Use atomic filesystem operations for cPanel::StateFile.

FGasper · toddr · commit 13c0387b546d · 2018-12-13T16:00:50.000-06:00
This eliminates the likelihood of partially-written files. The major
changes are twofold:

1) Ensure that a stat() on the filename returns the same inode
as the filehandle during _open().

2) Write to a temporary file in the same directory, then rename()
that file into place. This prevents corrupt files.
diff --git a/Makefile.PL b/Makefile.PL
@@ -24,6 +24,7 @@ my %WriteMakefileArgs = (
     "Fcntl" => 0,
     "File::Path" => 0,
     "File::Spec" => 0,
+    "File::Temp" => 0,
     "Getopt::Long" => 0,
     "POSIX" => 0,
     "Scalar::Util" => 0,
@@ -40,10 +41,12 @@ my %WriteMakefileArgs = (
   "TEST_REQUIRES" => {
     "Carp" => 0,
     "Cwd" => 0,
-    "File::Temp" => 0,
+    "File::Slurper" => 0,
     "FindBin" => 0,
     "Test::Exception" => 0,
     "Test::More" => 0,
+    "Time::HiRes" => 0,
+    "autodie" => 0,
     "lib" => 0
   },
   "VERSION" => "0.900",
@@ -58,6 +61,7 @@ my %FallbackPrereqs = (
   "Cwd" => 0,
   "Fcntl" => 0,
   "File::Path" => 0,
+  "File::Slurper" => 0,
   "File::Spec" => 0,
   "File::Temp" => 0,
   "FindBin" => 0,
@@ -69,8 +73,10 @@ my %FallbackPrereqs = (
   "Test::Exception" => 0,
   "Test::More" => 0,
   "Text::Wrap" => 0,
+  "Time::HiRes" => 0,
   "Unix::PID" => "0.21",
   "YAML::Syck" => 0,
+  "autodie" => 0,
   "base" => 0,
   "lib" => 0,
   "parent" => 0,
diff --git a/lib/cPanel/StateFile.pm b/lib/cPanel/StateFile.pm
@@ -183,12 +183,7 @@ sub import {
             if ( $state_file->{file_handle} ) {
 
                 # TODO probably need to check for failure, but then what do I do?
-                eval {
-                    local $SIG{'ALRM'} = sub { die "flock 8 timeout\n"; };
-                    my $orig_alarm = alarm $state_file->{flock_timeout};
-                    flock $state_file->{file_handle}, 8;
-                    alarm $orig_alarm;
-                };
+                eval { flock $state_file->{file_handle}, 8; };
                 close $state_file->{file_handle};
                 $state_file->{file_handle} = undef;
 
@@ -222,29 +217,58 @@ sub import {
             return;
         }
 
+        #Tested directly because this is critical logic.
         sub _open {
-            my ( $self, $mode ) = @_;
+            my ($self) = @_;
             my $state_file = $self->{state_file};
             $state_file->throw('Cannot open state file inside a call_unlocked call.') unless defined $self->{lock_file};
 
-            open my $fh, $mode, $state_file->{file_name}
-              or $state_file->throw("Unable to open state file '$state_file->{file_name}': $!");
+          OPEN_FLOCK: {
+                sysopen( my $fh, $state_file->{file_name}, Fcntl::O_CREAT() | Fcntl::O_RDWR(), 0600 )
+                  or $state_file->throw("Unable to open state file '$state_file->{file_name}': $!");
+
+                $self->_flock_after_open($fh);
+
+                #We might have blocked on the flock() long enough for
+                #another process to have rename()d over the file that
+                #we just locked. So we need to ensure that the file we
+                #have locked is the same file as $state_file.
+                my $fh_inode   = ( stat $fh )[1];
+                my $path_inode = ( stat $state_file->{file_name} )[1];
+                if ( $fh_inode != $path_inode ) {
+                    redo OPEN_FLOCK;
+                }
+
+                $state_file->{file_handle} = $fh;
+            }
+        }
+
+        sub _flock_after_open {
+            my ( $self, $fh ) = @_;
+
+            my $timed_out;
+
             eval {
-                local $SIG{'ALRM'} = sub { die "flock 2 timeout\n"; };
-                my $orig_alarm = alarm $state_file->{flock_timeout};
-                flock $fh, 2;
+                local $SIG{'ALRM'} = sub {
+                    $timed_out = 1;
+                    die "flock LOCK_EX timeout\n";
+                };
+
+                my $orig_alarm = alarm $self->{state_file}{flock_timeout};
+                flock $fh, Fcntl::LOCK_EX();
                 alarm $orig_alarm;
                 1;
             } or do {
                 close($fh);
-                if ( $@ eq "flock 2 timeout\n" ) {
-                    $state_file->throw('Guard timed out trying to open state file.');
-                }
-                else {
-                    $state_file->throw($@);
+
+                if ($timed_out) {
+                    $self->{state_file}->throw("Guard timed out trying to lock state file “$self->{state_file}{flock_timeout}”.");
                 }
+
+                $self->{state_file}->throw($@);
             };
-            $state_file->{file_handle} = $fh;
+
+            return;
         }
 
