1POSIX_SPAWN(P) POSIX Programmer's Manual POSIX_SPAWN(P)
2
6 posix_spawn, posix_spawnp - spawn a process (ADVANCED REALTIME)
7
9 #include <spawn.h>
10 int posix_spawn(pid_t *restrict pid, const char *restrict path,
12 const posix_spawn_file_actions_t *file_actions,
13 const posix_spawnattr_t *restrict attrp,
14 char *const argv[restrict], char *const envp[restrict]);
15 int posix_spawnp(pid_t *restrict pid, const char *restrict file,
16 const posix_spawn_file_actions_t *file_actions,
17 const posix_spawnattr_t *restrict attrp,
18 char *const argv[restrict], char * const envp[restrict]);
19
22 The posix_spawn() and posix_spawnp() functions shall create a new
23 process (child process) from the specified process image. The new
24 process image shall be constructed from a regular executable file
25 called the new process image file.
26 When a C program is executed as the result of this call, it shall be
28 entered as a C-language function call as follows:
29 int main(int argc, char *argv[]);
32 where argc is the argument count and argv is an array of character
34 pointers to the arguments themselves. In addition, the following vari‐
35 able:
36 extern char **environ;
39 shall be initialized as a pointer to an array of character pointers to
41 the environment strings.
42 The argument argv is an array of character pointers to null-terminated
44 strings. The last member of this array shall be a null pointer and is
45 not counted in argc. These strings constitute the argument list avail‐
46 able to the new process image. The value in argv[0] should point to a
47 filename that is associated with the process image being started by the
48 posix_spawn() or posix_spawnp() function.
49 The argument envp is an array of character pointers to null-terminated
51 strings. These strings constitute the environment for the new process
52 image. The environment array is terminated by a null pointer.
53 The number of bytes available for the child process' combined argument
55 and environment lists is {ARG_MAX}. The implementation shall specify in
56 the system documentation (see the Base Definitions volume of
57 IEEE Std 1003.1-2001, Chapter 2, Conformance) whether any list over‐
58 head, such as length words, null terminators, pointers, or alignment
59 bytes, is included in this total.
60 The path argument to posix_spawn() is a pathname that identifies the
62 new process image file to execute.
63 The file parameter to posix_spawnp() shall be used to construct a path‐
65 name that identifies the new process image file. If the file parameter
66 contains a slash character, the file parameter shall be used as the
67 pathname for the new process image file. Otherwise, the path prefix for
68 this file shall be obtained by a search of the directories passed as
69 the environment variable PATH (see the Base Definitions volume of
70 IEEE Std 1003.1-2001, Chapter 8, Environment Variables). If this envi‐
71 ronment variable is not defined, the results of the search are imple‐
72 mentation-defined.
73 If file_actions is a null pointer, then file descriptors open in the
75 calling process shall remain open in the child process, except for
76 those whose close-on- exec flag FD_CLOEXEC is set (see fcntl() ). For
77 those file descriptors that remain open, all attributes of the corre‐
78 sponding open file descriptions, including file locks (see fcntl() ),
79 shall remain unchanged.
80 If file_actions is not NULL, then the file descriptors open in the
82 child process shall be those open in the calling process as modified by
83 the spawn file actions object pointed to by file_actions and the
84 FD_CLOEXEC flag of each remaining open file descriptor after the spawn
85 file actions have been processed. The effective order of processing
86 the spawn file actions shall be:
87 1. The set of open file descriptors for the child process shall ini‐
89 tially be the same set as is open for the calling process. All
90 attributes of the corresponding open file descriptions, including
91 file locks (see fcntl() ), shall remain unchanged.
92 2. The signal mask, signal default actions, and the effective user and
94 group IDs for the child process shall be changed as specified in
95 the attributes object referenced by attrp.
96 3. The file actions specified by the spawn file actions object shall
98 be performed in the order in which they were added to the spawn
99 file actions object.
100 4. Any file descriptor that has its FD_CLOEXEC flag set (see fcntl() )
102 shall be closed.
103 The posix_spawnattr_t spawn attributes object type is defined in
105 <spawn.h>. It shall contain at least the attributes defined below.
