1 /* Lock files for editing.
2 Copyright (C) 1985-1987, 1993-1994, 1996, 1998-2013 Free Software
5 This file is part of GNU Emacs.
7 GNU Emacs is free software: you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation, either version 3 of the License, or
10 (at your option) any later version.
12 GNU Emacs is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with GNU Emacs. If not, see <http://www.gnu.org/licenses/>. */
22 #include <sys/types.h>
36 #include <sys/sysctl.h>
37 #endif /* __FreeBSD__ */
44 #include "character.h"
50 #include <sys/socket.h> /* for fcntl */
51 #include "w32.h" /* for dostounix_filename */
54 #ifdef CLASH_DETECTION
60 /* A file whose last-modified time is just after the most recent boot.
61 Define this to be NULL to disable checking for this file. */
62 #ifndef BOOT_TIME_FILE
63 #define BOOT_TIME_FILE "/var/run/random-seed"
67 #define WTMP_FILE "/var/log/wtmp"
70 /* Normally use a symbolic link to represent a lock.
71 The strategy: to lock a file FN, create a symlink .#FN in FN's
72 directory, with link data `user@host.pid'. This avoids a single
73 mount (== failure) point for lock files.
75 When the host in the lock data is the current host, we can check if
76 the pid is valid with kill.
78 Otherwise, we could look at a separate file that maps hostnames to
79 reboot times to see if the remote pid can possibly be valid, since we
80 don't want Emacs to have to communicate via pipes or sockets or
81 whatever to other processes, either locally or remotely; rms says
82 that's too unreliable. Hence the separate file, which could
83 theoretically be updated by daemons running separately -- but this
84 whole idea is unimplemented; in practice, at least in our
85 environment, it seems such stale locks arise fairly infrequently, and
86 Emacs' standard methods of dealing with clashes suffice.
88 We use symlinks instead of normal files because (1) they can be
89 stored more efficiently on the filesystem, since the kernel knows
90 they will be small, and (2) all the info about the lock can be read
91 in a single system call (readlink). Although we could use regular
92 files to be useful on old systems lacking symlinks, nowadays
93 virtually all such systems are probably single-user anyway, so it
94 didn't seem worth the complication.
96 Similarly, we don't worry about a possible 14-character limit on
97 file names, because those are all the same systems that don't have
100 This is compatible with the locking scheme used by Interleaf (which
101 has contributed this implementation for Emacs), and was designed by
102 Ethan Jacobson, Kimbo Mundy, and others.
104 --karl@cs.umb.edu/karl@hq.ileaf.com.
106 On some file systems, notably those of MS-Windows, symbolic links
107 do not work well, so instead of a symlink .#FN -> 'user@host.pid',
108 the lock is a regular file .#FN with contents 'user@host.pid'. To
109 establish a lock, a nonce file is created and then renamed to .#FN.
110 On MS-Windows this renaming is atomic unless the lock is forcibly
111 acquired. On other systems the renaming is atomic if the lock is
112 forcibly acquired; if not, the renaming is done via hard links,
113 which is good enough for lock-file purposes.
115 To summarize, race conditions can occur with either:
117 * Forced locks on MS-Windows systems.
119 * Non-forced locks on non-MS-Windows systems that support neither
120 hard nor symbolic links. */
123 /* Return the time of the last system boot. */
125 static time_t boot_time
;
126 static bool boot_time_initialized
;
129 static void get_boot_time_1 (const char *, bool);
135 #if defined (BOOT_TIME)
139 if (boot_time_initialized
)
141 boot_time_initialized
= 1;
143 #if defined (CTL_KERN) && defined (KERN_BOOTTIME)
147 struct timeval boottime_val
;
150 mib
[1] = KERN_BOOTTIME
;
151 size
= sizeof (boottime_val
);
153 if (sysctl (mib
, 2, &boottime_val
, &size
, NULL
, 0) >= 0)
155 boot_time
= boottime_val
.tv_sec
;
159 #endif /* defined (CTL_KERN) && defined (KERN_BOOTTIME) */
164 if (stat (BOOT_TIME_FILE
, &st
) == 0)
166 boot_time
= st
.st_mtime
;
171 #if defined (BOOT_TIME)
173 /* The utmp routines maintain static state.
