repeat the same one. */
282 #endif /* BOOT_TIME */
284 /* An arbitrary limit on lock contents length. 8 K should be plenty
285 big enough in practice. */
286 enum { MAX_LFINFO
= 8 * 1024 };
288 /* Here is the structure that stores information about a lock. */
292 /* Location of '@', '.', ':' in USER. If there's no colon, COLON
293 points to the end of USER. */
294 char *at
, *dot
, *colon
;
296 /* Lock file contents USER@HOST.PID with an optional :BOOT_TIME
297 appended. This memory is used as a lock file contents buffer, so
298 it needs room for MAX_LFINFO + 1 bytes. A string " (pid NNNN)"
299 may be appended to the USER@HOST while generating a diagnostic,
300 so make room for its extra bytes (as opposed to ".NNNN") too. */
301 char user
[MAX_LFINFO
+ 1 + sizeof " (pid )" - sizeof "."];
304 /* Write the name of the lock file for FNAME into LOCKNAME. Length
305 will be that of FNAME plus two more for the leading ".#", plus one
307 #define MAKE_LOCK_NAME(lockname, fname) \
308 (lockname = SAFE_ALLOCA (SBYTES (fname) + 2 + 1), \
309 fill_in_lock_file_name (lockname, fname))
312 fill_in_lock_file_name (char *lockfile
, Lisp_Object fn
)
314 char *last_slash
= memrchr (SSDATA (fn
), '/', SBYTES (fn
));
315 char *base
= last_slash
+ 1;
316 ptrdiff_t dirlen
= base
- SSDATA (fn
);
317 memcpy (lockfile
, SSDATA (fn
), dirlen
);
318 lockfile
[dirlen
] = '.';
319 lockfile
[dirlen
+ 1] = '#';
320 strcpy (lockfile
+ dirlen
+ 2, base
);
323 /* For some reason Linux kernels return EPERM on file systems that do
324 not support hard or symbolic links. This symbol documents the quirk.
325 There is no way to tell whether a symlink call fails due to
326 permissions issues or because links are not supported, but luckily
327 the lock file code should work either way. */
328 enum { LINKS_MIGHT_NOT_WORK
= EPERM
};
330 /* Rename OLD to NEW. If FORCE, replace any existing NEW.
331 It is OK if there are temporarily two hard links to OLD.
332 Return 0 if successful, -1 (setting errno) otherwise. */
334 rename_lock_file (char const *old
, char const *new, bool force
)
337 return sys_rename_replace (old
, new, force
);
343 if (link (old
, new) == 0)
344 return unlink (old
) == 0 || errno
== ENOENT
? 0 : -1;
345 if (errno
!= ENOSYS
&& errno
!= LINKS_MIGHT_NOT_WORK
)
348 /* 'link' does not work on this file system. This can occur on
349 a GNU/Linux host mounting a FAT32 file system. Fall back on
350 'rename' after checking that NEW does not exist. There is a
351 potential race condition since some other process may create
352 NEW immediately after the existence check, but it's the best
353 we can portably do here. */
354 if (lstat (new, &st
) == 0 || errno
== EOVERFLOW
)
363 return rename (old
, new);
367 /* Create the lock file LFNAME with contents LOCK_INFO_STR. Return 0 if
368 successful, an errno value on failure. If FORCE, remove any
369 existing LFNAME if necessary. */
372 create_lock_file (char *lfname
, char *lock_info_str
, bool force
)
375 /* Symlinks are supported only by later versions of Windows, and
376 creating them is a privileged operation that often triggers
377 User Account Control elevation prompts. Avoid the problem by
378 pretending that 'symlink' does not work. */
381 int err
= symlink (lock_info_str
, lfname
) == 0 ? 0 : errno
;
384 if (err
== EEXIST
&& force
)
387 err
= symlink (lock_info_str
, lfname
) == 0 ? 0 : errno
;
390 if (err
== ENOSYS
|| err
== LINKS_MIGHT_NOT_WORK
|| err
== ENAMETOOLONG
)
392 static char const nonce_base
[] = ".#-emacsXXXXXX";
393 char *last_slash
= strrchr (lfname
, '/');
394 ptrdiff_t lfdirlen
= last_slash
+ 1 - lfname
;
396 char *nonce
= SAFE_ALLOCA (lfdirlen
+ sizeof nonce_base
);
398 memcpy (nonce
, lfname
, lfdirlen
);
399 strcpy (nonce
+ lfdirlen
, nonce_base
);
401 fd
= mkostemp (nonce
, O_BINARY
| O_CLOEXEC
);
406 ptrdiff_t lock_info_len
;
408 fcntl (fd
, F_SETFD
, FD_CLOEXEC
);
409 lock_info_len
= strlen (lock_info_str
);
411 /* Use 'write', not 'emacs_write', as garbage collection
412 might signal an error, which would leak FD. */
413 if (write (fd
, lock_info_str
, lock_info_len
) != lock_info_len
414 || fchmod (fd
, S_IRUSR
| S_IRGRP
| S_IROTH
) != 0)
416 /* There is no need to call fsync here, as the contents of
417 the lock file need not survive system crashes. */
418 if (emacs_close (fd
) != 0)
420 if (!err
&& rename_lock_file (nonce
, lfname
, force
) != 0)
432 /* Lock the lock file named LFNAME.