106 If the POSIX_SPAWN_SETPGROUP flag is set in the spawn-flags attribute
108 of the object referenced by attrp, and the spawn-pgroup attribute of
109 the same object is non-zero, then the child's process group shall be as
110 specified in the spawn-pgroup attribute of the object referenced by
111 attrp.
112 As a special case, if the POSIX_SPAWN_SETPGROUP flag is set in the
114 spawn-flags attribute of the object referenced by attrp, and the spawn-
115 pgroup attribute of the same object is set to zero, then the child
116 shall be in a new process group with a process group ID equal to its
117 process ID.
118 If the POSIX_SPAWN_SETPGROUP flag is not set in the spawn-flags
120 attribute of the object referenced by attrp, the new child process
121 shall inherit the parent's process group.
122 If the POSIX_SPAWN_SETSCHEDPARAM flag is set in the spawn-flags
124 attribute of the object referenced by attrp, but POSIX_SPAWN_SETSCHED‐
125 ULER is not set, the new process image shall initially have the sched‐
126 uling policy of the calling process with the scheduling parameters
127 specified in the spawn-schedparam attribute of the object referenced by
128 attrp.
129 If the POSIX_SPAWN_SETSCHEDULER flag is set in the spawn-flags
131 attribute of the object referenced by attrp (regardless of the setting
132 of the POSIX_SPAWN_SETSCHEDPARAM flag), the new process image shall
133 initially have the scheduling policy specified in the spawn-schedpolicy
134 attribute of the object referenced by attrp and the scheduling parame‐
135 ters specified in the spawn-schedparam attribute of the same object.
136 The POSIX_SPAWN_RESETIDS flag in the spawn-flags attribute of the
138 object referenced by attrp governs the effective user ID of the child
139 process. If this flag is not set, the child process shall inherit the
140 parent process' effective user ID. If this flag is set, the child
141 process' effective user ID shall be reset to the parent's real user ID.
142 In either case, if the set-user-ID mode bit of the new process image
143 file is set, the effective user ID of the child process shall become
144 that file's owner ID before the new process image begins execution.
145 The POSIX_SPAWN_RESETIDS flag in the spawn-flags attribute of the
147 object referenced by attrp also governs the effective group ID of the
148 child process. If this flag is not set, the child process shall inherit
149 the parent process' effective group ID. If this flag is set, the child
150 process' effective group ID shall be reset to the parent's real group
151 ID. In either case, if the set-group-ID mode bit of the new process
152 image file is set, the effective group ID of the child process shall
153 become that file's group ID before the new process image begins execu‐
154 tion.
155 If the POSIX_SPAWN_SETSIGMASK flag is set in the spawn-flags attribute
157 of the object referenced by attrp, the child process shall initially
158 have the signal mask specified in the spawn-sigmask attribute of the
159 object referenced by attrp.
160 If the POSIX_SPAWN_SETSIGDEF flag is set in the spawn-flags attribute
162 of the object referenced by attrp, the signals specified in the spawn-
163 sigdefault attribute of the same object shall be set to their default
164 actions in the child process. Signals set to the default action in the
165 parent process shall be set to the default action in the child process.
166 Signals set to be caught by the calling process shall be set to the
168 default action in the child process.
169 Except for SIGCHLD, signals set to be ignored by the calling process
171 image shall be set to be ignored by the child process, unless otherwise
172 specified by the POSIX_SPAWN_SETSIGDEF flag being set in the spawn-
173 flags attribute of the object referenced by attrp and the signals being
174 indicated in the spawn-sigdefault attribute of the object referenced by
175 attrp.
176 If the SIGCHLD signal is set to be ignored by the calling process, it
178 is unspecified whether the SIGCHLD signal is set to be ignored or to
179 the default action in the child process, unless otherwise specified by
180 the POSIX_SPAWN_SETSIGDEF flag being set in the spawn_flags attribute
181 of the object referenced by attrp and the SIGCHLD signal being indi‐
182 cated in the spawn_sigdefault attribute of the object referenced by
183 attrp.
184 If the value of the attrp pointer is NULL, then the default values are
186 used.
