Provided by: explain_1.4.D001-7_amd64 bug

NAME

       explain_lca2010  -  No  medium  found: when it's time to stop trying to read strerror(3)'s
       mind.

MOTIVATION

       The idea for libexplain occurred to me back in the early 1980s.  Whenever  a  system  call
       returns  an  error,  the  kernel knows exactly what went wrong... and compresses this into
       less that 8 bits of errno.  User space has access to the  same  data  as  the  kernel,  it
       should be possible for user space to figure out exactly what happened to provoke the error
       return, and use this to write good error messages.

       Could it be that simple?

   Error messages as finesse
       Good error messages are often those “one percent” tasks that  get  dropped  when  schedule
       pressure  squeezes  your  project.   However,  a  good  error  message  can  make  a huge,
       disproportionate improvement to the user experience, when the  user  wanders  into  scarey
       unknown territory not usually encountered.  This is no easy task.

       As a larval programmer, the author didn't see the problem with (completely accurate) error
       messages like this one:
              floating exception (core dumped)
       until the alternative non‐programmer interpretation was pointed out.  But that  isn't  the
       only thing wrong with Unix error messages.  How often do you see error messages like:
              $ ./stupid
              can't open file
              $
       There are two options for a developer at this point:

       1.
         you can run a debugger, such as gdb(1), or

       2.
         you can use strace(1) or truss(1) to look inside.

       • Remember  that your users may not even have access to these tools, let alone the ability
         to use them.  (It's a very long time since Unix beginner meant  “has  only  written  one
         device driver”.)

       In this example, however, using strace(1) reveals
              $ strace -e trace=open ./stupid
              open("some/file", O_RDONLY) = -1 ENOENT (No such file or directory)
              can't open file
              $
       This  is  considerably  more  information than the error message provides.  Typically, the
       stupid source code looks like this
              int fd = open("some/thing", O_RDONLY);
              if (fd < 0)
              {
                  fprintf(stderr, "can't open file\n");
                  exit(1);
              }
       The user isn't told which file, and also fails to tell the user which error.  Was the file
       even  there?   Was  there a permissions problem?  It does tell you it was trying to open a
       file, but that was probably by accident.

       Grab your clue stick and go beat the larval programmer with it.  Tell him about perror(3).
       The next time you use the program you see a different error message:
              $ ./stupid
              open: No such file or directory
              $
       Progress, but not what we expected.  How can the user fix the problem if the error message
       doesn't tell him what the problem was?  Looking at the source, we see
              int fd = open("some/thing", O_RDONLY);
              if (fd < 0)
              {
                  perror("open");
                  exit(1);
              }
       Time for another run with the clue stick.  This time, the error  message  takes  one  step
       forward and one step back:
              $ ./stupid
              some/thing: No such file or directory
              $
       Now we know the file it was trying to open, but are no longer informed that it was open(2)
       that failed.  In this case it is probably not significant, but it can be  significant  for
       other  system  calls.   It  could  have  been creat(2) instead, an operation implying that
       different permissions are necessary.
              const char *filename = "some/thing";
              int fd = open(filename, O_RDONLY);
              if (fd < 0)
              {
                  perror(filename);
                  exit(1);
              }
       The above example code is unfortunately typical of non‐larval programmers as  well.   Time
       to tell our padawan learner about the strerror(3) system call.
              $ ./stupid
              open some/thing: No such file or directory
              $
       This  maximizes  the  information  that can be presented to the user.  The code looks like
       this:
              const char *filename = "some/thing";
              int fd = open(filename, O_RDONLY);
              if (fd < 0)
              {
                  fprintf(stderr, "open %s: %s\n", filename, strerror(errno));
                  exit(1);
              }
       Now we have the system call, the filename, and the error string.  This  contains  all  the
       information that strace(1) printed.  That's as good as it gets.

       Or is it?

   Limitations of perror and strerror
       The  problem  the author saw, back in the 1980s, was that the error message is incomplete.
       Does “no such file or directory” refer to the “some” directory, or to the “thing” file  in
       the “some” directory?

       A quick look at the man page for strerror(3) is telling:
              strerror - return string describing error number
       Note well: it is describing the error number, not the error.

