Provided by: manpages-posix-dev_2017a-2_all 
PROLOG
This manual page is part of the POSIX Programmer's Manual. The Linux implementation of this interface
may differ (consult the corresponding Linux manual page for details of Linux behavior), or the interface
may not be implemented on Linux.
NAME
posix_spawn, posix_spawnp — spawn a process (ADVANCED REALTIME)
SYNOPSIS
#include <spawn.h>
int posix_spawn(pid_t *restrict pid, const char *restrict path,
const posix_spawn_file_actions_t *file_actions,
const posix_spawnattr_t *restrict attrp,
char *const argv[restrict], char *const envp[restrict]);
int posix_spawnp(pid_t *restrict pid, const char *restrict file,
const posix_spawn_file_actions_t *file_actions,
const posix_spawnattr_t *restrict attrp,
char *const argv[restrict], char *const envp[restrict]);
DESCRIPTION
The posix_spawn() and posix_spawnp() functions shall create a new process (child process) from the
specified process image. The new process image shall be constructed from a regular executable file called
the new process image file.
When a C program is executed as the result of this call, it shall be entered as a C-language function
call as follows:
int main(int argc, char *argv[]);
where argc is the argument count and argv is an array of character pointers to the arguments themselves.
In addition, the following variable:
extern char **environ;
shall be initialized as a pointer to an array of character pointers to the environment strings.
The argument argv is an array of character pointers to null-terminated strings. The last member of this
array shall be a null pointer and is not counted in argc. These strings constitute the argument list
available to the new process image. The value in argv[0] should point to a filename string that is
associated with the process image being started by the posix_spawn() or posix_spawnp() function.
The argument envp is an array of character pointers to null-terminated strings. These strings constitute
the environment for the new process image. The environment array is terminated by a null pointer.
The number of bytes available for the combined argument and environment lists of the child process is
{ARG_MAX}. The implementation shall specify in the system documentation (see the Base Definitions volume
of POSIX.1‐2017, Chapter 2, Conformance) whether any list overhead, such as length words, null
terminators, pointers, or alignment bytes, is included in this total.
The path argument to posix_spawn() is a pathname that identifies the new process image file to execute.
The file parameter to posix_spawnp() shall be used to construct a pathname that identifies the new
process image file. If the file parameter contains a <slash> character, the file parameter shall be used
as the pathname for the new process image file. Otherwise, the path prefix for this file shall be
obtained by a search of the directories passed as the environment variable PATH (see the Base Definitions
volume of POSIX.1‐2017, Chapter 8, Environment Variables). If this environment variable is not defined,
the results of the search are implementation-defined.
If file_actions is a null pointer, then file descriptors open in the calling process shall remain open in
the child process, except for those whose close-on-exec flag FD_CLOEXEC is set (see fcntl()). For those
file descriptors that remain open, the child process shall not inherit any file locks, but all remaining
attributes of the corresponding open file descriptions (see fcntl()), shall remain unchanged.
If file_actions is not NULL, then the file descriptors open in the child process shall be those open in
the calling process as modified by the spawn file actions object pointed to by file_actions and the
FD_CLOEXEC flag of each remaining open file descriptor after the spawn file actions have been processed.
The effective order of processing the spawn file actions shall be:
1. The set of open file descriptors for the child process shall initially be the same set as is open for
the calling process. The child process shall not inherit any file locks, but all remaining attributes
of the corresponding open file descriptions (see fcntl()), shall remain unchanged.
2. The signal mask, signal default actions, and the effective user and group IDs for the child process
shall be changed as specified in the attributes object referenced by attrp.
3. The file actions specified by the spawn file actions object shall be performed in the order in which
they were added to the spawn file actions object.
4. Any file descriptor that has its FD_CLOEXEC flag set (see fcntl()) shall be closed.
If file descriptor 0, 1, or 2 would otherwise be closed in the new process image created by posix_spawn()
or posix_spawnp(), implementations may open an unspecified file for the file descriptor in the new
process image. If a standard utility or a conforming application is executed with file descriptor 0 not
open for reading or with file descriptor 1 or 2 not open for writing, the environment in which the
utility or application is executed shall be deemed non-conforming, and consequently the utility or
application might not behave as described in this standard.
The posix_spawnattr_t spawn attributes object type is defined in <spawn.h>. It shall contain at least
the attributes defined below.
If the POSIX_SPAWN_SETPGROUP flag is set in the spawn-flags attribute of the object referenced by attrp,
and the spawn-pgroup attribute of the same object is non-zero, then the child's process group shall be as
specified in the spawn-pgroup attribute of the object referenced by attrp.