187 All process attributes, other than those influenced by the attributes
189 set in the object referenced by attrp as specified above or by the file
190 descriptor manipulations specified in file_actions, shall appear in the
191 new process image as though fork() had been called to create a child
192 process and then a member of the exec family of functions had been
193 called by the child process to execute the new process image.
194 It is implementation-defined whether the fork handlers are run when
196 posix_spawn() or posix_spawnp() is called.
197
199 Upon successful completion, posix_spawn() and posix_spawnp() shall
200 return the process ID of the child process to the parent process, in
201 the variable pointed to by a non-NULL pid argument, and shall return
202 zero as the function return value. Otherwise, no child process shall be
203 created, the value stored into the variable pointed to by a non-NULL
204 pid is unspecified, and an error number shall be returned as the func‐
205 tion return value to indicate the error. If the pid argument is a null
206 pointer, the process ID of the child is not returned to the caller.
207
209 The posix_spawn() and posix_spawnp() functions may fail if:
210 EINVAL The value specified by file_actions or attrp is invalid.
212 If this error occurs after the calling process successfully returns
215 from the posix_spawn() or posix_spawnp() function, the child process
216 may exit with exit status 127.
217 If posix_spawn() or posix_spawnp() fail for any of the reasons that
219 would cause fork() or one of the exec family of functions to fail, an
220 error value shall be returned as described by fork() and exec, respec‐
221 tively (or, if the error occurs after the calling process successfully
222 returns, the child process shall exit with exit status 127).
223 If POSIX_SPAWN_SETPGROUP is set in the spawn-flags attribute of the
225 object referenced by attrp, and posix_spawn() or posix_spawnp() fails
226 while changing the child's process group, an error value shall be
227 returned as described by setpgid() (or, if the error occurs after the
228 calling process successfully returns, the child process shall exit with
229 exit status 127).
230 If POSIX_SPAWN_SETSCHEDPARAM is set and POSIX_SPAWN_SETSCHEDULER is not
232 set in the spawn-flags attribute of the object referenced by attrp,
233 then if posix_spawn() or posix_spawnp() fails for any of the reasons
234 that would cause sched_setparam() to fail, an error value shall be
235 returned as described by sched_setparam() (or, if the error occurs
236 after the calling process successfully returns, the child process shall
237 exit with exit status 127).
238 If POSIX_SPAWN_SETSCHEDULER is set in the spawn-flags attribute of the
240 object referenced by attrp, and if posix_spawn() or posix_spawnp()
241 fails for any of the reasons that would cause sched_setscheduler() to
242 fail, an error value shall be returned as described by sched_setsched‐
243 uler() (or, if the error occurs after the calling process successfully
244 returns, the child process shall exit with exit status 127).
245 If the file_actions argument is not NULL, and specifies any close,
247 dup2, or open actions to be performed, and if posix_spawn() or
248 posix_spawnp() fails for any of the reasons that would cause close(),
249 dup2(), or open() to fail, an error value shall be returned as
250 described by close(), dup2(), and open(), respectively (or, if the
251 error occurs after the calling process successfully returns, the child
252 process shall exit with exit status 127). An open file action may, by
253 itself, result in any of the errors described by close() or dup2(), in
254 addition to those described by open().
255 The following sections are informative.
257
259 None.
260
262 These functions are part of the Spawn option and need not be provided
263 on all implementations.
264
266 The posix_spawn() function and its close relation posix_spawnp() have
267 been introduced to overcome the following perceived difficulties with
268 fork(): the fork() function is difficult or impossible to implement
269 without swapping or dynamic address translation.
270 * Swapping is generally too slow for a realtime environment.
272 * Dynamic address translation is not available everywhere that POSIX
274 might be useful.
275 * Processes are too useful to simply option out of POSIX whenever it
277 must run without address translation or other MMU services.
278 Thus, POSIX needs process creation and file execution primitives that
280 can be efficiently implemented without address translation or other MMU
281 services.
282 The posix_spawn() function is implementable as a library routine, but
284 both posix_spawn() and posix_spawnp() are designed as kernel opera‐
285 tions. Also, although they may be an efficient replacement for many
286 fork()/ exec pairs, their goal is to provide useful process creation
287 primitives for systems that have difficulty with fork(), not to provide
288 drop-in replacements for fork()/ exec.
