pitchfork 0.10.0 → 0.11.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0f23c677bd64eb8ca7a040cb2d41dab4047e05ae849da16af8e537748bfb6dbe
-  data.tar.gz: 890bac5b67c23d6f0aacf0d9130999cf69ac0bc5a2f1ea06bdd142d67c0606ac
+  metadata.gz: 5dc129b2e6e6e940be0f9e388400a376614a65a125a64b68c73b919744c433b3
+  data.tar.gz: b12e1d5f360edc7159567060c095b40510e8e89c54dae058882742c29c830f78
 SHA512:
-  metadata.gz: 39c33bbbe865ba22bebc8b6b1e823f71d0ba6b2787f06af26f0ffe3d4251c781850826fcbcdf1dc13b1734919770e35dc57815d2de057f18d97ba354f247a3e7
-  data.tar.gz: 94e5ae39e129af1fd950c9a77e094bac5bda586f7358115fd8cf25bb3c6ee2079bb4654ebd4e6ed5e9ff498b461559da07d7b44acc0147fcac5c9a4695b7c62c
+  metadata.gz: 4a43b0204dc0e77a4d28007dbfd89e9645724a4198ea6ec7ffa0895aefaf075bd42d4303c37d0f7e61afb550b665b78ab6b22ca9f934ef2d3721883acf0a68cd
+  data.tar.gz: 7eb41807d6971ac948ee264b1f70fd2e16afcf8f289655073c876b752a53a405b9705e97509f5be82c519ee12694ecf1910b18a20cce8aad3ce9a4ffd3af9ac6

data/.github/workflows/ci.yml

@@ -10,7 +10,7 @@ jobs:
       fail-fast: false
       matrix:
         os: ["ubuntu-latest"]
-        ruby: ["3.2", "3.1", "3.0", "2.7", "2.6"]
+        ruby: ["ruby-head", "3.3", "3.2", "3.1", "3.0", "2.7", "2.6"]
     runs-on: ubuntu-latest
     steps:
       - name: Check out code

data/CHANGELOG.md

@@ -1,5 +1,17 @@
 # Unreleased
 
+# 0.11.1
+
+- Fix Ruby 3.4-dev compatibility.
+
+# 0.11.0
+
+- Drop invalid response headers.
+- Enforce `spawn_timeout` for molds too.
+- Gracefully shutdown the server if the mold appear to be corrupted (#79).
+- Add more information in proctitle when forking a new sibbling.
+- Add a `before_fork` callback called before forking new molds and new workers.
+
 # 0.10.0
 
 - Include requests count in workers proctitle.

data/Gemfile.lock

@@ -1,18 +1,18 @@
 PATH
   remote: .
   specs:
-    pitchfork (0.10.0)
+    pitchfork (0.11.1)
       rack (>= 2.0)
       raindrops (~> 0.7)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    minitest (5.15.0)
-    nio4r (2.5.9)
-    puma (6.3.1)
+    minitest (5.22.2)
+    nio4r (2.7.0)
+    puma (6.4.2)
       nio4r (~> 2.0)
-    rack (3.0.8)
+    rack (3.0.9.1)
     raindrops (0.20.1)
     rake (13.0.6)
     rake-compiler (1.2.1)
@@ -20,8 +20,7 @@ GEM
 
 PLATFORMS
   aarch64-linux
-  arm64-darwin-21
-  arm64-darwin-22
+  arm64-darwin
   x86_64-linux
 
 DEPENDENCIES

data/Rakefile

@@ -42,7 +42,6 @@ namespace :test do
   # preferable to edit the test suite as little as possible.
   task legacy_integration: :compile do
     File.write("test/integration/random_blob", File.read("/dev/random", 1_000_000))
-    lib = File.expand_path("lib", __dir__)
     path = "#{File.expand_path("exe", __dir__)}:#{ENV["PATH"]}"
     old_path = ENV["PATH"]
     ENV["PATH"] = "#{path}:#{old_path}"

data/docs/CONFIGURATION.md

@@ -241,10 +241,10 @@ for more details on nginx upstream configuration.
 ### `spawn_timeout`
 
 ```ruby
-timeout 5
+spawn_timeout 5
 ```
 
-Sets the timeout for a newly spawned worker to be ready after being spawned.
+Sets the timeout for a newly spawned worker or mold to be ready after being spawned.
 
 This timeout is a safeguard against various low-level fork safety bugs that could cause
 a process to dead-lock.
@@ -284,6 +284,16 @@ after_monitor_ready do |server|
 end
 ```
 
+### `before_fork`
+
+Called by the mold before forking a new workers, and by workers before they spawn a new mold.
+
+```ruby
+before_fork do |server|
+  server.logger.info("About to fork, closing connections!")
+end
+```
+
 ### `after_mold_fork`
 
 ```ruby
@@ -307,6 +317,11 @@ That is the case for instance of many SQL databases protocols.
 This is also the callback in which memory optimizations, such as
 heap compaction should be done.
 