       On the other hand, the kernel knows what the error was.  There was a specific point in the
       kernel code, caused by a specific condition, where the kernel code branched and said “no”.
       Could  a  user‐space  program  figure  out the specific condition and write a better error
       message?

       However, the problem goes deeper.  What if the problem occurs during  the  read(2)  system
       call,  rather  than  the open(2) call?  It is simple for the error message associated with
       open(2) to include the file name, it's right there.  But to be able to include a file name
       in  the  error associated with the read(2) system call, you have to pass the file name all
       the way down the call stack, as well as the file descriptor.

       And here is the bit that grates:  the  kernel  already  knows  what  file  name  the  file
       descriptor  is  associated  with.  Why should a programmer have to pass redundant data all
       the way down the call stack just to improve an error message that may never be issued?  In
       reality, many programmers don't bother, and the resulting error messages are the worse for
       it.

       But that was the 1980s, on a PDP11, with limited resources and no shared libraries.   Back
       then,  no  flavor of Unix included /proc even in rudimentary form, and the lsof(1) program
       was over a decade away.  So the idea was shelved as impractical.

   Level Infinity Support
       Imagine that you are level infinity support.  Your job description  says  that  you  never
       ever have to talk to users.  Why, then, is there still a constant stream of people wanting
       you, the local Unix guru, to decipher yet another error message?

       Strangely, 25 years later, despite a simple permissions system, implemented with  complete
       consistency, most Unix users still have no idea how to decode “No such file or directory”,
       or any of the other cryptic error messages they see every day.  Or, at least,  cryptic  to
       them.

       Wouldn't  it  be  nice  if first level tech support didn't need error messages deciphered?
       Wouldn't it be nice to have error messages that users  could  understand  without  calling
       tech support?

       These days /proc on Linux is more than able to provide the information necessary to decode
       the vast majority of error messages, and point the user to the proximate  cause  of  their
       problem.   On systems with a limited /proc implementation, the lsof(1) command can fill in
       many of the gaps.

       In 2008, the stream of translation requests happened to the author way too often.  It  was
       time to re‐examine that 25 year old idea, and libexplain is the result.

USING THE LIBRARY

       The  interface to the library tries to be consistent, where possible.  Let's start with an
       example using strerror(3):
              if (rename(old_path, new_path) < 0)
              {
                  fprintf(stderr, "rename %s %s: %s\n", old_path, new_path,
                      strerror(errno));
                  exit(1);
              }
       The idea behind libexplain is to provide a strerror(3) equivalent for  each  system  call,
       tailored  specifically  to  that system call, so that it can provide a more detailed error
       message, containing much of the information you see under the “ERRORS” heading of  section
       2  and 3 man pages, supplemented with information about actual conditions, actual argument
       values, and system limits.

   The Simple Case
       The strerror(3) replacement:
              if (rename(old_path, new_path) < 0)
              {
                  fprintf(stderr, "%s\n", explain_rename(old_path, new_path));
                  exit(1);
              }

   The Errno Case
       It is also possible to pass an  explicit  errno(3)  value,  if  you  must  first  do  some
       processing that would disturb errno, such as error recovery:
              if (rename(old_path, new_path < 0))
              {
                  int old_errno = errno;
                  ...code that disturbs errno...
                  fprintf(stderr, "%s\n", explain_errno_rename(old_errno,
                      old_path, new_path));
                  exit(1);
              }

   The Multi‐thread Cases
       Some  applications  are multi‐threaded, and thus are unable to share libexplain's internal
       buffer.  You can supply your own buffer using
              if (unlink(pathname))
              {
                  char message[3000];
                  explain_message_unlink(message, sizeof(message), pathname);
                  error_dialog(message);
                  return -1;
              }
       And for completeness, both errno(3) and thread‐safe:
              ssize_t nbytes = read(fd, data, sizeof(data));
              if (nbytes < 0)
              {
                  char message[3000];
                  int old_errno = errno;
                  ...error recovery...
                  explain_message_errno_read(message, sizeof(message),
                      old_errno, fd, data, sizeof(data));
                  error_dialog(message);
                  return -1;
              }

       These are replacements for strerror_r(3), on systems that have it.

   Interface Sugar
       A set of functions  added  as  convenience  functions,  to  woo  programmers  to  use  the
       libexplain library, turn out to be the author's most commonly used libexplain functions in
       command line programs:
              int fd = explain_creat_or_die(filename, 0666);
       This function attempts to create a new file.  If it can't, it prints an error message  and
       exits with EXIT_FAILURE.  If there is no error, it returns the new file descriptor.