289 This view of the role of posix_spawn() and posix_spawnp() influenced
291 the design of their API. It does not attempt to provide the full func‐
292 tionality of fork()/ exec in which arbitrary user-specified operations
293 of any sort are permitted between the creation of the child process and
294 the execution of the new process image; any attempt to reach that level
295 would need to provide a programming language as parameters. Instead,
296 posix_spawn() and posix_spawnp() are process creation primitives like
297 the Start_Process and Start_Process_Search Ada language bindings pack‐
298 age POSIX_Process_Primitives and also like those in many operating sys‐
299 tems that are not UNIX systems, but with some POSIX-specific additions.
300 To achieve its coverage goals, posix_spawn() and posix_spawnp() have
302 control of six types of inheritance: file descriptors, process group
303 ID, user and group ID, signal mask, scheduling, and whether each signal
304 ignored in the parent will remain ignored in the child, or be reset to
305 its default action in the child.
306 Control of file descriptors is required to allow an independently writ‐
308 ten child process image to access data streams opened by and even gen‐
309 erated or read by the parent process without being specifically coded
310 to know which parent files and file descriptors are to be used. Control
311 of the process group ID is required to control how the child process'
312 job control relates to that of the parent.
313 Control of the signal mask and signal defaulting is sufficient to sup‐
315 port the implementation of system(). Although support for system() is
316 not explicitly one of the goals for posix_spawn() and posix_spawnp(),
317 it is covered under the "at least 50%" coverage goal.
318 The intention is that the normal file descriptor inheritance across
320 fork(), the subsequent effect of the specified spawn file actions, and
321 the normal file descriptor inheritance across one of the exec family of
322 functions should fully specify open file inheritance. The implementa‐
323 tion need make no decisions regarding the set of open file descriptors
324 when the child process image begins execution, those decisions having
325 already been made by the caller and expressed as the set of open file
326 descriptors and their FD_CLOEXEC flags at the time of the call and the
327 spawn file actions object specified in the call. We have been assured
328 that in cases where the POSIX Start_Process Ada primitives have been
329 implemented in a library, this method of controlling file descriptor
330 inheritance may be implemented very easily.
331 We can identify several problems with posix_spawn() and posix_spawnp(),
333 but there does not appear to be a solution that introduces fewer prob‐
334 lems. Environment modification for child process attributes not speci‐
335 fiable via the attrp or file_actions arguments must be done in the par‐
336 ent process, and since the parent generally wants to save its context,
337 it is more costly than similar functionality with fork()/ exec. It is
338 also complicated to modify the environment of a multi-threaded process
339 temporarily, since all threads must agree when it is safe for the envi‐
340 ronment to be changed. However, this cost is only borne by those invo‐
341 cations of posix_spawn() and posix_spawnp() that use the additional
342 functionality. Since extensive modifications are not the usual case,
343 and are particularly unlikely in time-critical code, keeping much of
344 the environment control out of posix_spawn() and posix_spawnp() is
345 appropriate design.
346 The posix_spawn() and posix_spawnp() functions do not have all the
348 power of fork()/ exec. This is to be expected. The fork() function is
349 a wonderfully powerful operation. We do not expect to duplicate its
350 functionality in a simple, fast function with no special hardware
351 requirements. It is worth noting that posix_spawn() and posix_spawnp()
352 are very similar to the process creation operations on many operating
353 systems that are not UNIX systems.
354 Requirements
356 The requirements for posix_spawn() and posix_spawnp() are:
357 * They must be implementable without an MMU or unusual hardware.
359 * They must be compatible with existing POSIX standards.
361 Additional goals are:
363 * They should be efficiently implementable.
365 * They should be able to replace at least 50% of typical executions of
367 fork().
368 * A system with posix_spawn() and posix_spawnp() and without fork()
370 should be useful, at least for realtime applications.
371 * A system with fork() and the exec family should be able to implement
373 posix_spawn() and posix_spawnp() as library routines.