174 Don't touch that state unless we are initialized,
175 since it might not survive dumping. */
178 #endif /* not CANNOT_DUMP */
180 /* Try to get boot time from utmp before wtmp,
181 since utmp is typically much smaller than wtmp.
182 Passing a null pointer causes get_boot_time_1
183 to inspect the default file, namely utmp. */
184 get_boot_time_1 ((char *) 0, 0);
188 /* Try to get boot time from the current wtmp file. */
189 get_boot_time_1 (WTMP_FILE
, 1);
191 /* If we did not find a boot time in wtmp, look at wtmp, and so on. */
192 for (counter
= 0; counter
< 20 && ! boot_time
; counter
++)
194 char cmd_string
[sizeof WTMP_FILE
".19.gz"];
195 Lisp_Object tempname
, filename
;
196 bool delete_flag
= 0;
200 tempname
= make_formatted_string
201 (cmd_string
, "%s.%d", WTMP_FILE
, counter
);
202 if (! NILP (Ffile_exists_p (tempname
)))
206 tempname
= make_formatted_string (cmd_string
, "%s.%d.gz",
208 if (! NILP (Ffile_exists_p (tempname
)))
212 /* The utmp functions on mescaline.gnu.org accept only
213 file names up to 8 characters long. Choose a 2
214 character long prefix, and call make_temp_file with
215 second arg non-zero, so that it will add not more
216 than 6 characters to the prefix. */
217 filename
= Fexpand_file_name (build_string ("wt"),
218 Vtemporary_file_directory
);
219 filename
= make_temp_name (filename
, 1);
220 args
[0] = build_string ("gzip");
222 args
[2] = list2 (QCfile
, filename
);
224 args
[4] = build_string ("-cd");
226 Fcall_process (6, args
);
231 if (! NILP (filename
))
233 get_boot_time_1 (SSDATA (filename
), 1);
235 unlink (SSDATA (filename
));
246 /* Try to get the boot time from wtmp file FILENAME.
247 This succeeds if that file contains a reboot record.
249 If FILENAME is zero, use the same file as before;
250 if no FILENAME has ever been specified, this is the utmp file.
251 Use the newest reboot record if NEWEST,
252 the first reboot record otherwise.
253 Ignore all reboot records on or before BOOT_TIME.
254 Success is indicated by setting BOOT_TIME to a larger value. */
257 get_boot_time_1 (const char *filename
, bool newest
)
259 struct utmp ut
, *utp
;
263 /* On some versions of IRIX, opening a nonexistent file name
264 is likely to crash in the utmp routines. */
265 if (faccessat (AT_FDCWD
, filename
, R_OK
, AT_EACCESS
) != 0)
275 /* Find the next reboot record. */
276 ut
.ut_type
= BOOT_TIME
;
280 /* Compare reboot times and use the newest one. */
281 if (utp
->ut_time
> boot_time
)
283 boot_time
= utp
->ut_time
;
287 /* Advance on element in the file
288 so that getutid won't repeat the same one. */
295 #endif /* BOOT_TIME */
297 /* An arbitrary limit on lock contents length. 8 K should be plenty
298 big enough in practice. */
299 enum { MAX_LFINFO
= 8 * 1024 };
301 /* Here is the structure that stores information about a lock. */
305 /* Location of '@', '.', ':' in USER. If there's no colon, COLON
306 points to the end of USER. */
307 char *at
, *dot
, *colon
;
309 /* Lock file contents USER@HOST.PID with an optional :BOOT_TIME
310 appended. This memory is used as a lock file contents buffer, so
311 it needs room for MAX_LFINFO + 1 bytes. A string " (pid NNNN)"
312 may be appended to the USER@HOST while generating a diagnostic,
313 so make room for its extra bytes (as opposed to ".NNNN") too. */
314 char user
[MAX_LFINFO
+ 1 + sizeof " (pid )" - sizeof "."];
317 /* Write the name of the lock file for FNAME into LOCKNAME. Length
318 will be that of FNAME plus two more for the leading ".#", plus one
320 #define MAKE_LOCK_NAME(lockname, fname) \
321 (lockname = SAFE_ALLOCA (SBYTES (fname) + 2 + 1), \
322 fill_in_lock_file_name (lockname, fname))
325 fill_in_lock_file_name (char *lockfile
, Lisp_Object fn
)
327 char *last_slash
= memrchr (SSDATA (fn
), '/', SBYTES (fn
));
328 char *base
= last_slash
+ 1;
329 ptrdiff_t dirlen
= base
- SSDATA (fn
);
330 memcpy (lockfile
, SSDATA (fn
), dirlen
);
331 lockfile
[dirlen
] = '.';
332 lockfile
[dirlen
+ 1] = '#';
333 strcpy (lockfile
+ dirlen
+ 2, base
);
336 /* For some reason Linux kernels return EPERM on file systems that do
337 not support hard or symbolic links. This symbol documents the quirk.