433 If FORCE, do so even if it is already locked.
434 Return 0 if successful, an error number on failure. */
437 lock_file_1 (char *lfname
, bool force
)
439 /* Call this first because it can GC. */
440 printmax_t boot
= get_boot_time ();
442 Lisp_Object luser_name
= Fuser_login_name (Qnil
);
443 char const *user_name
= STRINGP (luser_name
) ? SSDATA (luser_name
) : "";
444 Lisp_Object lhost_name
= Fsystem_name ();
445 char const *host_name
= STRINGP (lhost_name
) ? SSDATA (lhost_name
) : "";
446 char lock_info_str
[MAX_LFINFO
+ 1];
447 printmax_t pid
= getpid ();
451 if (sizeof lock_info_str
452 <= snprintf (lock_info_str
, sizeof lock_info_str
,
454 user_name
, host_name
, pid
, boot
))
457 else if (sizeof lock_info_str
458 <= snprintf (lock_info_str
, sizeof lock_info_str
,
460 user_name
, host_name
, pid
))
463 return create_lock_file (lfname
, lock_info_str
, force
);
466 /* Return true if times A and B are no more than one second apart. */
469 within_one_second (time_t a
, time_t b
)
471 return (a
- b
>= -1 && a
- b
<= 1);
474 /* On systems lacking ELOOP, test for an errno value that shouldn't occur. */
479 /* Read the data for the lock file LFNAME into LFINFO. Read at most
480 MAX_LFINFO + 1 bytes. Return the number of bytes read, or -1
481 (setting errno) on error. */
484 read_lock_data (char *lfname
, char lfinfo
[MAX_LFINFO
+ 1])
488 while ((nbytes
= readlinkat (AT_FDCWD
, lfname
, lfinfo
, MAX_LFINFO
+ 1)) < 0
491 int fd
= emacs_open (lfname
, O_RDONLY
| O_NOFOLLOW
, 0);
494 /* Use read, not emacs_read, since FD isn't unwind-protected. */
495 ptrdiff_t read_bytes
= read (fd
, lfinfo
, MAX_LFINFO
+ 1);
496 int read_errno
= errno
;
497 if (emacs_close (fd
) != 0)
506 /* readlinkat saw a non-symlink, but emacs_open saw a symlink.