374 Two-Syntax
376 POSIX exec has several calling sequences with approximately the same
377 functionality. These appear to be required for compatibility with
378 existing practice. Since the existing practice for the posix_spawn*()
379 functions is otherwise substantially unlike POSIX, we feel that sim‐
380 plicity outweighs compatibility. There are, therefore, only two names
381 for the posix_spawn*() functions.
382 The parameter list does not differ between posix_spawn() and
384 posix_spawnp(); posix_spawnp() interprets the second parameter more
385 elaborately than posix_spawn().
386 Compatibility with POSIX.5 (Ada)
388 The Start_Process and Start_Process_Search procedures from the
389 POSIX_Process_Primitives package from the Ada language binding to
390 POSIX.1 encapsulate fork() and exec functionality in a manner similar
391 to that of posix_spawn() and posix_spawnp(). Originally, in keeping
392 with our simplicity goal, the standard developers had limited the capa‐
393 bilities of posix_spawn() and posix_spawnp() to a subset of the capa‐
394 bilities of Start_Process and Start_Process_Search; certain non-default
395 capabilities were not supported. However, based on suggestions by the
396 ballot group to improve file descriptor mapping or drop it, and on the
397 advice of an Ada Language Bindings working group member, the standard
398 developers decided that posix_spawn() and posix_spawnp() should be suf‐
399 ficiently powerful to implement Start_Process and Start_Process_Search.
400 The rationale is that if the Ada language binding to such a primitive
401 had already been approved as an IEEE standard, there can be little jus‐
402 tification for not approving the functionally-equivalent parts of a C
403 binding. The only three capabilities provided by posix_spawn() and
404 posix_spawnp() that are not provided by Start_Process and
405 Start_Process_Search are optionally specifying the child's process
406 group ID, the set of signals to be reset to default signal handling in
407 the child process, and the child's scheduling policy and parameters.
408 For the Ada language binding for Start_Process to be implemented with
410 posix_spawn(), that binding would need to explicitly pass an empty sig‐
411 nal mask and the parent's environment to posix_spawn() whenever the
412 caller of Start_Process allowed these arguments to default, since
413 posix_spawn() does not provide such defaults. The ability of
414 Start_Process to mask user-specified signals during its execution is
415 functionally unique to the Ada language binding and must be dealt with
416 in the binding separately from the call to posix_spawn().
417 Process Group
419 The process group inheritance field can be used to join the child
420 process with an existing process group. By assigning a value of zero to
421 the spawn-pgroup attribute of the object referenced by attrp, the
422 setpgid() mechanism will place the child process in a new process
423 group.
424 Threads
426 Without the posix_spawn() and posix_spawnp() functions, systems without
427 address translation can still use threads to give an abstraction of
428 concurrency. In many cases, thread creation suffices, but it is not
429 always a good substitute. The posix_spawn() and posix_spawnp() func‐
430 tions are considerably "heavier" than thread creation. Processes have
431 several important attributes that threads do not. Even without address
432 translation, a process may have base-and-bound memory protection. Each
433 process has a process environment including security attributes and
434 file capabilities, and powerful scheduling attributes. Processes
435 abstract the behavior of non-uniform-memory-architecture multi-proces‐
436 sors better than threads, and they are more convenient to use for
437 activities that are not closely linked.
438 The posix_spawn() and posix_spawnp() functions may not bring support
440 for multiple processes to every configuration. Process creation is not
441 the only piece of operating system support required to support multiple
442 processes. The total cost of support for multiple processes may be
443 quite high in some circumstances. Existing practice shows that support
444 for multiple processes is uncommon and threads are common among "tiny
445 kernels". There should, therefore, probably continue to be AEPs for
446 operating systems with only one process.
447 Asynchronous Error Notification
449 A library implementation of posix_spawn() or posix_spawnp() may not be
450 able to detect all possible errors before it forks the child process.
451 IEEE Std 1003.1-2001 provides for an error indication returned from a
452 child process which could not successfully complete the spawn operation
453 via a special exit status which may be detected using the status value
454 returned by wait() and waitpid().
455 The stat_val interface and the macros used to interpret it are not well
457 suited to the purpose of returning API errors, but they are the only
458 path available to a library implementation. Thus, an implementation
459 may cause the child process to exit with exit status 127 for any error
460 detected during the spawn process after the posix_spawn() or
461 posix_spawnp() function has successfully returned.