338 There is no way to tell whether a symlink call fails due to
339 permissions issues or because links are not supported, but luckily
340 the lock file code should work either way. */
341 enum { LINKS_MIGHT_NOT_WORK
= EPERM
};
343 /* Rename OLD to NEW. If FORCE, replace any existing NEW.
344 It is OK if there are temporarily two hard links to OLD.
345 Return 0 if successful, -1 (setting errno) otherwise. */
347 rename_lock_file (char const *old
, char const *new, bool force
)
350 return sys_rename_replace (old
, new, force
);
356 if (link (old
, new) == 0)
357 return unlink (old
) == 0 || errno
== ENOENT
? 0 : -1;
358 if (errno
!= ENOSYS
&& errno
!= LINKS_MIGHT_NOT_WORK
)
361 /* 'link' does not work on this file system. This can occur on
362 a GNU/Linux host mounting a FAT32 file system. Fall back on
363 'rename' after checking that NEW does not exist. There is a
364 potential race condition since some other process may create
365 NEW immediately after the existence check, but it's the best
366 we can portably do here. */
367 if (lstat (new, &st
) == 0 || errno
== EOVERFLOW
)
376 return rename (old
, new);
380 /* Create the lock file LFNAME with contents LOCK_INFO_STR. Return 0 if
381 successful, an errno value on failure. If FORCE, remove any
382 existing LFNAME if necessary. */
385 create_lock_file (char *lfname
, char *lock_info_str
, bool force
)
388 /* Symlinks are supported only by later versions of Windows, and
389 creating them is a privileged operation that often triggers
390 User Account Control elevation prompts. Avoid the problem by
391 pretending that 'symlink' does not work. */
394 int err
= symlink (lock_info_str
, lfname
) == 0 ? 0 : errno
;
397 if (err
== EEXIST
&& force
)
400 err
= symlink (lock_info_str
, lfname
) == 0 ? 0 : errno
;
403 if (err
== ENOSYS
|| err
== LINKS_MIGHT_NOT_WORK
|| err
== ENAMETOOLONG
)
405 static char const nonce_base
[] = ".#-emacsXXXXXX";
406 char *last_slash
= strrchr (lfname
, '/');
407 ptrdiff_t lfdirlen
= last_slash
+ 1 - lfname
;
409 char *nonce
= SAFE_ALLOCA (lfdirlen
+ sizeof nonce_base
);
411 memcpy (nonce
, lfname
, lfdirlen
);
412 strcpy (nonce
+ lfdirlen
, nonce_base
);
415 /* Prefer mkostemp to mkstemp, as it avoids a window where FD is
416 temporarily open without close-on-exec. */
417 fd
= mkostemp (nonce
, O_BINARY
| O_CLOEXEC
);
419 /* Prefer mkstemp to mktemp, as it avoids a race between
420 mktemp and emacs_open. */
421 fd
= mkstemp (nonce
);
424 fd
= emacs_open (nonce
, O_WRONLY
| O_CREAT
| O_EXCL
| O_BINARY
,
432 ptrdiff_t lock_info_len
;
433 #if ! (HAVE_MKOSTEMP && O_CLOEXEC)
434 fcntl (fd
, F_SETFD
, FD_CLOEXEC
);
436 lock_info_len
= strlen (lock_info_str
);
438 /* Use 'write', not 'emacs_write', as garbage collection
439 might signal an error, which would leak FD. */
440 if (write (fd
, lock_info_str
, lock_info_len
) != lock_info_len
441 || fchmod (fd
, S_IRUSR
| S_IRGRP
| S_IROTH
) != 0)
443 /* There is no need to call fsync here, as the contents of
444 the lock file need not survive system crashes. */
445 if (emacs_close (fd
) != 0)
447 if (!err
&& rename_lock_file (nonce
, lfname
, force
) != 0)
459 /* Lock the lock file named LFNAME.