As a special case, if the POSIX_SPAWN_SETPGROUP flag is set in the spawn-flags attribute of the object
referenced by attrp, and the spawn-pgroup attribute of the same object is set to zero, then the child
shall be in a new process group with a process group ID equal to its process ID.
If the POSIX_SPAWN_SETPGROUP flag is not set in the spawn-flags attribute of the object referenced by
attrp, the new child process shall inherit the parent's process group.
If the POSIX_SPAWN_SETSCHEDPARAM flag is set in the spawn-flags attribute of the object referenced by
attrp, but POSIX_SPAWN_SETSCHEDULER is not set, the new process image shall initially have the scheduling
policy of the calling process with the scheduling parameters specified in the spawn-schedparam attribute
of the object referenced by attrp.
If the POSIX_SPAWN_SETSCHEDULER flag is set in the spawn-flags attribute of the object referenced by
attrp (regardless of the setting of the POSIX_SPAWN_SETSCHEDPARAM flag), the new process image shall
initially have the scheduling policy specified in the spawn-schedpolicy attribute of the object
referenced by attrp and the scheduling parameters specified in the spawn-schedparam attribute of the same
object.
The POSIX_SPAWN_RESETIDS flag in the spawn-flags attribute of the object referenced by attrp governs the
effective user ID of the child process. If this flag is not set, the child process shall inherit the
effective user ID of the parent process. If this flag is set, the effective user ID of the child process
shall be reset to the parent's real user ID. In either case, if the set-user-ID mode bit of the new
process image file is set, the effective user ID of the child process shall become that file's owner ID
before the new process image begins execution.
The POSIX_SPAWN_RESETIDS flag in the spawn-flags attribute of the object referenced by attrp also governs
the effective group ID of the child process. If this flag is not set, the child process shall inherit the
effective group ID of the parent process. If this flag is set, the effective group ID of the child
process shall be reset to the parent's real group ID. In either case, if the set-group-ID mode bit of the
new process image file is set, the effective group ID of the child process shall become that file's group
ID before the new process image begins execution.
If the POSIX_SPAWN_SETSIGMASK flag is set in the spawn-flags attribute of the object referenced by attrp,
the child process shall initially have the signal mask specified in the spawn-sigmask attribute of the
object referenced by attrp.
If the POSIX_SPAWN_SETSIGDEF flag is set in the spawn-flags attribute of the object referenced by attrp,
the signals specified in the spawn-sigdefault attribute of the same object shall be set to their default
actions in the child process. Signals set to the default action in the parent process shall be set to the
default action in the child process.
Signals set to be caught by the calling process shall be set to the default action in the child process.
Except for SIGCHLD, signals set to be ignored by the calling process image shall be set to be ignored by
the child process, unless otherwise specified by the POSIX_SPAWN_SETSIGDEF flag being set in the spawn-
flags attribute of the object referenced by attrp and the signals being indicated in the spawn-sigdefault
attribute of the object referenced by attrp.
If the SIGCHLD signal is set to be ignored by the calling process, it is unspecified whether the SIGCHLD
signal is set to be ignored or to the default action in the child process, unless otherwise specified by
the POSIX_SPAWN_SETSIGDEF flag being set in the spawn_flags attribute of the object referenced by attrp
and the SIGCHLD signal being indicated in the spawn_sigdefault attribute of the object referenced by
attrp.
If the value of the attrp pointer is NULL, then the default values are used.
All process attributes, other than those influenced by the attributes set in the object referenced by
attrp as specified above or by the file descriptor manipulations specified in file_actions, shall appear
in the new process image as though fork() had been called to create a child process and then a member of
the exec family of functions had been called by the child process to execute the new process image.
It is implementation-defined whether the fork handlers are run when posix_spawn() or posix_spawnp() is
called.
RETURN VALUE
Upon successful completion, posix_spawn() and posix_spawnp() shall return the process ID of the child
process to the parent process, in the variable pointed to by a non-NULL pid argument, and shall return
zero as the function return value. Otherwise, no child process shall be created, the value stored into
the variable pointed to by a non-NULL pid is unspecified, and an error number shall be returned as the
function return value to indicate the error. If the pid argument is a null pointer, the process ID of the
child is not returned to the caller.
ERRORS
These functions may fail if:
EINVAL The value specified by file_actions or attrp is invalid.
If this error occurs after the calling process successfully returns from the posix_spawn() or
posix_spawnp() function, the child process may exit with exit status 127.