+This callback is also a good place to check for potential corruption
+issues caused by forking. If you detect something wrong, you can
+call `Process.exit`, and this mold won't be used, another one will be
+spawned later. e.g. you can check `Socket.getaddrinfo` still works, etc.
+
 ### `after_worker_fork`
 
 ```ruby

data/docs/DESIGN.md

@@ -49,7 +49,7 @@
   nothing to accept().
 
 * Since non-blocking accept() is used, there can be a thundering
-  herd when an occasional client connects when application
+  herd when an occasional client connects when the application
   *is not busy*.  The thundering herd problem should not affect
   applications that are running all the time since worker processes
   will only select()/accept() outside of the application dispatch.

data/docs/FORK_SAFETY.md

@@ -3,11 +3,11 @@
 Because `pitchfork` is a preforking server, your application code and libraries
 must be fork safe.
 
-Generally code might be fork-unsafe for one of two reasons
+Generally, code might be fork-unsafe for one of two reasons.
 
 ## Inherited Connection
 
-When a process is forked, any open file descriptor (sockets, files, pipes, etc)
+When a process is forked, any open file descriptors (sockets, files, pipes, etc)
 end up shared between the parent and child process. This is never what you
 want, so any code keeping persistent connections should close them either
 before or after the fork happens.
@@ -22,20 +22,24 @@ reopen connections and restart threads:
 ```ruby
 # pitchfork.conf.rb
 
-after_mold_fork do
+before_fork do
   Sequel::DATABASES.each(&:disconnect)
 end
 
-after_worker_fork do
+after_mold_fork do
   SomeLibary.connection.close
 end
+
+after_worker_fork do
+  SomeOtherLibary.connection.close
+end
 ```
 
 The documentation of any database client or network library you use should be
 read with care to figure out how to disconnect it, and whether it is best to
 do it before or after fork.
 
-Since the most common Ruby application servers `Puma`, `Unicorn` and `Passenger`
+Since the most common Ruby application servers like `Puma`, `Unicorn` and `Passenger`
 have forking at least as an option, the requirements are generally well documented.
 
 However what is novel with `Pitchfork`, is that processes can be forked more than once.
@@ -57,7 +61,7 @@ So any libraries that spawn a background thread for periodical work may need to
 that a fork happened and that it should restart its thread.
 
 Just like with connections, some libraries take on them to automatically restart their background
-thread when they detect a fork happened.
+thread when they detect that a fork happened.
 
 # Refork Safety
 
@@ -67,7 +71,7 @@ but not work in Pitchfork when reforking is enabled.
 This is because it is not uncommon for network connections or background threads to only be
 initialized upon the first request. As such they're not inherited on the first fork.
 
-However when reforking is enabled, new processes as forked out of warmed up process, as such
+However when reforking is enabled, new processes are forked out of a warmed up process, as such
 any lazily created connection is much more likely to have been created.
 
 As such, if you enable reforking for the first time, it is heavily recommended to first do it
@@ -84,4 +88,6 @@ impact of discovering such bug.
 - The `ruby-vips` gem binds the `libvips` image processing library that isn't fork safe.
   (https://github.com/libvips/libvips/discussions/3577)
 
-No other gem is known to be incompatible for now, but if you find one please open an issue to add it to the list.
+- Any gem binding with `libgobject`, such as the `gda` gem, likely aren't fork safe.
+
+No other gem is known to be incompatible for now, but if you find one, please open an issue to add it to the list.

data/docs/PHILOSOPHY.md

@@ -80,8 +80,8 @@ Suitable options include `nginx`, `caddy` and likely several others.
 One of the main advantages of threaded servers over preforking servers is their
 lower memory usage.
 
-However `pitchfork` solves this with its reforking feature. If enabled and properly configured
-it very significantly increase Copy-on-Write performance, closing the gap with threaded servers.
+However `pitchfork` solves this with its reforking feature. If enabled and properly configured,
+it can very significantly increase Copy-on-Write performance, closing the gap with threaded servers.
 
 ## Assume Modern Deployment Methods
 

data/docs/REFORKING.md

@@ -21,7 +21,7 @@ forked processes are essentially free.
 So in theory, preforking servers shouldn't use more memory than threaded servers.
 
 However, in a Ruby process, there is generally a lot of memory regions that are lazily initialized.
-This include the Ruby Virtual Machine inline caches, JITed code if you use YJIT, and also
+This includes the Ruby Virtual Machine inline caches, JITed code if you use YJIT, and also
 some common patterns in applications, such as memoization:
 
 ```ruby
@@ -35,13 +35,13 @@ end
 However, since workers are forked right after boot, most codepaths have never been executed,
 so most of these caches are not yet initialized.
 
