| blob | 4a992c41ab60e589c45c8e9ac43a483d333560a1 |
1 /* Temporary directories and temporary files with automatic cleanup.
2 Copyright (C) 2001, 2003, 2006-2007, 2009-2020 Free Software Foundation,
3 Inc.
4 Written by Bruno Haible <bruno@clisp.org>, 2006.
6 This program is free software: you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <https://www.gnu.org/licenses/>. */
20 #include <config.h>
22 /* Specification. */
25 #include <errno.h>
26 #include <fcntl.h>
27 #include <limits.h>
28 #include <stdbool.h>
29 #include <stdint.h>
30 #include <stdlib.h>
31 #include <string.h>
32 #include <unistd.h>
34 #if defined _WIN32 && ! defined __CYGWIN__
36 # include <windows.h>
37 #endif
52 #if GNULIB_TEMPNAME
54 #endif
55 #if GNULIB_FWRITEERROR
57 #endif
58 #if GNULIB_CLOSE_STREAM
60 #endif
61 #if GNULIB_FCNTL_SAFER
63 #endif
64 #if GNULIB_FOPEN_SAFER
66 #endif
68 #define _(str) gettext (str)
70 /* GNU Hurd doesn't have PATH_MAX. Use a fallback.
71 Temporary directory names are usually not that long. */
72 #ifndef PATH_MAX
73 # define PATH_MAX 1024
74 #endif
76 #if defined _WIN32 && ! defined __CYGWIN__
77 /* Don't assume that UNICODE is not defined. */
78 # undef OSVERSIONINFO
79 # define OSVERSIONINFO OSVERSIONINFOA
80 # undef GetVersionEx
81 # define GetVersionEx GetVersionExA
82 #endif
85 /* The use of 'volatile' in the types below (and ISO C 99 section 5.1.2.3.(5))
86 ensure that while constructing or modifying the data structures, the field
87 values are written to memory in the order of the C statements. So the
88 signal handler can rely on these field values to be up to date. */
91 /* Lock that protects the file_cleanup_list from concurrent modification in
92 different threads. */
95 /* List of all temporary files without temporary directories. */
99 /* Registry for a single temporary directory.
100 'struct temp_dir' from the public header file overlaps with this. */
101 struct tempdir
102 {
103 /* The absolute pathname of the directory. */
105 /* Whether errors during explicit cleanup are reported to standard error. */
107 /* Absolute pathnames of subdirectories. */
109 /* Absolute pathnames of files. */
111 };
113 /* Lock that protects the dir_cleanup_list from concurrent modification in
114 different threads. */
117 /* List of all temporary directories. */
118 static struct
119 {
126 /* A file descriptor to be closed.
127 In multithreaded programs, it is forbidden to close the same fd twice,
128 because you never know what unrelated open() calls are being executed in
129 other threads. So, the 'close (fd)' must be guarded by a once-only guard. */
130 struct closeable_fd
131 {
132 /* The file descriptor to close. */
134 /* Set to true when it has been closed. */
136 /* Lock that protects the fd from being closed twice. */
137 asyncsafe_spinlock_t lock;
138 /* Tells whether this list element has been done and can be freed. */
140 };
142 /* Lock that protects the descriptors list from concurrent modification in
143 different threads. */
146 /* List of all open file descriptors to temporary files. */
150 /* For the subdirs and for the files, we use a gl_list_t of type LINKEDHASH.
151 Why? We need a data structure that
153 1) Can contain an arbitrary number of 'char *' values. The strings
154 are compared via strcmp, not pointer comparison.
155 2) Has insertion and deletion operations that are fast: ideally O(1),
156 or possibly O(log n). This is important for GNU sort, which may
157 create a large number of temporary files.
158 3) Allows iteration through all elements from within a signal handler.
159 4) May or may not allow duplicates. It doesn't matter here, since
160 any file or subdir can only be removed once.
162 Criterion 1) would allow any gl_list_t or gl_oset_t implementation.
164 Criterion 2) leaves only GL_LINKEDHASH_LIST, GL_TREEHASH_LIST, or
165 GL_TREE_OSET.
167 Criterion 3) puts at disadvantage GL_TREEHASH_LIST and GL_TREE_OSET.
168 Namely, iteration through the elements of a binary tree requires access
169 to many ->left, ->right, ->parent pointers. However, the rebalancing
170 code for insertion and deletion in an AVL or red-black tree is so
171 complicated that we cannot assume that >left, ->right, ->parent pointers
172 are in a consistent state throughout these operations. Therefore, to
173 avoid a crash in the signal handler, all destructive operations to the
174 lists would have to be protected by a
175 block_fatal_signals ();
176 ...
