Comments on: Ride on a White Horse

by: Jonathan Allen

Tue, 25 Jul 2006 17:41:19 +0000

I am not arguing that your code isn’t more robust. Rather, I am suggesting that it is solving the wrong problem.

While your solution does help somewhat, it doesn’t solve the underlying problem of other programs messing with your directories. Solve that, and your solution becomes moot.

by: Raphaël Quinet

Mon, 24 Jul 2006 19:42:19 +0000

It would be more precise to say “did indeed exist at the moment of the syscall”. Someone might have deleted it since then.

It is harder to exploit a race condition requiring the deletion and re-creation of a directory.

If the parent directory has the “sticky bit” set (like for /tmp), then it will not be possible for other users to delete or rename that sub-directory, so the operation is safe.

by: Marius Gedminas

Mon, 24 Jul 2006 18:59:23 +0000

At the end of the if block we are guaranteed that the file or the directory does indeed exist […]

It would be more precise to say “did indeed exist at the moment of the syscall”. Someone might have deleted it since then.

Nevertheless your code is more reliable than the original one.

by: ebassi

Mon, 24 Jul 2006 18:36:29 +0000

sorry - I must be on crack. my code does not have the race condition: if the syscall fails, then we are inside the error trap and we can gracefully exit; if the syscall succeds then we are safe.

the race condition of the test-then-do code is that there’s a gap between the test and the actual syscall; trapping the error when the test fails is much more harder and makes the code uglier (you have to check twice: one for the test and one for the syscall).

by: ebassi

Mon, 24 Jul 2006 18:10:07 +0000

jonathan: while it’s true that there can be a race inverse to the one that I exposed, the code is nevertheless more robust: the check-then-do moves the burden to userspace and the programmer, while the do-then-deal-with-error moves the burden to the kernel.

and trying to create a directory and failing is, at most, going to cost you the same as the stat() that g_file_test() performs, only that - if the underlying C library is doing thinks right - you get one less indirection (mkdir -> return EEXIST vs. g_file_test -> stat -> check against flags -> return).

by: Jonathan Allen

Mon, 24 Jul 2006 17:47:54 +0000

Your solution to what you call an “implicit race condition” is wrong.

While it is true that someone can come in during that split second and create the directory, they can also delete that directory immediately after you create it. Thus you have not fixed anything.

The correct solution is to create a private directory system that your program controls. Sure there is no guarantee that a rogue program isn’t going to damage your program’s bit of the file system, but this gets you a lot closer than trying to perform atomic directory creation.

Also, what is the cost of trying and failing to create a directory versus just checking to see if it exists? In order to show your solution doesn’t cause more harm than good, you need to investigate that aspect.