       A related function:
              int fd = explain_creat_on_error(filename, 0666);
       will  print  the error message on failure, but also returns the original error result, and
       errno(3) is unmolested, as well.

   All the other system calls
       In general, every system call has its own include file
              #include <libexplain/name.h>
       that defines function prototypes for six functions:

       • explain_name,

       • explain_errno_name,

       • explain_message_name,

       • explain_message_errno_name,

       • explain_name_or_die and

       • explain_name_on_error.

       Every function prototype has Doxygen documentation, and this documentation is not stripped
       when the include files are installed.

       The wait(2) system call (and friends) have some extra variants that also interpret failure
       to be an exit status that isn't EXIT_SUCCESS.  This applies to system(3) and pclose(3)  as
       well.

       Coverage  includes  221  system  calls and 547 ioctl requests.  There are many more system
       calls yet to implement.  System calls that never return, such as exit(2), are not  present
       in the library, and will never be.  The exec family of system calls are supported, because
       they return when there is an error.

   Cat
       This is what a hypothetical “cat” program could look  like,  with  full  error  reporting,
       using libexplain.
              #include <libexplain/libexplain.h>
              #include <stdlib.h>
              #include <unistd.h>
       There  is one include for libexplain, plus the usual suspects.  (If you wish to reduce the
       preprocessor load, you can use the specific <libexplain/name.h> includes.)
              static void
              process(FILE *fp)
              {
                  for (;;)
                  {
                      char buffer[4096];
                      size_t n = explain_fread_or_die(buffer, 1, sizeof(buffer), fp);
                      if (!n)
                          break;
                      explain_fwrite_or_die(buffer, 1, n, stdout);
                  }
              }
       The process function copies a file stream to the standard output.  Should an  error  occur
       for  either  reading  or writing, it is reported (and the pathname will be included in the
       error) and the command exits with EXIT_FAILURE.  We don't even worry  about  tracking  the
       pathnames, or passing them down the call stack.
              int
              main(int argc, char **argv)
              {
                  for (;;)
                  {
                      int c = getopt(argc, argv, "o:");
                      if (c == EOF)
                          break;
                      switch (c)
                      {
                      case 'o':
                          explain_freopen_or_die(optarg, "w", stdout);
                          break;
       The fun part of this code is that libexplain can report errors including the pathname even
       if you don't explicitly re‐open stdout as  is  done  here.   We  don't  even  worry  about
       tracking the file name.
                      default:
                          fprintf(stderr, "Usage: %ss [ -o <filename> ] <filename>...\n",
                              argv[0]);
                          return EXIT_FAILURE;
                      }
                  }
                  if (optind == argc)
                      process(stdin);
                  else
                  {
                      while (optind < argc)
                      {
                          FILE *fp = explain_fopen_or_die(argv[optind]++, "r");
                          process(fp);
                          explain_fclose_or_die(fp);
                      }
                  }
       The  standard  output  will  be  closed implicitly, but too late for an error report to be
       issued, so we do that here, just in case the buffered I/O hasn't written anything yet, and
       there is an ENOSPC error or something.
                  explain_fflush_or_die(stdout);
                  return EXIT_SUCCESS;
              }
       That's all.  Full error reporting, clear code.

   Rusty's Scale of Interface Goodness
       For those of you not familiar with it, Rusty Russel's “How Do I Make This Hard to Misuse?”
       page is a must‐read for API designers.
       http://ozlabs.org/~rusty/index.cgi/tech/2008‐03‐30.html

       10. It's impossible to get wrong.

       Goals need to be set high, ambitiously high, lest you accomplish them and  think  you  are
       finished when you are not.

       The libexplain library detects bogus pointers and many other bogus system call parameters,
       and generally tries to avoid segfaults in even the most trying circumstances.

       The libexplain library is designed to be thread safe.  More  real‐world  use  will  likely
       reveal places this can be improved.

       The biggest problem is with the actual function names themselves.  Because C does not have
       name‐spaces, the libexplain library always uses an explain_  name  prefix.   This  is  the
       traditional  way  of  creating  a  pseudo‐name‐space  in  order to avoid symbol conflicts.
       However, it results in some unnatural‐sounding names.