If posix_spawn() or posix_spawnp() fail for any of the reasons that would cause fork() or one of the exec
family of functions to fail, an error value shall be returned as described by fork() and exec,
respectively (or, if the error occurs after the calling process successfully returns, the child process
shall exit with exit status 127).
If POSIX_SPAWN_SETPGROUP is set in the spawn-flags attribute of the object referenced by attrp, and
posix_spawn() or posix_spawnp() fails while changing the child's process group, an error value shall be
returned as described by setpgid() (or, if the error occurs after the calling process successfully
returns, the child process shall exit with exit status 127).
If POSIX_SPAWN_SETSCHEDPARAM is set and POSIX_SPAWN_SETSCHEDULER is not set in the spawn-flags attribute
of the object referenced by attrp, then if posix_spawn() or posix_spawnp() fails for any of the reasons
that would cause sched_setparam() to fail, an error value shall be returned as described by
sched_setparam() (or, if the error occurs after the calling process successfully returns, the child
process shall exit with exit status 127).
If POSIX_SPAWN_SETSCHEDULER is set in the spawn-flags attribute of the object referenced by attrp, and if
posix_spawn() or posix_spawnp() fails for any of the reasons that would cause sched_setscheduler() to
fail, an error value shall be returned as described by sched_setscheduler() (or, if the error occurs
after the calling process successfully returns, the child process shall exit with exit status 127).
If the file_actions argument is not NULL, and specifies any close, dup2, or open actions to be performed,
and if posix_spawn() or posix_spawnp() fails for any of the reasons that would cause close(), dup2(), or
open() to fail, an error value shall be returned as described by close(), dup2(), and open(),
respectively (or, if the error occurs after the calling process successfully returns, the child process
shall exit with exit status 127). An open file action may, by itself, result in any of the errors
described by close() or dup2(), in addition to those described by open().
The following sections are informative.
EXAMPLES
None.
APPLICATION USAGE
These functions are part of the Spawn option and need not be provided on all implementations.
See also the APPLICATION USAGE section for exec.
RATIONALE
The posix_spawn() function and its close relation posix_spawnp() have been introduced to overcome the
following perceived difficulties with fork(): the fork() function is difficult or impossible to implement
without swapping or dynamic address translation.
* Swapping is generally too slow for a realtime environment.
* Dynamic address translation is not available everywhere that POSIX might be useful.
* Processes are too useful to simply option out of POSIX whenever it must run without address
translation or other MMU services.
Thus, POSIX needs process creation and file execution primitives that can be efficiently implemented
without address translation or other MMU services.
The posix_spawn() function is implementable as a library routine, but both posix_spawn() and
posix_spawnp() are designed as kernel operations. Also, although they may be an efficient replacement for
many fork()/exec pairs, their goal is to provide useful process creation primitives for systems that have
difficulty with fork(), not to provide drop-in replacements for fork()/exec.
This view of the role of posix_spawn() and posix_spawnp() influenced the design of their API. It does not
attempt to provide the full functionality of fork()/exec in which arbitrary user-specified operations of
any sort are permitted between the creation of the child process and the execution of the new process
image; any attempt to reach that level would need to provide a programming language as parameters.
Instead, posix_spawn() and posix_spawnp() are process creation primitives like the Start_Process and
Start_Process_Search Ada language bindings package POSIX_Process_Primitives and also like those in many
operating systems that are not UNIX systems, but with some POSIX-specific additions.
To achieve its coverage goals, posix_spawn() and posix_spawnp() have control of six types of inheritance:
file descriptors, process group ID, user and group ID, signal mask, scheduling, and whether each signal
ignored in the parent will remain ignored in the child, or be reset to its default action in the child.
Control of file descriptors is required to allow an independently written child process image to access
data streams opened by and even generated or read by the parent process without being specifically coded
to know which parent files and file descriptors are to be used. Control of the process group ID is
required to control how the job control of the child process relates to that of the parent.
Control of the signal mask and signal defaulting is sufficient to support the implementation of system().
Although support for system() is not explicitly one of the goals for posix_spawn() and posix_spawnp(), it
is covered under the ``at least 50%'' coverage goal.
The intention is that the normal file descriptor inheritance across fork(), the subsequent effect of the
specified spawn file actions, and the normal file descriptor inheritance across one of the exec family of
functions should fully specify open file inheritance. The implementation need make no decisions regarding
the set of open file descriptors when the child process image begins execution, those decisions having
already been made by the caller and expressed as the set of open file descriptors and their FD_CLOEXEC
flags at the time of the call and the spawn file actions object specified in the call. We have been
assured that in cases where the POSIX Start_Process Ada primitives have been implemented in a library,
this method of controlling file descriptor inheritance may be implemented very easily.