507 The former must have been removed and replaced by the latter.
515 /* Return 0 if nobody owns the lock file LFNAME or the lock is obsolete,
516 1 if another process owns it (and set OWNER (if non-null) to info),
517 2 if the current process owns it,
518 or -1 if something is wrong with the locking mechanism. */
521 current_lock_owner (lock_info_type
*owner
, char *lfname
)
524 lock_info_type local_owner
;
526 intmax_t pid
, boot_time
;
527 char *at
, *dot
, *lfinfo_end
;
529 /* Even if the caller doesn't want the owner info, we still have to
530 read it to determine return value. */
532 owner
= &local_owner
;
534 /* If nonexistent lock file, all is well; otherwise, got strange error. */
535 lfinfolen
= read_lock_data (lfname
, owner
->user
);
537 return errno
== ENOENT
? 0 : -1;
538 if (MAX_LFINFO
< lfinfolen
)
540 owner
->user
[lfinfolen
] = 0;
542 /* Parse USER@HOST.PID:BOOT_TIME. If can't parse, return -1. */
543 /* The USER is everything before the last @. */
544 owner
->at
= at
= memrchr (owner
->user
, '@', lfinfolen
);
547 owner
->dot
= dot
= strrchr (at
, '.');
551 /* The PID is everything from the last `.' to the `:'. */
552 if (! c_isdigit (dot
[1]))
555 pid
= strtoimax (dot
+ 1, &owner
->colon
, 10);
559 /* After the `:', if there is one, comes the boot time. */
560 switch (owner
->colon
[0])
564 lfinfo_end
= owner
->colon
;
568 if (! c_isdigit (owner
->colon
[1]))
570 boot_time
= strtoimax (owner
->colon
+ 1, &lfinfo_end
, 10);
576 if (lfinfo_end
!= owner
->user
+ lfinfolen
)
579 /* On current host? */
580 Lisp_Object system_name
= Fsystem_name ();
581 if (STRINGP (system_name
)
582 && dot
- (at
+ 1) == SBYTES (system_name
)
583 && memcmp (at
+ 1, SSDATA (system_name
), SBYTES (system_name
)) == 0)
585 if (pid
== getpid ())
586 ret
= 2; /* We own it. */
587 else if (0 < pid
&& pid
<= TYPE_MAXIMUM (pid_t
)
588 && (kill (pid
, 0) >= 0 || errno
== EPERM
)
590 || (boot_time
<= TYPE_MAXIMUM (time_t)
591 && within_one_second (boot_time
, get_boot_time ()))))
592 ret
= 1; /* An existing process on this machine owns it. */
593 /* The owner process is dead or has a strange pid, so try to
596 return unlink (lfname
);
599 { /* If we wanted to support the check for stale locks on remote machines,
600 here's where we'd do it. */
608 /* Lock the lock named LFNAME if possible.
609 Return 0 in that case.
610 Return positive if some other process owns the lock, and info about
611 that process in CLASHER.
612 Return -1 if cannot lock for any other reason. */
615 lock_if_free (lock_info_type
*clasher
, char *lfname
)
618 while ((err
= lock_file_1 (lfname
, 0)) == EEXIST
)
620 switch (current_lock_owner (clasher
, lfname
))
623 return 0; /* We ourselves locked it. */
625 return 1; /* Someone else has it. */
627 return -1; /* current_lock_owner returned strange error. */
630 /* We deleted a stale lock; try again to lock the file. */
636 /* lock_file locks file FN,
637 meaning it serves notice on the world that you intend to edit that file.
638 This should be done only when about to modify a file-visiting
639 buffer previously unmodified.
640 Do not (normally) call this for a buffer already modified,
641 as either the file is already locked, or the user has already
642 decided to go ahead without locking.
644 When this returns, either the lock is locked for us,
645 or lock creation failed,
646 or the user has said to go ahead without locking.
648 If the file is locked by someone else, this calls
649 ask-user-about-lock (a Lisp function) with two arguments,
650 the file name and info about the user who did the locking.
651 This function can signal an error, or return t meaning
652 take away the lock, or return nil meaning ignore the lock. */
655 lock_file (Lisp_Object fn
)
657 Lisp_Object orig_fn
, encoded_fn
;
659 lock_info_type lock_info
;
662 /* Don't do locking while dumping Emacs.