460 If FORCE, do so even if it is already locked.
461 Return 0 if successful, an error number on failure. */
464 lock_file_1 (char *lfname
, bool force
)
466 /* Call this first because it can GC. */
467 printmax_t boot
= get_boot_time ();
469 Lisp_Object luser_name
= Fuser_login_name (Qnil
);
470 char const *user_name
= STRINGP (luser_name
) ? SSDATA (luser_name
) : "";
471 Lisp_Object lhost_name
= Fsystem_name ();
472 char const *host_name
= STRINGP (lhost_name
) ? SSDATA (lhost_name
) : "";
473 char lock_info_str
[MAX_LFINFO
+ 1];
474 printmax_t pid
= getpid ();
476 if (sizeof lock_info_str
477 <= snprintf (lock_info_str
, sizeof lock_info_str
,
478 boot
? "%s@%s.%"pMd
":%"pMd
: "%s@%s.%"pMd
,
479 user_name
, host_name
, pid
, boot
))
482 return create_lock_file (lfname
, lock_info_str
, force
);
485 /* Return true if times A and B are no more than one second apart. */
488 within_one_second (time_t a
, time_t b
)
490 return (a
- b
>= -1 && a
- b
<= 1);
493 /* On systems lacking ELOOP, test for an errno value that shouldn't occur. */
498 /* Read the data for the lock file LFNAME into LFINFO. Read at most
499 MAX_LFINFO + 1 bytes. Return the number of bytes read, or -1
500 (setting errno) on error. */
503 read_lock_data (char *lfname
, char lfinfo
[MAX_LFINFO
+ 1])
507 while ((nbytes
= readlinkat (AT_FDCWD
, lfname
, lfinfo
, MAX_LFINFO
+ 1)) < 0
510 int fd
= emacs_open (lfname
, O_RDONLY
| O_BINARY
| O_NOFOLLOW
, 0);
513 /* Use read, not emacs_read, since FD isn't unwind-protected. */
514 ptrdiff_t read_bytes
= read (fd
, lfinfo
, MAX_LFINFO
+ 1);
515 int read_errno
= errno
;
516 if (emacs_close (fd
) != 0)
525 /* readlinkat saw a non-symlink, but emacs_open saw a symlink.
526 The former must have been removed and replaced by the latter.
534 /* Return 0 if nobody owns the lock file LFNAME or the lock is obsolete,
535 1 if another process owns it (and set OWNER (if non-null) to info),
536 2 if the current process owns it,
537 or -1 if something is wrong with the locking mechanism. */
540 current_lock_owner (lock_info_type
*owner
, char *lfname
)
543 lock_info_type local_owner
;
545 intmax_t pid
, boot_time
;
546 char *at
, *dot
, *lfinfo_end
;
548 /* Even if the caller doesn't want the owner info, we still have to
549 read it to determine return value. */
551 owner
= &local_owner
;
553 /* If nonexistent lock file, all is well; otherwise, got strange error. */
554 lfinfolen
= read_lock_data (lfname
, owner
->user
);
556 return errno
== ENOENT
? 0 : -1;
557 if (MAX_LFINFO
< lfinfolen
)
559 owner
->user
[lfinfolen
] = 0;
561 /* Parse USER@HOST.PID:BOOT_TIME. If can't parse, return -1. */
562 /* The USER is everything before the last @. */
563 owner
->at
= at
= memrchr (owner
->user
, '@', lfinfolen
);
566 owner
->dot
= dot
= strrchr (at
, '.');