177 unblock_fatal_signals ();
178 pair. Which causes extra system calls.
180 Criterion 3) would also discourage GL_ARRAY_LIST and GL_CARRAY_LIST,
181 if they were not already excluded. Namely, these implementations use
182 xrealloc(), leaving a time window in which in the list->elements pointer
183 points to already deallocated memory. To avoid a crash in the signal
184 handler at such a moment, all destructive operations would have to
185 protected by block/unblock_fatal_signals (), in this case too.
187 A list of type GL_LINKEDHASH_LIST without duplicates fulfills all
188 requirements:
189 2) Insertion and deletion are O(1) on average.
190 3) The gl_list_iterator, gl_list_iterator_next implementations do
191 not trigger memory allocations, nor other system calls, and are
192 therefore safe to be called from a signal handler.
193 Furthermore, since SIGNAL_SAFE_LIST is defined, the implementation
194 of the destructive functions ensures that the list structure is
195 safe to be traversed at any moment, even when interrupted by an
196 asynchronous signal.
197 */
199 /* String equality and hash code functions used by the lists. */
201 static bool
203 {
207 }
209 #define SIZE_BITS (sizeof (size_t) * CHAR_BIT)
211 /* A hash function for NUL-terminated char* strings using
212 the method described by Bruno Haible.
213 See https://www.haible.de/bruno/hashfunc.html. */
214 static size_t
216 {
224 }
227 /* The set of fatal signal handlers.
228 Cached here because we are not allowed to call get_fatal_signal_set ()
229 from a signal handler. */
232 static void
234 {
237 }
240 /* Close a file descriptor.
241 Avoids race conditions with normal thread code or signal-handler code that
242 might want to close the same file descriptor. */
245 {
246 sigset_t saved_mask;
252 {
256 }
257 else
258 {
261 }
267 }
269 /* Close a file descriptor and the stream that contains it.
270 Avoids race conditions with signal-handler code that might want to close the
271 same file descriptor. */
272 static int
275 {
279 /* Flush buffered data first, to minimize the duration of the spin lock. */
282 sigset_t saved_mask;
288 {
292 }
293 else
294 {
297 }
303 }
305 /* The signal handler. It gets called asynchronously. */
308 {
311 /* First close all file descriptors to temporary files. */
312 {
316 {
317 gl_list_iterator_t iter;
322 {
324 }
326 }
327 }
329 {
333 {
334 gl_list_iterator_t iter;
339 {
342 }
344 }
345 }
348 {
352 {
353 gl_list_iterator_t iter;
356 /* First cleanup the files in the subdirectories. */
359 {
362 }
365 /* Then cleanup the subdirectories. */
368 {
371 }
374 /* Then cleanup the temporary directory itself. */
376 }
377 }
378 }
381 /* Initializes this facility. */
382 static void
384 {
385 /* Initialize the data used by the cleanup handler. */
387 /* Register the cleanup handler. */
389 }
391 /* Ensure that do_init_clean_temp is called once only. */
394 /* Initializes this facility upon first use. */
395 static void
397 {
399 }
402 /* ============= Temporary files without temporary directories ============= */
404 /* Register the given ABSOLUTE_FILE_NAME as being a file that needs to be
405 removed.
406 Should be called before the file ABSOLUTE_FILE_NAME is created. */
407 void
409 {
414 /* Make sure that this facility and the file_cleanup_list are initialized. */
416 {
418 file_cleanup_list =
421 }
423 /* Add absolute_file_name to file_cleanup_list, without duplicates. */
428 }
430 /* Unregister the given ABSOLUTE_FILE_NAME as being a file that needs to be
431 removed.
432 Should be called when the file ABSOLUTE_FILE_NAME could not be created. */
433 void
435 {
442 {
445 {
450 }
451 }
454 }
456 /* Remove a file, with optional error message.
457 Return 0 upon success, or -1 if there was some problem. */
458 static int
460 {
463 {
467 }
469 }
471 /* Remove the given ABSOLUTE_FILE_NAME and unregister it.
472 CLEANUP_VERBOSE determines whether errors are reported to standard error.
473 Return 0 upon success, or -1 if there was some problem. */
474 int
476 {
483 }
486 /* ========= Temporary directories and temporary files inside them ========= */
488 /* Create a temporary directory.
489 PREFIX is used as a prefix for the name of the temporary directory. It
490 should be short and still give an indication about the program.
491 PARENTDIR can be used to specify the parent directory; if NULL, a default
492 parent directory is used (either $TMPDIR or /tmp or similar).
493 CLEANUP_VERBOSE determines whether errors during explicit cleanup are
494 reported to standard error.