         sub update_file {
@@ -253,26 +277,33 @@ sub import {
             $state_file->throw('Cannot update_file inside a call_unlocked call.') unless defined $self->{lock_file};
 
             if ( !$state_file->{file_handle} ) {
-                if ( -e $state_file->{file_name} ) {
-                    $self->_open('+<');
-                }
-                else {
-                    sysopen( my $fh, $state_file->{file_name}, &Fcntl::O_CREAT | &Fcntl::O_EXCL | &Fcntl::O_RDWR )
-                      or $state_file->throw("Cannot create state file '$state_file->{file_name}': $!");
-                    $state_file->{file_handle} = $fh;
-                }
+                $self->_open();
             }
-            seek( $state_file->{file_handle}, 0, 0 );
-            truncate( $state_file->{file_handle}, 0 )
-              or $state_file->throw("Unable to truncate the state file: $!");
 
-            $state_file->{data_object}->save_to_cache( $state_file->{file_handle} );
-            $state_file->{file_mtime} = ( stat( $state_file->{file_handle} ) )[9];
+            #Set UNLINK in case we die().
+            require File::Temp;
+            my ( $fh, $path ) = File::Temp::tempfile( DIR => $self->{_file_dir}, UNLINK => 1 );
+
+            #We lock the temp file so that it’s “pre-locked”
+            #when we rename() it into place below. That way the
+            #production path stays consistently locked.
+            $self->_flock_after_open($fh);
+
+            $state_file->{data_object}->save_to_cache($fh);
+
+            rename $path => $state_file->{file_name} or $state_file->throw("Failed to rename($path => $state_file->{file_name}: $!");
+
+            flock $state_file->{file_handle}, Fcntl::LOCK_UN();
+            close $state_file->{file_handle};
+
+            @{$state_file}{ 'file_handle', 'file_size', 'file_mtime' } = (
+                $fh,
+                ( stat $fh )[ 7, 9 ],
+            );
 
             # Make certain we are at end of file.
-            seek( $state_file->{file_handle}, 0, 2 )
-              or $state_file->throw("Unable to go to end of file: $!");
-            $state_file->{file_size} = tell( $state_file->{file_handle} );
+            seek( $fh, 0, Fcntl::SEEK_END() ) or $state_file->throw("Unable to go to end of file “$state_file->{file_name}”: $!");
+
             return;
         }
 