We can identify several problems with posix_spawn() and posix_spawnp(), but there does not appear to be a
solution that introduces fewer problems. Environment modification for child process attributes not
specifiable via the attrp or file_actions arguments must be done in the parent process, and since the
parent generally wants to save its context, it is more costly than similar functionality with
fork()/exec. It is also complicated to modify the environment of a multi-threaded process temporarily,
since all threads must agree when it is safe for the environment to be changed. However, this cost is
only borne by those invocations of posix_spawn() and posix_spawnp() that use the additional
functionality. Since extensive modifications are not the usual case, and are particularly unlikely in
time-critical code, keeping much of the environment control out of posix_spawn() and posix_spawnp() is
appropriate design.
The posix_spawn() and posix_spawnp() functions do not have all the power of fork()/exec. This is to be
expected. The fork() function is a wonderfully powerful operation. We do not expect to duplicate its
functionality in a simple, fast function with no special hardware requirements. It is worth noting that
posix_spawn() and posix_spawnp() are very similar to the process creation operations on many operating
systems that are not UNIX systems.
Requirements
The requirements for posix_spawn() and posix_spawnp() are:
* They must be implementable without an MMU or unusual hardware.
* They must be compatible with existing POSIX standards.
Additional goals are:
* They should be efficiently implementable.
* They should be able to replace at least 50% of typical executions of fork().
* A system with posix_spawn() and posix_spawnp() and without fork() should be useful, at least for
realtime applications.
* A system with fork() and the exec family should be able to implement posix_spawn() and posix_spawnp()
as library routines.
Two-Syntax
POSIX exec has several calling sequences with approximately the same functionality. These appear to be
required for compatibility with existing practice. Since the existing practice for the posix_spawn*()
functions is otherwise substantially unlike POSIX, we feel that simplicity outweighs compatibility. There
are, therefore, only two names for the posix_spawn*() functions.
The parameter list does not differ between posix_spawn() and posix_spawnp(); posix_spawnp() interprets
the second parameter more elaborately than posix_spawn().
Compatibility with POSIX.5 (Ada)
The Start_Process and Start_Process_Search procedures from the POSIX_Process_Primitives package from the
Ada language binding to POSIX.1 encapsulate fork() and exec functionality in a manner similar to that of
posix_spawn() and posix_spawnp(). Originally, in keeping with our simplicity goal, the standard
developers had limited the capabilities of posix_spawn() and posix_spawnp() to a subset of the
capabilities of Start_Process and Start_Process_Search; certain non-default capabilities were not
supported. However, based on suggestions by the ballot group to improve file descriptor mapping or drop
it, and on the advice of an Ada Language Bindings working group member, the standard developers decided
that posix_spawn() and posix_spawnp() should be sufficiently powerful to implement Start_Process and
Start_Process_Search. The rationale is that if the Ada language binding to such a primitive had already
been approved as an IEEE standard, there can be little justification for not approving the functionally-
equivalent parts of a C binding. The only three capabilities provided by posix_spawn() and posix_spawnp()
that are not provided by Start_Process and Start_Process_Search are optionally specifying the child's
process group ID, the set of signals to be reset to default signal handling in the child process, and the
child's scheduling policy and parameters.
For the Ada language binding for Start_Process to be implemented with posix_spawn(), that binding would
need to explicitly pass an empty signal mask and the parent's environment to posix_spawn() whenever the
caller of Start_Process allowed these arguments to default, since posix_spawn() does not provide such
defaults. The ability of Start_Process to mask user-specified signals during its execution is
functionally unique to the Ada language binding and must be dealt with in the binding separately from the
call to posix_spawn().
Process Group
The process group inheritance field can be used to join the child process with an existing process group.
By assigning a value of zero to the spawn-pgroup attribute of the object referenced by attrp, the
setpgid() mechanism will place the child process in a new process group.
Threads
Without the posix_spawn() and posix_spawnp() functions, systems without address translation can still use
threads to give an abstraction of concurrency. In many cases, thread creation suffices, but it is not
always a good substitute. The posix_spawn() and posix_spawnp() functions are considerably ``heavier''
than thread creation. Processes have several important attributes that threads do not. Even without
address translation, a process may have base-and-bound memory protection. Each process has a process
environment including security attributes and file capabilities, and powerful scheduling attributes.
Processes abstract the behavior of non-uniform-memory-architecture multi-processors better than threads,
and they are more convenient to use for activities that are not closely linked.