462 The standard developers had proposed using two additional macros to
464 interpret stat_val. The first, WIFSPAWNFAIL, would have detected a sta‐
465 tus that indicated that the child exited because of an error detected
466 during the posix_spawn() or posix_spawnp() operations rather than dur‐
467 ing actual execution of the child process image; the second, WSPAWN‐
468 ERRNO, would have extracted the error value if WIFSPAWNFAIL indicated a
469 failure. Unfortunately, the ballot group strongly opposed this because
470 it would make a library implementation of posix_spawn() or
471 posix_spawnp() dependent on kernel modifications to waitpid() to be
472 able to embed special information in stat_val to indicate a spawn fail‐
473 ure.
474 The 8 bits of child process exit status that are guaranteed by
476 IEEE Std 1003.1-2001 to be accessible to the waiting parent process are
477 insufficient to disambiguate a spawn error from any other kind of error
478 that may be returned by an arbitrary process image. No other bits of
479 the exit status are required to be visible in stat_val, so these macros
480 could not be strictly implemented at the library level. Reserving an
481 exit status of 127 for such spawn errors is consistent with the use of
482 this value by system() and popen() to signal failures in these opera‐
483 tions that occur after the function has returned but before a shell is
484 able to execute. The exit status of 127 does not uniquely identify this
485 class of error, nor does it provide any detailed information on the
486 nature of the failure. Note that a kernel implementation of
487 posix_spawn() or posix_spawnp() is permitted (and encouraged) to return
488 any possible error as the function value, thus providing more detailed
489 failure information to the parent process.
490 Thus, no special macros are available to isolate asynchronous
492 posix_spawn() or posix_spawnp() errors. Instead, errors detected by the
493 posix_spawn() or posix_spawnp() operations in the context of the child
494 process before the new process image executes are reported by setting
495 the child's exit status to 127. The calling process may use the WIFEX‐
496 ITED and WEXITSTATUS macros on the stat_val stored by the wait() or
497 waitpid() functions to detect spawn failures to the extent that other
498 status values with which the child process image may exit (before the
499 parent can conclusively determine that the child process image has
500 begun execution) are distinct from exit status 127.
501
503 None.
504
506 alarm() , chmod() , close() , dup() , exec() , exit() , fcntl() ,
507 fork() , kill() , open() , posix_spawn_file_actions_addclose() ,
508 posix_spawn_file_actions_adddup2() , posix_spawn_file_actions_addopen()
509 , posix_spawn_file_actions_destroy() , , posix_spawnattr_destroy() ,
510 posix_spawnattr_init() , posix_spawnattr_getsigdefault() , posix_spaw‐
511 nattr_getflags() , posix_spawnattr_getpgroup() , posix_spaw‐
512 nattr_getschedparam() , posix_spawnattr_getschedpolicy() , posix_spaw‐
513 nattr_getsigmask() , posix_spawnattr_setsigdefault() , posix_spaw‐
514 nattr_setflags() , posix_spawnattr_setpgroup() , posix_spaw‐
515 nattr_setschedparam() , posix_spawnattr_setschedpolicy() , posix_spaw‐
516 nattr_setsigmask() , sched_setparam() , sched_setscheduler() ,
517 setpgid() , setuid() , stat() , times() , wait() , the Base Definitions
518 volume of IEEE Std 1003.1-2001, <spawn.h>
519
521 Portions of this text are reprinted and reproduced in electronic form
522 from IEEE Std 1003.1, 2003 Edition, Standard for Information Technology
523 -- Portable Operating System Interface (POSIX), The Open Group Base
524 Specifications Issue 6, Copyright (C) 2001-2003 by the Institute of
525 Electrical and Electronics Engineers, Inc and The Open Group. In the
526 event of any discrepancy between this version and the original IEEE and
527 The Open Group Standard, the original IEEE and The Open Group Standard
528 is the referee document. The original Standard can be obtained online
529 at http://www.opengroup.org/unix/online.html .
530IEEE/The Open Group 2003 POSIX_SPAWN(P)