@@ -430,7 +461,7 @@ sub import {
 
             # File is newer or a different size
             $guard ||= cPanel::StateFile::Guard->new( { state => $self } );
-            $guard->_open('+<');
+            $guard->_open();
             $self->{data_object}->load_from_cache( $self->{file_handle} );
             ( $self->{file_mtime}, $self->{file_size} ) = ( stat( $self->{file_handle} ) )[ 9, 7 ];
         }
diff --git a/t/statefile_lock_replace.t b/t/statefile_lock_replace.t
@@ -0,0 +1,161 @@
+#!/usr/bin/perl
+
+use Test::More tests => 1;
+
+use strict;
+use warnings;
+use autodie;
+
+use Fcntl         ();
+use File::Temp    ();
+use File::Slurper ();
+use Time::HiRes   ();
+
+use cPanel::StateFile ();
+
+my $dir = File::Temp::tempdir( CLEANUP => 1 );
+
+my $file_path = "$dir/the_file";
+
+our $suffix = substr( rand, 2 );
+
+#----------------------------------------------------------------------
+# This is a deep test of object internals. For conciseness,
+# it recreates objects directly rather than via constructors.
+# This is generally bad practice, but the alternatives would be either
+# an unwieldy, brittle test or a significant refactor, neither of which
+# seems justified here. (Even these tests are more complicated than
+# would be ideal.)
+#
+# Unfortunately, it means that any change to the implementation of
+# cPanel::StateFile or cPanel::StateFile::Guard is not unlikely to
+# cause a spurious failure here.
+#----------------------------------------------------------------------
+
+my $data_obj = bless( {}, 'MockDataObject' );
+
+sub _create_hack_guard {
+    my $hack_state = bless {
+        data_object   => $data_obj,
+        file_name     => $file_path,
+        flock_timeout => 60,
+      },
+      'cPanel::StateFile';
+
+    return bless {
+        state_file => $hack_state,
+        lock_file  => 'this_does_not_really_exist',
+      },
+      'cPanel::StateFile::Guard';
+}
+
+#----------------------------------------------------------------------
+
+local $SIG{'CHLD'} = 'IGNORE';
+
+my $subprocess_timeout = 60;    # 1 minute
+
+my $renamer_pid = fork or do {
+    my $end = time + $subprocess_timeout;
+
+    while ( time < $end ) {
+        open my $fh, '>>', $file_path;
+        flock $fh, Fcntl::LOCK_EX();
+
+        do { open my $fh, '>>', "$file_path.tmp" };
+
+        Time::HiRes::sleep(0.01);
+
+        rename "$file_path.tmp" => $file_path;
+    }
+
+    print "# $$: Renamer process has outlived its usefulness. Exiting …$/";
+
+    exit;
+};
+
+for my $iteration ( 1 .. 10 ) {
+    note "_open() iteration $iteration …";
+
+    my $hguard = _create_hack_guard();
+    $hguard->_open();
+
+    my $fh_inode   = ( stat $hguard->{'state_file'}{'file_handle'} )[1];
+    my $path_inode = ( stat $hguard->{'state_file'}{'file_name'} )[1];
+    if ( $fh_inode != $path_inode ) {
+        die "_open() did flock() a file handle that isn’t the path!";
+    }
+
+    note "\t… done.";
+}
+
+if ( CORE::kill 'KILL', $renamer_pid ) {
+    note "Renamer process ($renamer_pid) sent SIGKILL";
+}
+else {
+    diag "kill() of renamer process ($renamer_pid): $! (timed out?)";
+}
+
+#----------------------------------------------------------------------
+
+_create_hack_guard()->update_file();
+
+for my $iteration ( 1 .. 20 ) {
+    $suffix = substr( rand, 2 );
+    $suffix = substr( $suffix, 0, int rand length $suffix );
+
+    note "Integrity test: running iteration $iteration …";
+
+    my $expected_content = qr<\APID [0-9]+-$suffix\z>;
+
+    my $check_content_cr = sub {
+        my $content = File::Slurper::read_binary($file_path);
+
+        if ( $content !~ $expected_content ) {
+            die "FAIL: content “$content” doesn’t match expected “$expected_content”";
+        }
+    };
+
+    my $pid = fork or do {
+        alarm $subprocess_timeout;
+        my $hack_guard = _create_hack_guard();
+        $hack_guard->update_file();
+        do { open my $fh, '>', "$dir/wrote-$iteration" };
+        $hack_guard->update_file() while 1;
+    };
+
+    Time::HiRes::sleep(0.01) while !-e "$dir/wrote-$iteration";
+
+    my $start = time;
+    $check_content_cr->() while time < ( $start + 1 );
+
+    if ( !CORE::kill 'KILL', $pid ) {
+        diag "kill() of updater process ($pid): $! (timed out?)";
+    }
+
+    $check_content_cr->();
+}
+
+ok 1, 'Done';
+
+#----------------------------------------------------------------------
+
+package MockDataObject;
+
+sub load_from_cache {
+    my ( $self, $fh ) = @_;
+
+    sysread( $fh, $self->{'_content'}, 32768 );
+
+    return;
+}
+
+sub save_to_cache {
+    my ( $self, $fh ) = @_;
+
+    syswrite( $fh, "PID $$-$main::suffix" );
+
+    return;
+}
+
+1;