-As more code get executed, more an more memory pages get invalidated. If you were to graph the ratio
-of shared memory of a ruby process over time, you'd likely see a logarithmic curve, with a quick degradation
+As more code gets executed, more and more memory pages get invalidated. If you were to graph the ratio
+of shared memory of a Ruby process over time, you'd likely see a logarithmic curve, with a quick degradation
 during the first few processed request as the most common code paths get warmed up, and then a stabilization.
 
 ### Reforking
 
-That is where reforking helps. Since move of these invalidations only happens when a codepath is executed for the
+That is where reforking helps. Since most of these invalidations only happen when a code path is executed for the
 first time, if you take a warmed up worker out of rotation, and use it to fork new workers, warmed up pages will
 be shared again, and most of them won't be invalidated anymore.
 
@@ -123,9 +123,9 @@ PID   COMMAND
 ```
 
 However the `pitchfork` master process registers itself as a "child subreaper" via [`PR_SET_CHILD_SUBREAPER`](https://man7.org/linux/man-pages/man2/prctl.2.html).
-This means any descendant process that is orphaned will be re-parented as a child of the master rather than a child of the init process (pid 1).
+This means that any descendant process that is orphaned will be re-parented as a child of the master process rather than a child of the init process (pid 1).
 
-With this in mind, the mold forks twice to create an orphaned process that will get re-attached to the master,
+With this in mind, the mold forks twice to create an orphaned process that will get re-attached to the master process,
 effectively forking a sibling rather than a child. Similarly, workers do the same when forking new molds.
 This technique eases killing previous generations of molds and workers.
 

data/docs/SIGNALS.md

@@ -1,6 +1,6 @@
 ## Signal handling
 
-In general, signals need only be sent to the master process. However,
+In general, signals need to only be sent to the master process. However,
 the signals Pitchfork uses internally to communicate with the worker
 processes are documented here as well.
 
@@ -22,8 +22,8 @@ processes are documented here as well.
 ### Worker Processes
 
 Note: the master uses a pipe to signal workers
-instead of `kill(2)` for most cases.  Using signals still (and works and
-remains supported for external tools/libraries), however.
+instead of `kill(2)` for most cases.  Using signals still works and
+remains supported for external tools/libraries, however.
 
 Sending signals directly to the worker processes should not normally be
 needed.  If the master process is running, any exited worker will be

data/ext/pitchfork_http/epollexclusive.h

@@ -21,6 +21,16 @@
 #  define USE_EPOLL (0)
 #endif
 
+#ifndef HAVE_RB_IO_DESCRIPTOR /* Ruby < 3.1 */
+static int rb_io_descriptor(VALUE io)
+{
+    rb_io_t *fptr;
+    GetOpenFile(io, fptr);
+    rb_io_check_closed(fptr);
+    return fptr->fd;
+}
+#endif
+
 #if USE_EPOLL
 /*
  * :nodoc:
@@ -54,8 +64,7 @@ static VALUE prep_readers(VALUE cls, VALUE readers)
 		 */
 		e.events = EPOLLEXCLUSIVE | EPOLLIN;
 		io = rb_io_get_io(io);
-		GetOpenFile(io, fptr);
-		rc = epoll_ctl(epfd, EPOLL_CTL_ADD, fptr->fd, &e);
+		rc = epoll_ctl(epfd, EPOLL_CTL_ADD, rb_io_descriptor(io), &e);
 		if (rc < 0) rb_sys_fail("epoll_ctl");
 	}
 	return epio;
@@ -65,7 +74,7 @@ static VALUE prep_readers(VALUE cls, VALUE readers)
 #if USE_EPOLL
 struct ep_wait {
 	struct epoll_event event;
-	rb_io_t *fptr;
+	VALUE io;
 	int timeout_msec;
 };
 
@@ -79,7 +88,7 @@ static void *do_wait(void *ptr) /* runs w/o GVL */
 	 * at-a-time (c.f. fs/eventpoll.c in linux.git, it's quite
 	 * easy-to-understand for anybody familiar with Ruby C).
 	 */
-	return (void *)(long)epoll_wait(epw->fptr->fd, &epw->event, 1,
+	return (void *)(long)epoll_wait(rb_io_descriptor(epw->io), &epw->event, 1,
 					epw->timeout_msec);
 }
 
@@ -93,11 +102,10 @@ get_readers(VALUE epio, VALUE ready, VALUE readers, VALUE timeout_msec)
 
 	Check_Type(ready, T_ARRAY);
 	Check_Type(readers, T_ARRAY);
-	epio = rb_io_get_io(epio);
-	GetOpenFile(epio, epw.fptr);
-
+	epw.io = rb_io_get_io(epio);