       9. The compiler or linker won't let you get it wrong.

       A  common  mistake  is  to  use  explain_open  where  explain_open_or_die  was   intended.
       Fortunately,  the  compiler will often issue a type error at this point (e.g. can't assign
       const char * rvalue to an int lvalue).

       8. The compiler will warn if you get it wrong.

       If explain_rename is used when explain_rename_or_die was intended, this  can  cause  other
       problems.   GCC  has  a  useful  warn_unused_result function attribute, and the libexplain
       library attaches it to all the explain_name function calls to produce a warning  when  you
       make this mistake.  Combine this with gcc -Werror to promote this to level 9 goodness.

       7. The obvious use is (probably) the correct one.

       The  function  names  have  been  chosen  to  convey their meaning, but this is not always
       successful.  While explain_name_or_die and explain_name_on_error are  fairly  descriptive,
       the less‐used thread safe variants are harder to decode.  The function prototypes help the
       compiler towards understanding, and the Doxygen comments in the header files help the user
       towards understanding.

       6. The name tells you how to use it.

       It  is  particularly  important  to  read  explain_name_or_die as “explain (name or die)”.
       Using a consistent explain_ name‐space prefix has some  unfortunate  side‐effects  in  the
       obviousness department, as well.

       The  order  of  words in the names also indicate the order of the arguments.  The argument
       lists always end with the same arguments as passed to the system call; all  of  them.   If
       _errno_  appears  in the name, its argument always precedes the system call arguments.  If
       _message_ appears in the name, its two arguments always come first.

       5. Do it right or it will break at runtime.

       The libexplain library detects bogus pointers and many other bogus system call parameters,
       and  generally  tries to avoid segfaults in even the most trying circumstances.  It should
       never break at runtime, but more real‐world use will no doubt improve this.

       Some error messages are aimed at developers and maintainers rather than end users, as this
       can  assist  with  bug  resolution.   Not so much “break at runtime” as “be informative at
       runtime” (after the system call barfs).

       4. Follow common convention and you'll get it right.

       Because C does not have name‐spaces, the libexplain library always uses an  explain_  name
       prefix.   This  is  the  traditional way of creating a pseudo‐name‐space in order to avoid
       symbol conflicts.

       The trailing arguments of all the libexplain call are identical to the  system  call  they
       are  describing.   This  is intended to provide a consistent convention in common with the
       system calls themselves.

       3. Read the documentation and you'll get it right.

       The libexplain library aims to have complete Doxygen  documentation  for  each  and  every
       public API call (and internally as well).

MESSAGE CONTENT

       Working  on libexplain is a bit like looking at the underside of your car when it is up on
       the hoist at the mechanic's.  There's some ugly stuff under there, plus mud and crud,  and
       users  rarely  see  it.  A good error message needs to be informative, even for a user who
       has been fortunate enough not to have to look at  the  under‐side  very  often,  and  also
       informative  for the mechanic listening to the user's description over the phone.  This is
       no easy task.

       Revisiting our first example, the code would like this if it uses libexplain:
              int fd = explain_open_or_die("some/thing", O_RDONLY, 0);
       will fail with an error message like this
              open(pathname = "some/file", flags = O_RDONLY) failed, No such  file  or  directory
              (2, ENOENT) because there is no "some" directory in the current directory
       This breaks down into three pieces
              system‐call failed, system‐error because
              explanation

   Before Because
       It is possible to see the part of the message before “because” as overly technical to non‐
       technical users, mostly as a result of accurately printing the system call itself  at  the
       beginning  of  the  error  message.   And  it  looks like strace(1) output, for bonus geek
       points.
              open(pathname = "some/file", flags = O_RDONLY) failed, No such  file  or  directory
              (2, ENOENT)
       This  part of the error message is essential to the developer when he is writing the code,
       and equally important to the maintainer who has to read bug reports and fix  bugs  in  the
       code.  It says exactly what failed.

       If  this  text  is not presented to the user then the user cannot copy‐and‐paste it into a
       bug report, and if it isn't in the bug report the maintainer can't know what actually went
       wrong.