663 Uncompressing wtmp files uses call-process, which does not work
664 in an uninitialized Emacs. */
665 if (! NILP (Vpurify_flag
))
669 fn
= Fexpand_file_name (fn
, Qnil
);
671 /* Ensure we have only '/' separators, to avoid problems with
672 looking (inside fill_in_lock_file_name) for backslashes in file
673 names encoded by some DBCS codepage. */
674 dostounix_filename (SSDATA (fn
));
676 encoded_fn
= ENCODE_FILE (fn
);
678 /* See if this file is visited and has changed on disk since it was
681 register Lisp_Object subject_buf
;
683 subject_buf
= get_truename_buffer (orig_fn
);
685 if (!NILP (subject_buf
)
686 && NILP (Fverify_visited_file_modtime (subject_buf
))
687 && !NILP (Ffile_exists_p (fn
)))
688 call1 (intern ("userlock--ask-user-about-supersession-threat"), fn
);
692 /* Don't do locking if the user has opted out. */
693 if (create_lockfiles
)
696 /* Create the name of the lock-file for file fn */
697 MAKE_LOCK_NAME (lfname
, encoded_fn
);
699 /* Try to lock the lock. */
700 if (0 < lock_if_free (&lock_info
, lfname
))
702 /* Someone else has the lock. Consider breaking it. */
704 char *dot
= lock_info
.dot
;
705 ptrdiff_t pidlen
= lock_info
.colon
- (dot
+ 1);
706 static char const replacement
[] = " (pid ";
707 int replacementlen
= sizeof replacement
- 1;
708 memmove (dot
+ replacementlen
, dot
+ 1, pidlen
);
709 strcpy (dot
+ replacementlen
+ pidlen
, ")");
710 memcpy (dot
, replacement
, replacementlen
);
711 attack
= call2 (intern ("ask-user-about-lock"), fn
,
712 build_string (lock_info
.user
));
713 /* Take the lock if the user said so. */
715 lock_file_1 (lfname
, 1);
722 unlock_file (Lisp_Object fn
)
727 fn
= Fexpand_file_name (fn
, Qnil
);
728 fn
= ENCODE_FILE (fn
);
730 MAKE_LOCK_NAME (lfname
, fn
);
732 if (current_lock_owner (0, lfname
) == 2)
740 lock_file (Lisp_Object fn
)
745 unlock_file (Lisp_Object fn
)
752 unlock_all_files (void)
754 register Lisp_Object tail
, buf
;
755 register struct buffer
*b
;
757 FOR_EACH_LIVE_BUFFER (tail
, buf
)
760 if (STRINGP (BVAR (b
, file_truename
))
761 && BUF_SAVE_MODIFF (b
) < BUF_MODIFF (b
))
762 unlock_file (BVAR (b
, file_truename
));
766 DEFUN ("lock-buffer", Flock_buffer
, Slock_buffer
,
768 doc
: /* Lock FILE, if current buffer is modified.
769 FILE defaults to current buffer's visited file,
770 or else nothing is done if current buffer isn't visiting a file.
772 If the option `create-lockfiles' is nil, this does nothing. */)
776 file
= BVAR (current_buffer
, file_truename
);
779 if (SAVE_MODIFF
< MODIFF
785 DEFUN ("unlock-buffer", Funlock_buffer
, Sunlock_buffer
,
787 doc
: /* Unlock the file visited in the current buffer.
788 If the buffer is not modified, this does nothing because the file
789 should not be locked in that case. */)
792 if (SAVE_MODIFF
< MODIFF
793 && STRINGP (BVAR (current_buffer
, file_truename
)))
794 unlock_file (BVAR (current_buffer
, file_truename
));
798 /* Unlock the file visited in buffer BUFFER. */
801 unlock_buffer (struct buffer
*buffer
)
803 if (BUF_SAVE_MODIFF (buffer
) < BUF_MODIFF (buffer
)
804 && STRINGP (BVAR (buffer
, file_truename
)))
805 unlock_file (BVAR (buffer
, file_truename
));
808 DEFUN ("file-locked-p", Ffile_locked_p
, Sfile_locked_p
, 1, 1, 0,
809 doc
: /* Return a value indicating whether FILENAME is locked.
810 The value is nil if the FILENAME is not locked,
811 t if it is locked by you, else a string saying which user has locked it. */)
812 (Lisp_Object filename
)
820 lock_info_type locker
;
823 filename
= Fexpand_file_name (filename
, Qnil
);
825 MAKE_LOCK_NAME (lfname
, filename
);
827 owner
= current_lock_owner (&locker
, lfname
);
833 ret
= make_string (locker
.user
, locker
.at
- locker
.user
);
841 syms_of_filelock (void)
843 DEFVAR_LISP ("temporary-file-directory", Vtemporary_file_directory
,
844 doc
: /* The directory for writing temporary files. */);
845 Vtemporary_file_directory
= Qnil
;
847 DEFVAR_BOOL ("create-lockfiles", create_lockfiles
,
848 doc
: /* Non-nil means use lockfiles to avoid editing collisions. */);
849 create_lockfiles
= 1;
851 defsubr (&Sunlock_buffer
);
852 defsubr (&Slock_buffer
);
853 defsubr (&Sfile_locked_p
);