495 Return a fresh 'struct temp_dir' on success. Upon error, an error message
496 is shown and NULL is returned. */
500 {
511 /* See whether it can take the slot of an earlier temporary directory
512 already cleaned up. */
515 {
518 }
520 {
521 /* See whether the array needs to be extended. */
523 {
524 /* Note that we cannot use xrealloc(), because then the cleanup()
525 function could access an already deallocated array. */
533 {
534 /* First use of this facility. */
536 }
537 else
538 {
539 /* Don't use memcpy() here, because memcpy takes non-volatile
540 arguments and is therefore not guaranteed to complete all
541 memory stores before the next statement. */
546 }
551 /* Now we can free the old array. */
552 /* No, we can't do that. If cleanup_action is running in a different
553 thread and has already fetched the tempdir_list pointer (getting
554 old_array) but not yet accessed its i-th element, that thread may
555 crash when accessing an element of the already freed old_array
556 array. */
557 #if 0
560 #endif
561 }
564 /* Initialize *tmpdirp before incrementing tempdir_count, so that
565 cleanup() will skip this entry before it is fully initialized. */
568 }
570 /* Initialize a 'struct tempdir'. */
581 /* Create the temporary directory. */
584 {
588 }
593 {
596 }
599 {
602 xtemplate);
604 }
605 /* Replace tmpdir->dirname with a copy that has indefinite extent.
606 We cannot do this inside the block_fatal_signals/unblock_fatal_signals
607 block because then the cleanup handler would not remove the directory
608 if xstrdup fails. */
614 quit:
618 }
620 /* Register the given ABSOLUTE_FILE_NAME as being a file inside DIR, that
621 needs to be removed before DIR can be removed.
622 Should be called before the file ABSOLUTE_FILE_NAME is created. */
623 void
626 {
632 /* Add absolute_file_name to tmpdir->files, without duplicates. */
637 }
639 /* Unregister the given ABSOLUTE_FILE_NAME as being a file inside DIR, that
640 needs to be removed before DIR can be removed.
641 Should be called when the file ABSOLUTE_FILE_NAME could not be created. */
642 void
645 {
652 gl_list_node_t node;
656 {
661 }
664 }
666 /* Register the given ABSOLUTE_DIR_NAME as being a subdirectory inside DIR,
667 that needs to be removed before DIR can be removed.
668 Should be called before the subdirectory ABSOLUTE_DIR_NAME is created. */
669 void
672 {
678 /* Add absolute_dir_name to tmpdir->subdirs, without duplicates. */
683 }
685 /* Unregister the given ABSOLUTE_DIR_NAME as being a subdirectory inside DIR,
686 that needs to be removed before DIR can be removed.
687 Should be called when the subdirectory ABSOLUTE_DIR_NAME could not be
688 created. */
689 void
692 {
699 gl_list_node_t node;
703 {
708 }
711 }
713 /* Remove a directory, with optional error message.
714 Return 0 upon success, or -1 if there was some problem. */
715 static int
717 {
720 {
724 }
726 }
728 /* Remove the given ABSOLUTE_FILE_NAME and unregister it.
729 Return 0 upon success, or -1 if there was some problem. */
730 int
733 {
740 }
742 /* Remove the given ABSOLUTE_DIR_NAME and unregister it.
743 Return 0 upon success, or -1 if there was some problem. */
744 int
747 {
754 }
756 /* Remove all registered files and subdirectories inside DIR.
757 Only to be called with dir_cleanup_list_lock locked.
758 Return 0 upon success, or -1 if there was some problem. */
759 int
761 {
764 gl_list_t list;
765 gl_list_iterator_t iter;
767 gl_list_node_t node;
769 /* First cleanup the files in the subdirectories. */
773 {
778 /* Now only we can free file. */
780 }
783 /* Then cleanup the subdirectories. */
787 {
792 /* Now only we can free subdir. */
794 }
798 }
800 /* Remove all registered files and subdirectories inside DIR and DIR itself.
801 DIR cannot be used any more after this call.
802 Return 0 upon success, or -1 if there was some problem. */
803 int
805 {
819 {
820 /* Remove dir_cleanup_list.tempdir_list[i]. */
822 {
824 i--;
826 }
827 else
829 /* Now only we can free the tmpdir->dirname, tmpdir->subdirs,
830 tmpdir->files, and tmpdir itself. */
837 }
839 /* The user passed an invalid DIR argument. */
841 }
844 /* ================== Opening and closing temporary files ================== */
846 #if defined _WIN32 && ! defined __CYGWIN__
848 /* On Windows, opening a file with _O_TEMPORARY has the effect of passing
849 the FILE_FLAG_DELETE_ON_CLOSE flag to CreateFile(), which has the effect
850 of deleting the file when it is closed - even when the program crashes.