 	epw.timeout_msec = NUM2INT(timeout_msec);
 	n = (long)rb_thread_call_without_gvl(do_wait, &epw, RUBY_UBF_IO, NULL);
+	RB_GC_GUARD(epw.io);
 	if (n < 0) {
 		if (errno != EINTR) rb_sys_fail("epoll_wait");
 	} else if (n > 0) { /* maxevents is hardcoded to 1 */

data/ext/pitchfork_http/extconf.rb

@@ -3,6 +3,8 @@ require 'mkmf'
 
 have_const("PR_SET_CHILD_SUBREAPER", "sys/prctl.h")
 have_func("rb_enc_interned_str", "ruby.h") # Ruby 3.0+
+have_func("rb_io_descriptor", "ruby.h") # Ruby 3.1+
+
 if RUBY_VERSION.start_with?('3.0.')
   # https://bugs.ruby-lang.org/issues/18772
   $CFLAGS << ' -DRB_ENC_INTERNED_STR_NULL_CHECK=1 '

data/lib/pitchfork/children.rb

@@ -66,6 +66,11 @@ module Pitchfork
       @workers.key?(nr)
     end
 
+    def abandon(worker)
+      @workers.delete(worker.nr)
+      @pending_workers.delete(worker.nr)
+    end
+
     def reap(pid)
       if child = @children.delete(pid)
         @pending_workers.delete(child.nr)
@@ -73,6 +78,9 @@ module Pitchfork
         @molds.delete(child.pid)
         @workers.delete(child.nr)
         if @mold == child
+          @pending_workers.reject! do |nr, worker|
+            worker.generation == @mold.generation
+          end
           @mold = nil
         end
       end
@@ -99,6 +107,10 @@ module Pitchfork
       @molds.values
     end
 
+    def empty?
+      @children.empty?
+    end
+
     def each(&block)
       @children.each_value(&block)
     end
@@ -126,14 +138,6 @@ module Pitchfork
       end
     end
 
-    def hard_timeout(child)
-      child.hard_timeout!
-    rescue Errno::ESRCH
-      reap(child.pid)
-      child.close
-      true
-    end
-
     def workers
       @workers.values
     end

data/lib/pitchfork/configurator.rb

@@ -34,9 +34,11 @@ module Pitchfork
       :soft_timeout => 20,
       :cleanup_timeout => 2,
       :spawn_timeout => 10,
+      :timeout_signal => -> (_pid) { :KILL },
       :timeout => 22,
       :logger => default_logger,
       :worker_processes => 1,
+      :before_fork => nil,
       :after_worker_fork => lambda { |server, worker|
         server.logger.info("worker=#{worker.nr} gen=#{worker.generation} pid=#{$$} spawned")
       },
@@ -133,6 +135,10 @@ module Pitchfork
       set[:logger] = obj
     end
 
+    def before_fork(*args, &block)
+      set_hook(:before_fork, block_given? ? block : args[0], 1)
+    end
+
     def after_worker_fork(*args, &block)
       set_hook(:after_worker_fork, block_given? ? block : args[0])
     end
@@ -175,6 +181,19 @@ module Pitchfork
       set_int(:timeout, soft_timeout + cleanup_timeout, 5)
     end
 
+    def timeout_signal(*args, &block)
+      if block_given?
+        set_hook(:timeout_signal, block, 1)
+      elsif args.first.respond_to?(:call)
+        set_hook(:timeout_signal, args.first, 1)
+      elsif args.first.is_a?(Symbol)
+        signal = args.first
+        set_hook(:timeout_signal, ->(_pid) { signal }, 1)
+      else
+        raise ArgumentError, "timeout_signal must be a symbol or a proc"
+      end
+    end
+
     def spawn_timeout(seconds)
       set_int(:spawn_timeout, seconds, 1)
     end

data/lib/pitchfork/http_parser.rb

@@ -193,7 +193,12 @@ module Pitchfork
 
     # called by ext/pitchfork_http/pitchfork_http.rl via rb_funcall
     def self.is_chunked?(v) # :nodoc:
-      vals = v.split(/[ \t]*,[ \t]*/).map!(&:downcase)
+      vals = v.split(',')
+      vals.each do |val|
+        val.strip!
+        val.downcase!
+      end
+
       if vals.pop == 'chunked'.freeze
         return true unless vals.include?('chunked'.freeze)
         raise Pitchfork::HttpParserError, 'double chunked', []

data/lib/pitchfork/http_response.rb

@@ -14,6 +14,8 @@ module Pitchfork
     STATUS_CODES = defined?(Rack::Utils::HTTP_STATUS_CODES) ?
                    Rack::Utils::HTTP_STATUS_CODES : {}
 
+    ILLEGAL_HEADER_VALUE = /[\x00-\x08\x0A-\x1F]/
+
     # internal API, code will always be common-enough-for-even-old-Rack
     def err_response(code, response_start_sent)
       "#{response_start_sent ? '' : 'HTTP/1.1 '}" \
@@ -23,10 +25,16 @@ module Pitchfork
     def append_header(buf, key, value)
       case value
       when Array # Rack 3
-        value.each { |v| buf << "#{key}: #{v}\r\n" }