       Frequently  tech  staff  will use strace(1) or truss(1) to get this exact information, but
       this avenue is not open when reading bug reports.  The bug reporter's system  is  far  far
       away,  and,  by  now, in a far different state.  Thus, this information needs to be in the
       bug report, which means it must be in the error message.

       The system call representation also gives context to the rest of  the  message.   If  need
       arises,  the  offending system call argument may be referred to by name in the explanation
       after “because”.  In addition, all strings are fully quoted  and  escaped  C  strings,  so
       embedded  newlines  and  non‐printing  characters will not cause the user's terminal to go
       haywire.

       The system‐error is what comes out of strerror(2), plus the error symbol.   Impatient  and
       expert  sysadmins could stop reading at this point, but the author's experience to date is
       that reading further is rewarding.  (If it isn't  rewarding,  it's  probably  an  area  of
       libexplain that can be improved.  Code contributions are welcome, of course.)

   After Because
       This  is  the  portion of the error message aimed at non‐technical users.  It looks beyond
       the simple system call arguments, and looks for something more specific.
              there is no "some" directory in the current directory
       This portion attempts to explain the proximal cause of the error in plain language, and it
       is here that internationalization is essential.

       In  general,  the  policy  is to include as much information as possible, so that the user
       doesn't need to go looking for it (and doesn't leave it out of the bug report).

   Internationalization
       Most of the error messages in the libexplain library have been  internationalized.   There
       are  no  localizations  as  yet,  so if you want the explanations in your native language,
       please contribute.

       The  “most  of”  qualifier,  above,  relates  to  the  fact  that   the   proof‐of‐concept
       implementation  did  not  include  internationalization  support.   The code base is being
       revised progressively, usually as a result of refactoring  messages  so  that  each  error
       message string appears in the code exactly once.

       Provision has been made for languages that need to assemble the portions of
              system‐call failed, system‐error because explanation
       in different orders for correct grammar in localized error messages.

   Postmortem
       There  are  times  when  a  program has yet to use libexplain, and you can't use strace(1)
       either.  There is an explain(1) command included with  libexplain  that  can  be  used  to
       decipher error messages, if the state of the underlying system hasn't changed too much.
              $ explain rename foo /tmp/bar/baz -e ENOENT
              rename(oldpath = "foo", newpath = "/tmp/bar/baz") failed, No such file or directory
              (2, ENOENT) because there is no "bar" directory in the newpath "/tmp" directory
              $
       Note how the path ambiguity is resolved by  using  the  system  call  argument  name.   Of
       course, you have to know the error and the system call for explain(1) to be useful.  As an
       aside, this is one of the ways used by the libexplain automatic test suite to verify  that
       libexplain is working.

   Philosophy
       “Tell me everything, including stuff I didn't know to look for.”

       The  library  is  implemented in such a way that when statically linked, only the code you
       actually use will be linked.  This is achieved by having one  function  per  source  file,
       whenever feasible.

       When  it is possible to supply more information, libexplain will do so.  The less the user
       has to track down for themselves, the better.  This means that UIDs are accompanied by the
       user  name,  GIDs  are  accompanied by the group name, PIDs are accompanied by the process
       name, file descriptors and streams are accompanied by the pathname, etc.

       When resolving paths, if a path component does not exist, libexplain will look for similar
       names, in order to suggest alternatives for typographical errors.

       The libexplain library tries to use as little heap as possible, and usually none.  This is
       to avoid perturbing the process state, as  far  as  possible,  although  sometimes  it  is
       unavoidable.

       The  libexplain  library attempts to be thread safe, by avoiding global variables, keeping
       state on the stack as much as possible.  There is a single common message buffer, and  the
       functions that use it are documented as not being thread safe.

       The  libexplain  library  does  not  disturb  a  process's  signal  handlers.   This makes
       determining whether a pointer would segfault a challenge, but not impossible.

       When information is available via a system call as  well  as  available  through  a  /proc
       entry,  the  system  call  is preferred.  This is to avoid disturbing the process's state.
       There are also times when no file descriptors are available.

       The libexplain library is compiled with large  file  support.   There  is  no  large/small
       schizophrenia.  Where this affects the argument types in the API, and error will be issued
       if the necessary large file defines are absent.

       FIXME: Work is needed to make sure that file system quotas are handled in the code.   This
       applies to some getrlimit(2) boundaries, as well.