851 But (according to the Cygwin sources) it works only on Windows NT or newer.
852 So we cache the info whether we are running on Windows NT or newer. */
854 static bool
856 {
859 {
860 OSVERSIONINFO v;
862 /* According to
863 <https://docs.microsoft.com/en-us/windows/desktop/api/sysinfoapi/nf-sysinfoapi-getversionexa>
864 this structure must be initialized as follows: */
869 else
871 }
873 }
875 #endif
878 /* Register a file descriptor to be closed. */
879 static void
881 {
899 }
901 /* Open a temporary file in a temporary directory.
902 FILE_NAME must already have been passed to register_temp_file.
903 Registers the resulting file descriptor to be closed.
904 DELETE_ON_CLOSE indicates whether the file can be deleted when the resulting
905 file descriptor or stream is closed. */
906 int
908 {
913 /* Note: 'open' here is actually open() or open_safer(). */
914 #if defined _WIN32 && ! defined __CYGWIN__
915 /* Use _O_TEMPORARY when possible, to increase the chances that the
916 temporary file is removed when the process crashes. */
919 else
920 #endif
928 }
930 /* Open a temporary file in a temporary directory.
931 FILE_NAME must already have been passed to register_temp_file.
932 Registers the resulting file descriptor to be closed.
933 DELETE_ON_CLOSE indicates whether the file can be deleted when the resulting
934 file descriptor or stream is closed. */
937 {
942 /* Note: 'fopen' here is actually fopen() or fopen_safer(). */
943 #if defined _WIN32 && ! defined __CYGWIN__
944 /* Use _O_TEMPORARY when possible, to increase the chances that the
945 temporary file is removed when the process crashes. */
947 {
957 }
958 else
959 #endif
960 {
963 }
965 {
966 /* It is sufficient to register fileno (fp) instead of the entire fp,
967 because at cleanup time there is no need to do an fflush (fp); a
968 close (fileno (fp)) will be enough. */
973 }
977 }
979 #if GNULIB_TEMPNAME
981 struct try_create_file_params
982 {
984 mode_t mode;
985 };
987 static int
989 {
994 }
996 /* Open a temporary file, generating its name based on FILE_NAME_TMPL.
997 FILE_NAME_TMPL must match the rules for mk[s]temp (i.e. end in "XXXXXX",
998 possibly with a suffix). The name constructed does not exist at the time
999 of the call. FILE_NAME_TMPL is overwritten with the result.
1000 A safe choice for MODE is S_IRUSR | S_IWUSR, a.k.a. 0600.
1001 Registers the file for deletion.
1002 Opens the file, with the given FLAGS and mode MODE.
1003 Registers the resulting file descriptor to be closed. */
1004 int
1007 {
1018 {
1022 }
1026 }
1028 #endif
1030 /* Close a temporary file.
1031 FD must have been returned by open_temp or gen_register_open_temp.
1032 Unregisters the previously registered file descriptor. */
1033 int
1035 {
1050 /* descriptors should already contain fd. */
1053 /* Search through the list, and clean it up on the fly. */
1057 gl_list_node_t node;
1060 {
1063 /* Close the file descriptor, avoiding races with the signal
1064 handler. */
1066 {
1070 }
1079 {
1082 }
1086 }
1089 /* descriptors should already contain fd. */
1096 }
1098 static int
1100 {
1114 /* descriptors should already contain fd. */
1117 /* Search through the list, and clean it up on the fly. */
1121 gl_list_node_t node;
1124 {
1127 /* Close the file descriptor and the stream, avoiding races with the
1128 signal handler. */
1130 {
1134 }
1143 {
1146 }
1150 }
1153 /* descriptors should have contained fd. */
1160 }
1162 /* Close a temporary file.
1163 FP must have been returned by fopen_temp, or by fdopen on a file descriptor
1164 returned by open_temp or gen_register_open_temp.
1165 Unregisters the previously registered file descriptor. */
1166 int
1168 {
1170 }
1172 #if GNULIB_FWRITEERROR
1173 /* Like fwriteerror.
1174 FP must have been returned by fopen_temp, or by fdopen on a file descriptor
1175 returned by open_temp or gen_register_open_temp.
1176 Unregisters the previously registered file descriptor. */
1177 int
1179 {
1181 }
1182 #endif
1184 #if GNULIB_CLOSE_STREAM
1185 /* Like close_stream.
1186 FP must have been returned by fopen_temp, or by fdopen on a file descriptor
1187 returned by open_temp or gen_register_open_temp.
1188 Unregisters the previously registered file descriptor. */
1189 int
1191 {
1193 }
1194 #endif