I've been studying the documentation of S6. I see that s6-svscan has been designed so that it can run as init (PID==1), and there's a note that most opendir() implementations use malloc, so it may be possible to leak memory.

 No, that's not what I wrote.
 I wrote that s6-svscan will never leak memory, and I stand by it.
 I also wrote is that it's impossible to guarantee that s6-svscan does
not use heap memory at all, because opendir() uses heap memory. But it
does not mean it leaks it.

 Unless, of course, the libc manages to botch opendir/readdir/closedir,
but those are simple functions and I don't know of a libc that does not
get them right.

To protect against this I'm pondering to use suckless init (sinit) as PID 1, and have it spawn something supervising s6-svscan. My understanding is
that sinit won't be able to leak memory in userspace.

 Don't. sinit is not a correct init: it does not supervise any process.
If you kill -9 -1, then exit your shell, sinit is unable to give you back a way of recovering your system and you have effectively bricked it - and
need a hard, physical reboot (and your filesystems will be dirty).

If a suitable sinit -> supervisor -> s6-svscan chain could be made, it
takes a little extra memory and boot-up time, but should mean that if
opendir() leaks memory an s6-svscan dies, then the leaked memory will be
recovered and the supervisor could restart s6-svscan.

 sinit will not respawn s6-svscan if it dies.
 Check it: http://git.suckless.org/sinit/tree/sinit.c

I think it would be worth the trade-off of always using a little extra
resources to get the extra protection. Does it seem wise? Am I overlooking
things or misunderstanding things?

If it makes a difference I plan to use musl libc.

If you are looking to get theoretical correctness, sinit is not what you
want anymore than s6-svscan. Even runit is not (it assumes that you want
to start stage 3 as soon as stage 2 dies, even if it crashed).

 If you are looking to get a working system, you will have no problem
using s6-svscan as process 1, because there will be no memory leak.
If you are using musl, it's easy to check:

 So: don't worry, be happy.


Reply via email to