+        value.each do |v|
+          next if ILLEGAL_HEADER_VALUE.match?(v)
+          buf << "#{key}: #{v}\r\n"
+        end
       when /\n/ # Rack 2
         # avoiding blank, key-only cookies with /\n+/
-        value.split(/\n+/).each { |v| buf << "#{key}: #{v}\r\n" }
+        value.split(/\n+/).each do |v|
+          next if ILLEGAL_HEADER_VALUE.match?(v)
+          buf << "#{key}: #{v}\r\n"
+        end
       else
         buf << "#{key}: #{value}\r\n"
       end

data/lib/pitchfork/http_server.rb

@@ -74,8 +74,8 @@ module Pitchfork
     end
 
     # :stopdoc:
-    attr_accessor :app, :timeout, :soft_timeout, :cleanup_timeout, :spawn_timeout, :worker_processes,
-                  :after_worker_fork, :after_mold_fork,
+    attr_accessor :app, :timeout, :timeout_signal, :soft_timeout, :cleanup_timeout, :spawn_timeout, :worker_processes,
+                  :before_fork, :after_worker_fork, :after_mold_fork,
                   :listener_opts, :children,
                   :orig_app, :config, :ready_pipe,
                   :default_middleware, :early_hints
@@ -201,7 +201,7 @@ module Pitchfork
       else
         build_app!
         bind_listeners!
-        after_mold_fork.call(self, Worker.new(nil, pid: $$).promoted!)
+        after_mold_fork.call(self, Worker.new(nil, pid: $$).promoted!(@spawn_timeout))
       end
 
       if sync
@@ -315,7 +315,7 @@ module Pitchfork
         end
       end
       stop # gracefully shutdown all workers on our way out
-      logger.info "master complete"
+      logger.info "master complete status=#{@exit_status}"
       @exit_status
     end
 
@@ -368,7 +368,7 @@ module Pitchfork
       when Message::WorkerSpawned
         worker = @children.update(message)
         # TODO: should we send a message to the worker to acknowledge?
-        logger.info "worker=#{worker.nr} pid=#{worker.pid} registered"
+        logger.info "worker=#{worker.nr} pid=#{worker.pid} gen=#{worker.generation} registered"
       when Message::MoldSpawned
         new_mold = @children.update(message)
         logger.info("mold pid=#{new_mold.pid} gen=#{new_mold.generation} spawned")
@@ -394,7 +394,7 @@ module Pitchfork
       wait_for_pending_workers
       self.listeners = []
       limit = Pitchfork.time_now + timeout
-      until @children.workers.empty? || Pitchfork.time_now > limit
+      until @children.empty? || Pitchfork.time_now > limit
         if graceful
           @children.soft_kill_all(:TERM)
         else
@@ -404,11 +404,17 @@ module Pitchfork
           return StopIteration
         end
       end
-      @children.hard_kill_all(:KILL)
+
+      @children.each do |child|
+        if child.pid
+          @children.hard_kill(@timeout_signal.call(child.pid), child)
+        end
+      end
       @promotion_lock.unlink
     end
 
     def worker_exit(worker)
+      logger.info "worker=#{worker.nr} pid=#{worker.pid} gen=#{worker.generation} exiting"
       proc_name status: "exiting"
 
       if @before_worker_exit
@@ -494,8 +500,8 @@ module Pitchfork
       now = Pitchfork.time_now(true)
       next_sleep = @timeout - 1
 
-      @children.workers.each do |worker|
-        deadline = worker.deadline
+      @children.each do |child|
+        deadline = child.deadline
         if 0 == deadline # worker is idle
           next
         elsif deadline > now # worker still has time
@@ -506,28 +512,34 @@ module Pitchfork
           next
         else # worker is out of time
           next_sleep = 0
-          hard_timeout(worker)
+          hard_timeout(child)
         end
       end
 
       next_sleep <= 0 ? 1 : next_sleep
     end
 
-    def hard_timeout(worker)
-      if @after_worker_hard_timeout
+    def hard_timeout(child)
+      if child.pid.nil? # Not yet registered, likely never spawned
+        logger.error "worker=#{child.nr} timed out during spawn, abandoning"
+        @children.abandon(worker)
+        return
+      end
+
+      if @after_worker_hard_timeout && !child.mold?
         begin
-          @after_worker_hard_timeout.call(self, worker)
+          @after_worker_hard_timeout.call(self, child)
         rescue => error
           Pitchfork.log_error(@logger, "after_worker_hard_timeout callback", error)
         end
       end
 