570 /* The PID is everything from the last `.' to the `:'. */
571 if (! c_isdigit (dot
[1]))
574 pid
= strtoimax (dot
+ 1, &owner
->colon
, 10);
578 /* After the `:', if there is one, comes the boot time. */
579 switch (owner
->colon
[0])
583 lfinfo_end
= owner
->colon
;
587 if (! c_isdigit (owner
->colon
[1]))
589 boot_time
= strtoimax (owner
->colon
+ 1, &lfinfo_end
, 10);
595 if (lfinfo_end
!= owner
->user
+ lfinfolen
)
598 /* On current host? */
599 if (STRINGP (Vsystem_name
)
600 && dot
- (at
+ 1) == SBYTES (Vsystem_name
)
601 && memcmp (at
+ 1, SSDATA (Vsystem_name
), SBYTES (Vsystem_name
)) == 0)
603 if (pid
== getpid ())
604 ret
= 2; /* We own it. */
605 else if (0 < pid
&& pid
<= TYPE_MAXIMUM (pid_t
)
606 && (kill (pid
, 0) >= 0 || errno
== EPERM
)
608 || (boot_time
<= TYPE_MAXIMUM (time_t)
609 && within_one_second (boot_time
, get_boot_time ()))))
610 ret
= 1; /* An existing process on this machine owns it. */
611 /* The owner process is dead or has a strange pid, so try to
614 return unlink (lfname
);
617 { /* If we wanted to support the check for stale locks on remote machines,
618 here's where we'd do it. */
626 /* Lock the lock named LFNAME if possible.
627 Return 0 in that case.
628 Return positive if some other process owns the lock, and info about
629 that process in CLASHER.
630 Return -1 if cannot lock for any other reason. */
633 lock_if_free (lock_info_type
*clasher
, char *lfname
)
636 while ((err
= lock_file_1 (lfname
, 0)) == EEXIST
)
638 switch (current_lock_owner (clasher
, lfname
))
641 return 0; /* We ourselves locked it. */
643 return 1; /* Someone else has it. */
645 return -1; /* current_lock_owner returned strange error. */
648 /* We deleted a stale lock; try again to lock the file. */
654 /* lock_file locks file FN,
655 meaning it serves notice on the world that you intend to edit that file.
656 This should be done only when about to modify a file-visiting
657 buffer previously unmodified.
658 Do not (normally) call this for a buffer already modified,
659 as either the file is already locked, or the user has already
660 decided to go ahead without locking.
662 When this returns, either the lock is locked for us,
663 or lock creation failed,
664 or the user has said to go ahead without locking.
666 If the file is locked by someone else, this calls
667 ask-user-about-lock (a Lisp function) with two arguments,
668 the file name and info about the user who did the locking.
669 This function can signal an error, or return t meaning
670 take away the lock, or return nil meaning ignore the lock. */
673 lock_file (Lisp_Object fn
)
675 Lisp_Object orig_fn
, encoded_fn
;
677 lock_info_type lock_info
;
681 /* Don't do locking if the user has opted out. */
682 if (! create_lockfiles
)
685 /* Don't do locking while dumping Emacs.