       There  are  cases  when  relatives  paths are uninformative.  For example: system daemons,
       servers and background processes.  In these cases, absolute paths are used  in  the  error
       explanations.

PATH RESOLUTION

       Short version: see path_resolution(7).

       Long  version:  Most users have never heard of path_resolution(7), and many advanced users
       have never read it.  Here is an annotated version:

   Step 1: Start of the resolution process
       If the pathname starts with the slash (“/”) character, the starting  lookup  directory  is
       the root directory of the calling process.

       If  the  pathname  does  not  start  with  the  slash(“/”)  character, the starting lookup
       directory of the resolution process is the current working directory of the process.

   Step 2: Walk along the path
       Set the current lookup directory to the starting lookup directory.   Now,  for  each  non‐
       final component of the pathname, where a component is a substring delimited by slash (“/”)
       characters, this component is looked up in the current lookup directory.

       If the process does not have search permission on the current lookup directory, an  EACCES
       error is returned ("Permission denied").
              open(pathname   =  "/home/archives/.ssh/private_key",  flags  =  O_RDONLY)  failed,
              Permission denied (13, EACCES) because the process does not have search  permission
              to  the  pathname  "/home/archives/.ssh"  directory, the process effective GID 1000
              "pmiller" does  not  match  the  directory  owner  1001  "archives"  so  the  owner
              permission  mode  "rwx"  is  ignored,  the others permission mode is "---", and the
              process is not privileged (does not have the DAC_READ_SEARCH capability)

       If the component is not found, an ENOENT error is returned ("No such file or directory").
              unlink(pathname = "/home/microsoft/rubbish") failed, No such file or directory  (2,
              ENOENT) because there is no "microsoft" directory in the pathname "/home" directory

       There is also some support for users when they mis‐type pathnames, making suggestions when
       ENOENT is returned:
              open(pathname = "/user/include/fcntl.h", flags = O_RDONLY) failed, No such file  or
              directory  (2,  ENOENT)  because  there  is no "user" directory in the pathname "/"
              directory, did you mean the "usr" directory instead?

       If  the  component  is found, but is neither a directory nor a symbolic link,  an  ENOTDIR
       error is returned ("Not a directory").
              open(pathname  =  "/home/pmiller/.netrc/lca",  flags  =  O_RDONLY)  failed,  Not  a
              directory  (20,  ENOTDIR)  because  the  ".netrc"  regular  file  in  the  pathname
              "/home/pmiller" directory is being used as a directory when it is not

       If  the component is found and is a directory, we set the current lookup directory to that
       directory, and go to the next component.

       If the component is found and is a symbolic link (symlink), we first resolve this symbolic
       link  (with  the current lookup directory as starting lookup directory).  Upon error, that
       error is returned.  If the result is not a directory, an ENOTDIR error is returned.
              unlink(pathname = "/tmp/dangling/rubbish") failed, No such file  or  directory  (2,
              ENOENT)  because  the  "dangling"  symbolic  link  in the pathname "/tmp" directory
              refers to "nowhere" that does not exist
       If the resolution of the symlink is successful and returns a directory, we set the current
       lookup  directory  to  that  directory,  and  go  to  the  next  component.  Note that the
       resolution process here involves recursion.  In order to protect the kernel against  stack
       overflow,  and  also to protect against denial of service, there are limits on the maximum
       recursion depth, and on the maximum number of symbolic links followed.  An ELOOP error  is
       returned when the maximum is exceeded ("Too many levels of symbolic links").
              open(pathname  =  "/tmp/dangling",  flags  =  O_RDONLY)  failed, Too many levels of
              symbolic links (40,  ELOOP)  because  a  symbolic  link  loop  was  encountered  in
              pathname, starting at "/tmp/dangling"
       It is also possible to get an ELOOP or EMLINK error if there are too many symlinks, but no
       loop was detected.
              open(pathname = "/tmp/rabbit‐hole", flags = O_RDONLY) failed, Too  many  levels  of
              symbolic  links  (40,  ELOOP)  because  too many symbolic links were encountered in
              pathname (8)
       Notice how the actual limit is also printed.

   Step 3: Find the final entry
       The lookup of the final component of the  pathname  goes  just  like  that  of  all  other
       components, as described in the previous step, with two differences:

       (i) The  final  component  need not be a directory (at least as far as the path resolution
           process is concerned.  It may have to be a directory, or a non‐directory,  because  of
           the requirements of the specific system call).

