Fix supervisor race condition on Windows trampoline bounce

[zanieb]

Create trampoline children with CREATE_SUSPENDED, assign them to the supervisor job object, then resume the primary thread. This avoids a post-spawn assignment race for short-lived child processes.

Hopefully, this addresses a bug observed as a CI flake where python_upgrade_transparent_from_venv_preview failed with:

  error: uv trampoline failed to assign child process to job object                                     
    Caused by: failed to assign process to job object (os error -2147024891)                            

[EliteTK]

I am not a fan of this code, but that's not this PR's fault.

We actually don't care if the child dies before we add it to the job object, and an easier fix here would just be to ignore that case.

But! This does fix another race, which is the one where we spawn the process and we get killed before we add the child to the job object. And that's definitely a win.

[EliteTK]

Actually, never mind, I can't find anything that explains what happens if we die while we have a suspended child... So this might mean we leave a suspended child lying around forever.

So maybe the best solution for now is to ignore that error... At least then we can't leak a permanently suspended process.

[EliteTK]

Found https://devblogs.microsoft.com/oldnewthing/20230209-00/?p=107812 . Apparently we want PROC_THREAD_ATTRIBUTE_JOB_LIST. It's windows 10+ only though. Not sure if we care about supporting anything older as even Windows 10 is now out of support?

Some enterprises may still be running earlier versions either in locked down environments or using extended support patchsets.

[EliteTK]

I wonder if we can add ourselves to the job object and then spawn the child. Normally this isn't what you want since you'd be restricting yourself somehow in some way which you don't intend, but in this case it seems like it wouldn't have any unintended impact.

If we are already in a job and it's pre windows 8 then assigning ourselves to another job would fail, but we already have that problem with the existing code since the child will inherit any job we're in.

[EliteTK]

A nitpick: I would drop this bit after the comma. It's somewhat unbefitting a function doc comment to attempt to document the call site.

[EliteTK]

If there is an error and it's not ERROR_INSUFFICIENT_BUFFER then I don't think we can assume that attr_list_size hasn't been modified to some nonsensical value. We should actually explicitly check that the error was the expected one rather than relying on attr_list_size being non-zero.

[EliteTK]

I could be wrong but if we're allocating for u8 then rust only guarantees that the resulting buffer is aligned for u8 at best? Is it safe to cast this to a type with potentially stricter alignment requirements here?

[zanieb]

Suggested change

	// SAFETY: layout has non-zero size (attr_list_size comes from InitializeProcThreadAttributeList).
	// SAFETY: layout has non-zero size (attr_list_size comes from InitializeProcThreadAttributeList).

[zanieb]

Can we avoid variables like si? Use a clear name

[samypr100]

Agreed. Name originally mimicked distlib's launcher.c

[zanieb]

What does it mean that this may fail at any point?

Why is this a separate function at all?

[zanieb]

This comment is confusing

[zanieb]

What is the first point at which this would fail? Won't that tell us if the attribute list API is supported and everything after that should be an error instead of None?

[zanieb]

Suggested change

	// Try the race-free path first: spawn the child directly into the job using
	// PROC_THREAD_ATTRIBUTE_JOB_LIST (Windows 10+). If that's not available,
	// fall back to spawning normally and assigning afterward.
	let child_handle = spawn_child_in_job(&si, child_cmdline.clone(), &job)
	.unwrap_or_else(|| spawn_child_and_assign_to_job(&si, child_cmdline, &job));
	let child_handle = spawn_child_in_job(&si, child_cmdline.clone(), &job)
	// If the Windows 10 API is not available, fallback to the mode that can race
	.unwrap_or_else(|| spawn_child_and_assign_to_job(&si, child_cmdline, &job));

[samypr100]

Found https://devblogs.microsoft.com/oldnewthing/20230209-00/?p=107812 . Apparently we want PROC_THREAD_ATTRIBUTE_JOB_LIST. It's windows 10+ only though. Not sure if we care about supporting anything older as even Windows 10 is now out of support?

One consequence of this approach is that it moves us much further away from matching distlib's approach in launcher.c or cpython's launcher2.c.

The blog post highlights a scenario which I think doesn't exactly apply since in distlib AssignProcessToJobObject is a best-effort attempt, which is why I believe distlib's approach doesn't use suspend either. The attribute list approach can also fail depending on existing nested jobs and parent state (which is a possibility with the flake).

Was the goal of this PR to try to reduce the risk of failure or enforcement? I'd be curious has this flake occured before or is it after the recent trampoline changes.

If the goal was to reduce risk of failure, I think a smaller simpler change as seen below be a better first step instead, e.g.

-    if let Err(e) = unsafe { job.assign_process(child_handle) } {
-        print_job_error_and_exit(
-            "uv trampoline failed to assign child process to job object",
-            e,
-        );
-    }
+    if let Err(e) = unsafe { job.assign_process(child_handle) } {
+        warn!(
+            "uv trampoline failed to assign child process to job object\n  Caused by: {} (os error {})"
+            e.message(),
+            e.code(),
+        );
+    }

This is permissive, matches distlib more closely, and job assignment will still in most cases work.

[codspeed-hq]

Merging this PR will not alter performance

✅ 5 untouched benchmarks

---

_{Comparing zb/fix-bounce-race-ii (9b01d99) with main (2591bfb)}

[zanieb]

We decided on #18291 instead for now