686 Uncompressing wtmp files uses call-process, which does not work
687 in an uninitialized Emacs. */
688 if (! NILP (Vpurify_flag
))
693 fn
= Fexpand_file_name (fn
, Qnil
);
695 /* Ensure we have only '/' separators, to avoid problems with
696 looking (inside fill_in_lock_file_name) for backslashes in file
697 names encoded by some DBCS codepage. */
698 dostounix_filename (SSDATA (fn
), 1);
700 encoded_fn
= ENCODE_FILE (fn
);
702 /* Create the name of the lock-file for file fn */
703 MAKE_LOCK_NAME (lfname
, encoded_fn
);
705 /* See if this file is visited and has changed on disk since it was
708 register Lisp_Object subject_buf
;
710 subject_buf
= get_truename_buffer (orig_fn
);
712 if (!NILP (subject_buf
)
713 && NILP (Fverify_visited_file_modtime (subject_buf
))
714 && !NILP (Ffile_exists_p (fn
)))
715 call1 (intern ("ask-user-about-supersession-threat"), fn
);
719 /* Try to lock the lock. */
720 if (0 < lock_if_free (&lock_info
, lfname
))
722 /* Someone else has the lock. Consider breaking it. */
724 char *dot
= lock_info
.dot
;
725 ptrdiff_t pidlen
= lock_info
.colon
- (dot
+ 1);
726 static char const replacement
[] = " (pid ";
727 int replacementlen
= sizeof replacement
- 1;
728 memmove (dot
+ replacementlen
, dot
+ 1, pidlen
);
729 strcpy (dot
+ replacementlen
+ pidlen
, ")");
730 memcpy (dot
, replacement
, replacementlen
);
731 attack
= call2 (intern ("ask-user-about-lock"), fn
,
732 build_string (lock_info
.user
));
733 /* Take the lock if the user said so. */
735 lock_file_1 (lfname
, 1);
743 unlock_file (Lisp_Object fn
)
748 fn
= Fexpand_file_name (fn
, Qnil
);
749 fn
= ENCODE_FILE (fn
);
751 MAKE_LOCK_NAME (lfname
, fn
);
753 if (current_lock_owner (0, lfname
) == 2)
760 unlock_all_files (void)
762 register Lisp_Object tail
;
763 register struct buffer
*b
;
765 for (tail
= Vbuffer_alist
; CONSP (tail
); tail
= XCDR (tail
))
767 b
= XBUFFER (XCDR (XCAR (tail
)));
768 if (STRINGP (BVAR (b
, file_truename
)) && BUF_SAVE_MODIFF (b
) < BUF_MODIFF (b
))
770 unlock_file (BVAR (b
, file_truename
));
775 DEFUN ("lock-buffer", Flock_buffer
, Slock_buffer
,
777 doc
: /* Lock FILE, if current buffer is modified.
778 FILE defaults to current buffer's visited file,
779 or else nothing is done if current buffer isn't visiting a file. */)
783 file
= BVAR (current_buffer
, file_truename
);
786 if (SAVE_MODIFF
< MODIFF
792 DEFUN ("unlock-buffer", Funlock_buffer
, Sunlock_buffer
,
794 doc
: /* Unlock the file visited in the current buffer.
795 If the buffer is not modified, this does nothing because the file
796 should not be locked in that case. */)
799 if (SAVE_MODIFF
< MODIFF
800 && STRINGP (BVAR (current_buffer
, file_truename
)))
801 unlock_file (BVAR (current_buffer
, file_truename
));
805 /* Unlock the file visited in buffer BUFFER. */
808 unlock_buffer (struct buffer
*buffer
)
810 if (BUF_SAVE_MODIFF (buffer
) < BUF_MODIFF (buffer
)
811 && STRINGP (BVAR (buffer
, file_truename
)))
812 unlock_file (BVAR (buffer
, file_truename
));
815 DEFUN ("file-locked-p", Ffile_locked_p
, Sfile_locked_p
, 1, 1, 0,
816 doc
: /* Return a value indicating whether FILENAME is locked.
817 The value is nil if the FILENAME is not locked,
818 t if it is locked by you, else a string saying which user has locked it. */)
819 (Lisp_Object filename
)
824 lock_info_type locker
;
827 filename
= Fexpand_file_name (filename
, Qnil
);
829 MAKE_LOCK_NAME (lfname
, filename
);
831 owner
= current_lock_owner (&locker
, lfname
);
837 ret
= make_string (locker
.user
, locker
.at
- locker
.user
);
843 #endif /* CLASH_DETECTION */
846 syms_of_filelock (void)
848 DEFVAR_LISP ("temporary-file-directory", Vtemporary_file_directory
,
849 doc
: /* The directory for writing temporary files. */);
850 Vtemporary_file_directory
= Qnil
;
852 DEFVAR_BOOL ("create-lockfiles", create_lockfiles
,
853 doc
: /* Non-nil means use lockfiles to avoid editing collisions. */);
854 create_lockfiles
= 1;
856 #ifdef CLASH_DETECTION
857 defsubr (&Sunlock_buffer
);
858 defsubr (&Slock_buffer
);
859 defsubr (&Sfile_locked_p
);