-      if worker.mold?
-        logger.error "mold pid=#{worker.pid} timed out, killing"
+      if child.mold?
+        logger.error "mold pid=#{child.pid} gen=#{child.generation} timed out, killing"
       else
-        logger.error "worker=#{worker.nr} pid=#{worker.pid} timed out, killing"
+        logger.error "worker=#{child.nr} pid=#{child.pid} gen=#{child.generation} timed out, killing"
       end
-      @children.hard_timeout(worker) # take no prisoners for hard timeout violations
+      @children.hard_kill(@timeout_signal.call(child.pid), child) # take no prisoners for hard timeout violations
     end
 
     def trigger_refork
@@ -563,7 +575,8 @@ module Pitchfork
       # reason it gets stuck before reaching the worker loop,
       # the monitor process will kill it.
       worker.update_deadline(@spawn_timeout)
-      Pitchfork.fork_sibling do
+      @before_fork&.call(self)
+      fork_sibling("spawn_worker") do
         worker.pid = Process.pid
 
         after_fork_internal
@@ -598,6 +611,8 @@ module Pitchfork
         worker = Pitchfork::Worker.new(worker_nr)
 
         if REFORKING_AVAILABLE
+          worker.generation = @children.mold&.generation || 0
+
           unless @children.mold&.spawn_worker(worker)
             @logger.error("Failed to send a spawn_worker command")
           end
@@ -707,6 +722,7 @@ module Pitchfork
 
       proc_name status: "requests: #{worker.requests_count}, processing: #{env["PATH_INFO"]}"
 
+      env["pitchfork.worker"] = worker
       timeout_handler.rack_env = env
       env["pitchfork.timeout"] = timeout_handler
 
@@ -784,15 +800,18 @@ module Pitchfork
       readers << worker
       trap(:QUIT) { nuke_listeners!(readers) }
       trap(:TERM) { nuke_listeners!(readers) }
+      trap(:INT) { nuke_listeners!(readers); exit!(0) }
       readers
     end
 
     def init_mold_process(mold)
-      proc_name role: "(gen:#{mold.generation}) mold", status: "ready"
+      proc_name role: "(gen:#{mold.generation}) mold", status: "init"
       after_mold_fork.call(self, mold)
       readers = [mold]
       trap(:QUIT) { nuke_listeners!(readers) }
       trap(:TERM) { nuke_listeners!(readers) }
+      trap(:INT) { nuke_listeners!(readers); exit!(0) }
+      proc_name role: "(gen:#{mold.generation}) mold", status: "ready"
       readers
     end
 
@@ -831,7 +850,7 @@ module Pitchfork
               case client
               when Message::PromoteWorker
                 if Info.fork_safe?
-                  spawn_mold(worker.generation)
+                  spawn_mold(worker)
                 else
                   logger.error("worker=#{worker.nr} gen=#{worker.generation} is no longer fork safe, can't refork")
                 end
@@ -852,8 +871,8 @@ module Pitchfork
           if @refork_condition && Info.fork_safe? && !worker.outdated?
             if @refork_condition.met?(worker, logger)
               proc_name status: "requests: #{worker.requests_count}, spawning mold"
-              if spawn_mold(worker.generation)
-                logger.info("Refork condition met, promoting ourselves")
+              if spawn_mold(worker)
+                logger.info("worker=#{worker.nr} gen=#{worker.generation} Refork condition met, promoting ourselves")
               end
               @refork_condition.backoff!
             end
@@ -867,13 +886,17 @@ module Pitchfork
       end
     end
 
-    def spawn_mold(current_generation)
+    def spawn_mold(worker)
       return false unless @promotion_lock.try_lock
 
+      worker.update_deadline(@spawn_timeout)
+
+      @before_fork&.call(self)
+
       begin
-        Pitchfork.fork_sibling do
-          mold = Worker.new(nil, pid: Process.pid, generation: current_generation)
-          mold.promote!
+        fork_sibling("spawn_mold") do
+          mold = Worker.new(nil, pid: Process.pid, generation: worker.generation)
+          mold.promote!(@spawn_timeout)
           mold.start_promotion(@control_socket[1])
           mold_loop(mold)
         end
@@ -907,8 +930,18 @@ module Pitchfork
             when false
               # no message, keep looping
             when Message::SpawnWorker
+              retries = 1
               begin
