Skip to content

Fix #10968: spawnProcess fails when RLIMIT_NOFILE exceeds int.max#10969

Open
Poita wants to merge 8 commits into
dlang:masterfrom
Poita:fix-unlimited-fd-limit
Open

Fix #10968: spawnProcess fails when RLIMIT_NOFILE exceeds int.max#10969
Poita wants to merge 8 commits into
dlang:masterfrom
Poita:fix-unlimited-fd-limit

Conversation

@Poita
Copy link
Copy Markdown
Contributor

@Poita Poita commented Mar 5, 2026
edited
Loading

Fix #10968

Summary

When RLIMIT_NOFILE is unlimited or exceeds int.max, spawnProcess fails with "Cannot allocate memory" due to integer overflow in the fd-closing code after fork().

Changes

  • Use long instead of cast(int) for maxDescriptors to preserve the actual rlim_cur value
  • Always try /dev/fd (or /proc/self/fd) enumeration first, regardless of the limit value — this is the most efficient path and avoids the malloc entirely
  • Cap the brute-force fallback to 1M descriptors when the limit is huge
  • Add unittest that sets RLIMIT_NOFILE above int.max and verifies process spawning works

Root cause

cast(int) of RLIM_INFINITY (2^63-1) wraps to -1, which:

  1. Skips the /dev/fd enumeration path (since -1 < 128K)
  2. Falls into the poll() path which tries to malloc a huge buffer and fails

Testing

  • Standalone test confirms the bug reproduces with the system std.process and passes with the fix
  • Added in-tree unittest for regression coverage

Poita and others added 2 commits March 5, 2026 08:30
@Poita @claude
Fix process spawning failure when RLIMIT_NOFILE is unlimited
0269641 
When RLIMIT_NOFILE is set to unlimited (RLIM_INFINITY), r.rlim_cur is
a huge value (e.g. 2^63-1). The cast(int) on this value wraps to -1,
which causes the /dev/fd fast path to be skipped (since -1 < 128K)
and the poll() path to attempt a massive malloc that fails.

This manifests as "Failed to allocate memory (Cannot allocate memory)"
on any process spawn, making dub completely unusable on systems with
unlimited file descriptor limits (common on macOS).

Fix by:
- Using long instead of cast(int) for maxDescriptors
- Always trying /dev/fd enumeration first (it's the most efficient
  path and works regardless of the limit value)
- Capping the slow close() fallback to 1M descriptors to avoid
  iterating over billions when the limit is huge

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@Poita @claude
Add unittest for process spawning with large RLIMIT_NOFILE
8611dbb 
Regression test that sets RLIMIT_NOFILE above int.max and verifies
process spawning still works. Without the previous fix, this triggers
"Failed to allocate memory" due to integer overflow in the fd-closing
code.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@dlang-bot
Copy link
Copy Markdown
Contributor

dlang-bot commented Mar 5, 2026

Thanks for your pull request and interest in making D better, @Poita! We are looking forward to reviewing it, and you should be hearing from a maintainer soon.
Please verify that your PR follows this checklist:

  • My PR is fully covered with tests (you can see the coverage diff by visiting the details link of the codecov check)
  • My PR is as minimal as possible (smaller, focused PRs are easier to review than big ones)
  • I have provided a detailed rationale explaining my changes
  • New or modified functions have Ddoc comments (with Params: and Returns:)

Please see CONTRIBUTING.md for more information.

If you have addressed all reviews or aren't sure how to proceed, don't hesitate to ping us with a simple comment.

Bugzilla references

Your PR doesn't reference any Bugzilla issue.

If your PR contains non-trivial changes, please reference a Bugzilla issue or create a manual changelog.

Testing this PR locally

If you don't have a local development environment setup, you can use Digger to test this PR:

dub run digger -- build "master + phobos#10969"

@Poita Poita marked this pull request as ready for review March 5, 2026 12:04
@0xEAB 0xEAB linked an issue Mar 5, 2026 that may be closed by this pull request
std.process.spawnProcess fails if ulimit is too large #10515
Open
0xEAB
0xEAB reviewed Mar 6, 2026
View reviewed changes
Comment thread std/process.d
Comment thread std/process.d Outdated
ibuclaw
ibuclaw reviewed Mar 6, 2026
View reviewed changes
Comment thread std/process.d Outdated
@Poita
Address review feedback on PR dlang#10969
bc0204b 
- Drop explicit `long` type, use inferred type from r.rlim_cur (0xEAB)
- Revert else+if merge back to original else { if ... } structure (0xEAB)
- Guard test with static if (rlim_t.sizeof > int.sizeof) for platform
  safety, and use cast(rlim_t) instead of cast(ulong) (ibuclaw)
0xEAB
0xEAB reviewed Mar 6, 2026
View reviewed changes
Comment thread std/process.d Outdated
0xEAB
0xEAB reviewed Mar 8, 2026
View reviewed changes
Comment thread std/process.d
@Poita
Copy link
Copy Markdown
Contributor Author

Poita commented May 30, 2026

Friendly bump on this one. Would be really nice to be able to use dub with ghostty on Mac without having to workaround. It's a very bad initial experience for anyone trying D on Mac that happens to use ghostty.

@Poita @claude
Explain origin of the 1_048_576 fd-close cap
7a95d7a 
Address review feedback on PR dlang#10969: document why the slow-path
fallback caps descriptor closing at 1_048_576 (2^20) — it is a
deliberately arbitrary 'sane limit' for an essentially-never-taken
path, bounding the worst case when rlim_cur is huge or unlimited.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@0xEAB 0xEAB requested a review from ibuclaw May 30, 2026 20:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@0xEAB 0xEAB 0xEAB left review comments

@CyberShadow CyberShadow Awaiting requested review from CyberShadow CyberShadow is a code owner

@schveiguy schveiguy Awaiting requested review from schveiguy schveiguy is a code owner

@ibuclaw ibuclaw Awaiting requested review from ibuclaw

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

Severity:Bug Fix

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

std.process.spawnProcess fails if ulimit is too large std.process: spawnProcess fails with "Cannot allocate memory" when RLIMIT_NOFILE is unlimited

4 participants

@Poita @dlang-bot @ibuclaw @0xEAB