Do not chdir before calling posix_spawn

We allow users to set the working directory of the child process when
they use the Process API. Unfortunately, this was implemented by calling
chdir in the parent process, which has nasty global effects on the
process and cannot safely be used concurrently.

glibc has a non-POSIX extension to posix_spawn that can call chdir in
the child process, so we add that call instead where it's available, and
add a regression test.

Author: Lukasa

Sources/Foundation/Process.swift

@@ -938,6 +938,17 @@ open class Process: NSObject {
         }
 #endif
 
+        #if os(Linux)
+        if let dir = currentDirectoryURL?.path {
+            try _throwIfPosixError(posix_spawn_file_actions_addchdir_np(fileActions, dir))
+        }
+        #else
+        // This is an unfortunate workaround: posix_spawn has no POSIX-specified way to set the working directory
+        // of the child process. glibc has a non-POSIX API option, which we use above. Here we take a brute-force
+        // approach of just changing our current working directory. This is not a great implementation and it's likely
+        // to cause subtle issues in those environments. However, the Apple Foundation library doesn't have this problem,
+        // and this library does the right thing on Linux and Windows, so the overwhelming majority of users are
+        // well-served.
         let fileManager = FileManager()
         let previousDirectoryPath = fileManager.currentDirectoryPath
         if let dir = currentDirectoryURL?.path, !fileManager.changeCurrentDirectoryPath(dir) {
@@ -948,6 +959,7 @@ open class Process: NSObject {
             // Reset the previous working directory path.
             fileManager.changeCurrentDirectoryPath(previousDirectoryPath)
         }
+        #endif
 
         // Launch
         var pid = pid_t()

Tests/Foundation/Tests/TestProcess.swift

@@ -7,6 +7,8 @@
 // See http://swift.org/CONTRIBUTORS.txt for the list of Swift project authors
 //
 
+import Dispatch
+
 class TestProcess : XCTestCase {
 
     func test_exit0() throws {
@@ -699,6 +701,53 @@ class TestProcess : XCTestCase {
         }
     }
 
+    func test_currentDirectoryDoesNotChdirParentProcess() throws {
+        // This test only behaves correctly on Linux and Windows: other platforms don't have an
+        // appropriate API for this in posix_spawn or similar.
+        #if os(Linux) || os(Windows)
+        let backgroundQueue = DispatchQueue(label: "background-processor")
+        let group = DispatchGroup()
+        let startSemaphore = DispatchSemaphore()
+        let currentWorkingDirectory = FileManager.shared.currentDirectoryPath
+        var shouldRun = true
+        let shouldRunLock = Lock()
+
+        XCTAssertNotEqual(currentWorkingDirectory, "/")
+
+        // Kick off the background task. This will spin on our current working directory and confirm
+        // it doesn't change.
+        backgroundQueue.async(group: group) {
+            startSemaphore.signal()
+
+            while true {
+                let newCWD = FileManager.shared.currentDirectoryPath
+                XCTAssertEqual(newCWD, currentWorkingDirectory)
+
+                shouldRunLock.lock()
+                if shouldRun {
+                    shouldRunLock.unlock()
+                } else {
+                    shouldRunLock.unlock()
+                    break
+                }
+            }
+        }
+
+        startSemaphore.wait()
+
+        // We run the task 50 times just to try to encourage it to fail.
+        for _ in 0..<50 {
+            XCTAssertNoThrow(try runTask([xdgTestHelperURL().path, "--getcwd"], currentDirectoryPath: "/"))
+        }
+
+        shouldRunLock.lock()
+        shouldRun = false
+        shouldRunLock.unlock()
+
+        group.wait()
+        #endif
+    }
+
     #if !os(Windows)
     func test_fileDescriptorsAreNotInherited() throws {
         let task = Process()