                 spawn_worker(Worker.new(message.nr, generation: mold.generation), detach: true)
+              rescue ForkFailure
+                if retries > 0
+                  @logger.fatal("mold pid=#{mold.pid} gen=#{mold.generation} Failed to spawn a worker. Retrying.")
+                  retries -= 1
+                  retry
+                else
+                  @logger.fatal("mold pid=#{mold.pid} gen=#{mold.generation} Failed to spawn a worker twice in a row. Corrupted mold process?")
+                  Process.exit(1)
+                end
               rescue => error
                 raise BootFailure, error.message
               end
@@ -977,5 +1010,61 @@ module Pitchfork
       handler.timeout_request = SoftTimeout.request(@soft_timeout, handler)
       handler
     end
+
+    FORK_TIMEOUT = 5
+
+    def fork_sibling(role, &block)
+      if REFORKING_AVAILABLE
+        r, w = Pitchfork::Info.keep_ios(IO.pipe)
+        # We double fork so that the new worker is re-attached back
+        # to the master.
+        # This requires either PR_SET_CHILD_SUBREAPER which is exclusive to Linux 3.4
+        # or the master to be PID 1.
+        if middle_pid = FORK_LOCK.synchronize { Process.fork } # parent
+          w.close
+          # We need to wait(2) so that the middle process doesn't end up a zombie.
+          # The process only call fork again an exit so it should be pretty fast.
+          # However it might need to execute some `Process._fork` or `at_exit` callbacks,
+          # as well as Ruby's cleanup procedure to run finalizers etc, and there is a risk
+          # of deadlock.
+          # So in case it takes more than 5 seconds to exit, we kill it.
+          # TODO: rather than to busy loop here, we handle it in the worker/mold loop
+          process_wait_with_timeout(middle_pid, FORK_TIMEOUT)
+          pid_str = r.gets
+          r.close
+          if pid_str
+            Integer(pid_str)
+          else
+            raise ForkFailure, "fork_sibling didn't succeed in #{FORK_TIMEOUT} seconds"
+          end
+        else # first child
+          r.close
+          Process.setproctitle("<pitchfork fork_sibling(#{role})>")
+          pid = Pitchfork.clean_fork do
+            # detach into a grand child
+            w.close
+            yield
+          end
+          w.puts(pid)
+          w.close
+          exit
+        end
+      else
+        Pitchfork.clean_fork(&block)
+      end
+    end
+
+    def process_wait_with_timeout(pid, timeout)
+      (timeout * 50).times do
+        _, status = Process.waitpid2(pid, Process::WNOHANG)
+        return status if status
+        sleep 0.02 # 50 * 20ms => 1s
+      end
+
+      # The process didn't exit in the allotted time, so we kill it.
+      Process.kill(@timeout_signal.call(pid), pid)
+      _, status = Process.waitpid2(pid)
+      status
+    end
   end
 end

data/lib/pitchfork/info.rb

@@ -26,7 +26,7 @@ module Pitchfork
         @map.each_key(&block)
       end
     end
-    
+
     @kept_ios = WeakSet.new
 
     class << self

data/lib/pitchfork/refork_condition.rb

@@ -2,6 +2,12 @@
 
 module Pitchfork
   module ReforkCondition
+    @backoff_delay = 10.0
+
+    class << self
+      attr_accessor :backoff_delay
+    end
+
     class RequestsCount
       def initialize(request_counts)
         @limits = request_counts
@@ -31,7 +37,7 @@ module Pitchfork
         end
       end
 
-      def backoff!(delay = 10.0)
+      def backoff!(delay = ReforkCondition.backoff_delay)
         @backoff_until = Pitchfork.time_now + delay
       end
     end

data/lib/pitchfork/shared_memory.rb

@@ -10,7 +10,8 @@ module Pitchfork
     CURRENT_GENERATION_OFFSET = 0
     SHUTDOWN_OFFSET = 1
     MOLD_TICK_OFFSET = 2
-    WORKER_TICK_OFFSET = 3
+    MOLD_PROMOTION_TICK_OFFSET = 3
+    WORKER_TICK_OFFSET = 4
 
     DROPS = [Raindrops.new(PER_DROP)]
 
@@ -49,6 +50,10 @@ module Pitchfork
       self[MOLD_TICK_OFFSET]
     end
 
+    def mold_promotion_deadline
+      self[MOLD_PROMOTION_TICK_OFFSET]
+    end
+
     def worker_deadline(worker_nr)
       self[WORKER_TICK_OFFSET + worker_nr]
     end

data/lib/pitchfork/version.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 module Pitchfork
-  VERSION = "0.10.0"