       (ii)
           It  is not necessarily an error if the final component is not found; maybe we are just
           creating it.  The details on the treatment of the final entry  are  described  in  the
           manual pages of the specific system calls.

       (iii)
           It is also possible to have a problem with the last component if it is a symbolic link
           and it should not be followed.  For example, using the open(2) O_NOFOLLOW flag:
           open(pathname = "a‐symlink", flags = O_RDONLY | O_NOFOLLOW) failed, Too many levels of
           symbolic  links  (ELOOP)  because  O_NOFOLLOW  was  specified but pathname refers to a
           symbolic link

       (iv)
           It is common for users to make mistakes when typing pathnames.  The libexplain library
           attempts to make suggestions when ENOENT is returned, for example:
           open(pathname = "/usr/include/filecontrl.h", flags = O_RDONLY) failed, No such file or
           directory (2, ENOENT) because there is no "filecontrl.h" regular file in the  pathname
           "/usr/include" directory, did you mean the "fcntl.h" regular file instead?

       (v) It  is also possible that the final component is required to be something other than a
           regular file:
           readlink(pathname = "just‐a‐file",  data  =  0x7F930A50,  data_size  =  4097)  failed,
           Invalid argument (22, EINVAL) because pathname is a regular file, not a symbolic link

       (vi)
           FIXME: handling of the "t" bit.

   Limits
       There are a number of limits with regards to pathnames and filenames.

       Pathname length limit
               There  is  a  maximum length for pathnames.  If the pathname (or some intermediate
               pathname obtained while resolving symbolic links) is  too  long,  an  ENAMETOOLONG
               error is returned ("File name too long").  Notice how the system limit is included
               in the error message.
               open(pathname = "very...long", flags = O_RDONLY) failed, File name too  long  (36,
               ENAMETOOLONG) because pathname exceeds the system maximum path length (4096)

       Filename length limit
               Some  Unix  variants  have  a limit on the number of bytes in each path component.
               Some of them deal with this silently, and some give ENAMETOOLONG;  the  libexplain
               library  uses  pathconf(3) _PC_NO_TRUNC to tell which.  If this error happens, the
               libexplain library will state the  limit  in  the  error  message,  the  limit  is
               obtained  from  pathconf(3) _PC_NAME_MAX.  Notice how the system limit is included
               in the error message.
               open(pathname = "system7/only-had-14-characters", flags = O_RDONLY)  failed,  File
               name  too  long  (36,  ENAMETOOLONG) because "only-had-14-characters" component is
               longer than the system limit (14)

       Empty pathname
               In the original Unix, the  empty  pathname  referred  to  the  current  directory.
               Nowadays POSIX decrees that an empty pathname must not be resolved successfully.
               open(pathname  =  "",  flags  =  O_RDONLY)  failed,  No such file or directory (2,
               ENOENT) because POSIX  decrees  that  an  empty  pathname  must  not  be  resolved
               successfully

   Permissions
       The  permission  bits of a file consist of three groups of three bits.  The first group of
       three is used when the effective user ID of the calling process equals the owner ID of the
       file.   The  second group of three is used when the group ID of the file either equals the
       effective group ID of the calling process, or is one of the supplementary group IDs of the
       calling process.  When neither holds, the third group is used.
              open(pathname  =  "/etc/passwd",  flags  = O_WRONLY) failed, Permission denied (13,
              EACCES) because the process does not have write permission to the "passwd"  regular
              file  in  the  pathname  "/etc" directory, the process effective UID 1000 "pmiller"
              does not match the regular file owner 0 "root" so the owner permission  mode  "rw-"
              is  ignored, the others permission mode is "r--", and the process is not privileged
              (does not have the DAC_OVERRIDE capability)
       Some considerable space is given to this explanation, as most users do not know that  this
       is  how  the  permissions  system  works.   In  particular:  the  owner,  group  and other
       permissions are exclusive, they are not “OR”ed together.

STRANGE AND INTERESTING SYSTEM CALLS

       The process of writing a specific  error  handler  for  each  system  call  often  reveals
       interesting quirks and boundary conditions, or obscure errno(3) values.