The posix_spawn() and posix_spawnp() functions may not bring support for multiple processes to every
configuration. Process creation is not the only piece of operating system support required to support
multiple processes. The total cost of support for multiple processes may be quite high in some
circumstances. Existing practice shows that support for multiple processes is uncommon and threads are
common among ``tiny kernels''. There should, therefore, probably continue to be AEPs for operating
systems with only one process.
Asynchronous Error Notification
A library implementation of posix_spawn() or posix_spawnp() may not be able to detect all possible errors
before it forks the child process. POSIX.1‐2008 provides for an error indication returned from a child
process which could not successfully complete the spawn operation via a special exit status which may be
detected using the status value returned by wait(), waitid(), and waitpid().
The stat_val interface and the macros used to interpret it are not well suited to the purpose of
returning API errors, but they are the only path available to a library implementation. Thus, an
implementation may cause the child process to exit with exit status 127 for any error detected during the
spawn process after the posix_spawn() or posix_spawnp() function has successfully returned.
The standard developers had proposed using two additional macros to interpret stat_val. The first,
WIFSPAWNFAIL, would have detected a status that indicated that the child exited because of an error
detected during the posix_spawn() or posix_spawnp() operations rather than during actual execution of the
child process image; the second, WSPAWNERRNO, would have extracted the error value if WIFSPAWNFAIL
indicated a failure. Unfortunately, the ballot group strongly opposed this because it would make a
library implementation of posix_spawn() or posix_spawnp() dependent on kernel modifications to waitpid()
to be able to embed special information in stat_val to indicate a spawn failure.
The 8 bits of child process exit status that are guaranteed by POSIX.1‐2008 to be accessible to the
waiting parent process are insufficient to disambiguate a spawn error from any other kind of error that
may be returned by an arbitrary process image. No other bits of the exit status are required to be
visible in stat_val, so these macros could not be strictly implemented at the library level. Reserving
an exit status of 127 for such spawn errors is consistent with the use of this value by system() and
popen() to signal failures in these operations that occur after the function has returned but before a
shell is able to execute. The exit status of 127 does not uniquely identify this class of error, nor does
it provide any detailed information on the nature of the failure. Note that a kernel implementation of
posix_spawn() or posix_spawnp() is permitted (and encouraged) to return any possible error as the
function value, thus providing more detailed failure information to the parent process.
Thus, no special macros are available to isolate asynchronous posix_spawn() or posix_spawnp() errors.
Instead, errors detected by the posix_spawn() or posix_spawnp() operations in the context of the child
process before the new process image executes are reported by setting the child's exit status to 127.
The calling process may use the WIFEXITED and WEXITSTATUS macros on the stat_val stored by the wait() or
waitpid() functions to detect spawn failures to the extent that other status values with which the child
process image may exit (before the parent can conclusively determine that the child process image has
begun execution) are distinct from exit status 127.
FUTURE DIRECTIONS
None.
SEE ALSO
alarm(), chmod(), close(), dup(), exec, exit(), fcntl(), fork(), fstatat(), kill(), open(),
posix_spawn_file_actions_addclose(), posix_spawn_file_actions_adddup2(),
posix_spawn_file_actions_destroy(), posix_spawnattr_destroy(), posix_spawnattr_getsigdefault(),
posix_spawnattr_getflags(), posix_spawnattr_getpgroup(), posix_spawnattr_getschedparam(),
posix_spawnattr_getschedpolicy(), posix_spawnattr_getsigmask(), sched_setparam(), sched_setscheduler(),
setpgid(), setuid(), times(), wait(), waitid()
The Base Definitions volume of POSIX.1‐2017, Chapter 8, Environment Variables, <spawn.h>
COPYRIGHT
Portions of this text are reprinted and reproduced in electronic form from IEEE Std 1003.1-2017, Standard
for Information Technology -- Portable Operating System Interface (POSIX), The Open Group Base
Specifications Issue 7, 2018 Edition, Copyright (C) 2018 by the Institute of Electrical and Electronics
Engineers, Inc and The Open Group. In the event of any discrepancy between this version and the original
IEEE and The Open Group Standard, the original IEEE and The Open Group Standard is the referee document.
The original Standard can be obtained online at http://www.opengroup.org/unix/online.html .
Any typographical or formatting errors that appear in this page are most likely to have been introduced
during the conversion of the source files to man page format. To report such errors, see
https://www.kernel.org/doc/man-pages/reporting_bugs.html .
IEEE/The Open Group 2017 POSIX_SPAWN(3POSIX)