+  VERSION = "0.11.1"
   module Const
     UNICORN_VERSION = '6.1.0'
   end

data/lib/pitchfork/worker.rb

@@ -27,7 +27,7 @@ module Pitchfork
         @deadline_drop = SharedMemory.worker_deadline(nr)
         self.deadline = 0
       else
-        promoted!
+        promoted!(nil)
       end
     end
 
@@ -55,6 +55,13 @@ module Pitchfork
       message.class.members.each do |member|
         send("#{member}=", message.public_send(member))
       end
+
+      case message
+      when Message::MoldSpawned
+        @deadline_drop = SharedMemory.mold_promotion_deadline
+      when Message::MoldReady
+        @deadline_drop = SharedMemory.mold_deadline
+      end
     end
 
     def register_to_master(control_socket)
@@ -75,6 +82,7 @@ module Pitchfork
       message = Message::MoldReady.new(@nr, @pid, generation)
       control_socket.sendmsg(message)
       SharedMemory.current_generation = @generation
+      @deadline_drop = SharedMemory.mold_deadline
     end
 
     def promote(generation)
@@ -85,16 +93,16 @@ module Pitchfork
       send_message_nonblock(Message::SpawnWorker.new(new_worker.nr))
     end
 
-    def promote!
+    def promote!(timeout)
       @generation += 1
-      promoted!
+      promoted!(timeout)
     end
 
-    def promoted!
+    def promoted!(timeout)
       @mold = true
       @nr = nil
-      @deadline_drop = SharedMemory.mold_deadline
-      self.deadline = 0
+      @deadline_drop = SharedMemory.mold_promotion_deadline
+      update_deadline(timeout) if timeout
       self
     end
 
@@ -143,10 +151,6 @@ module Pitchfork
       Process.kill(sig, pid)
     end
 
-    def hard_timeout!
-      hard_kill(:KILL)
-    end
-
     # this only runs when the Rack app.call is not running
     # act like a listener
     def accept_nonblock(exception: nil) # :nodoc:

data/lib/pitchfork.rb

@@ -33,6 +33,7 @@ module Pitchfork
   ClientShutdown = Class.new(EOFError)
 
   BootFailure = Class.new(StandardError)
+  ForkFailure = Class.new(StandardError)
 
   # :stopdoc:
 
@@ -196,43 +197,6 @@ module Pitchfork
       end
     end
 
-    def fork_sibling(&block)
-      if REFORKING_AVAILABLE
-        # We double fork so that the new worker is re-attached back
-        # to the master.
-        # This requires either PR_SET_CHILD_SUBREAPER which is exclusive to Linux 3.4
-        # or the master to be PID 1.
-        if middle_pid = FORK_LOCK.synchronize { Process.fork } # parent
-          # We need to wait(2) so that the middle process doesn't end up a zombie.
-          # The process only call fork again an exit so it should be pretty fast.
-          # However it might need to execute some `Process._fork` or `at_exit` callbacks,
-          # so it case it takes more than 5 seconds to exit, we kill it with SIGBUS
-          # to produce a crash report, as this is indicative of a nasty bug.
-          process_wait_with_timeout(middle_pid, 5, :BUS)
-        else # first child
-          Process.setproctitle("<pitchfork fork_sibling>")
-          clean_fork(&block) # detach into a grand child
-          exit
-        end
-      else
-        clean_fork(&block)
-      end
-
-      nil # it's tricky to return the PID
-    end
-
-    def process_wait_with_timeout(pid, timeout, timeout_signal = :KILL)
-      (timeout * 200).times do
-        status = Process.wait(pid, Process::WNOHANG)
-        return status if status
-        sleep 0.005 # 200 * 5ms => 1s
-      end
-
-      # The process didn't exit in the allotted time, so we kill it.
-      Process.kill(timeout_signal, pid)
-      Process.wait(pid)
-    end
-
     def time_now(int = false)
       Process.clock_gettime(Process::CLOCK_MONOTONIC, int ? :second : :float_second)
     end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: pitchfork
 version: !ruby/object:Gem::Version
-  version: 0.10.0
+  version: 0.11.1
 platform: ruby
 authors:
 - Jean Boussier
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2023-11-02 00:00:00.000000000 Z
+date: 2024-03-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: raindrops
@@ -138,7 +138,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.10
+rubygems_version: 3.5.5
 signing_key:
 specification_version: 4
 summary: Rack HTTP server for fast clients and Unix