   ENOMEDIUM, No medium found
       The act of copying a CD was the source of the title for this paper.
              $ dd if=/dev/cdrom of=fubar.iso
              dd: opening “/dev/cdrom”: No medium found
              $
       The  author  wondered why his computer was telling him there is no such thing as a psychic
       medium.  Quite apart from the fact that huge numbers of native English  speakers  are  not
       even  aware  that “media” is a plural, let alone that “medium” is its singular, the string
       returned by strerror(3) for ENOMEDIUM is so terse as  to  be  almost  completely  free  of
       content.

       When  open(2)  returns ENOMEDIUM it would be nice if the libexplain library could expand a
       little on this, based on the type of drive it is.  For example:
         ... because there is no disk in the floppy drive
         ... because there is no disc in the CD‐ROM drive
         ... because there is no tape in the tape drive
         ... because there is no memory stick in the card reader

       And so it came to pass...
              open(pathname = "/dev/cdrom", flags =  O_RDONLY)  failed,  No  medium  found  (123,
              ENOMEDIUM) because there does not appear to be a disc in the CD‐ROM drive
       The  trick,  that  the  author was previously unaware of, was to open the device using the
       O_NONBLOCK flag, which will allow you to open a drive with no  medium  in  it.   You  then
       issue  device  specific  ioctl(2) requests until you figure out what the heck it is.  (Not
       sure if this is POSIX, but it also seems to work that way in BSD and Solaris, according to
       the wodim(1) sources.)

       Note  also the differing uses of “disk” and “disc” in context.  The CD standard originated
       in France, but everything else has a “k”.

   EFAULT, Bad address
       Any system call that takes a pointer argument can return EFAULT.  The  libexplain  library
       can  figure  out which argument is at fault, and it does it without disturbing the process
       (or thread) signal handling.

       When available, the mincore(2) system call is used, to ask if the memory region is  valid.
       It  can  return  three  results: mapped but not in physical memory, mapped and in physical
       memory, and not mapped.  When testing the validity of a pointer, the first two  are  “yes”
       and the last one is “no”.

       Checking  C  strings  are more difficult, because instead of a pointer and a size, we only
       have a pointer.  To determine the size we would have to  find  the  NUL,  and  that  could
       segfault, catch‐22.

       To  work  around  this,  the libexplain library uses the lstat(2) sysem call (with a known
       good second argument) to test C strings for validity.  A failure return && errno == EFAULT
       is  a  “no”,  and  anythng  else  is  a “yes”.  This, of course limits strings to PATH_MAX
       characters, but that usually isn't a problem for the libexplain library, because  that  is
       almost always the longest strings it cares about.

   EMFILE, Too many open files
       This  error occurs when a process already has the maximum number of file descriptors open.
       If the actual limit is to be printed, and the libexplain library tries to, you can't  open
       a file in /proc to read what it is.
              open_max = sysconf(_SC_OPEN_MAX);
       This one wan't so difficult, there is a sysconf(3) way of obtaining the limit.

   ENFILE, Too many open files in system
       This  error  occurs  when  the  system  limit  on  the total number of open files has been
       reached.  In this case there is no handy sysconf(3) way of obtain the limit.

       Digging deeper, one may discover that on Linux there is a /proc entry  we  could  read  to
       obtain  this  value.  Catch‐22: we are out of file descriptors, so we can't open a file to
       read the limit.

       On Linux there is a system call to obtain it, but it has no [e]glibc wrapper function,  so
       you have to all it very carefully:
              long
              explain_maxfile(void)
              {
              #ifdef __linux__
                  struct __sysctl_args args;
                  int32_t maxfile;
                  size_t maxfile_size = sizeof(maxfile);
                  int name[] = { CTL_FS, FS_MAXFILE };
                  memset(&args, 0, sizeof(struct __sysctl_args));
                  args.name = name;
                  args.nlen = 2;
                  args.oldval = &maxfile;
                  args.oldlenp = &maxfile_size;
                  if (syscall(SYS__sysctl, &args) >= 0)
                      return maxfile;
              #endif
                  return -1;
              }
       This permits the limit to be included in the error message, when available.

   EINVAL “Invalid argument” vs ENOSYS “Function not implemented”
       Unsupported  actions  (such  as  symlink(2)  on  a  FAT  file  system)  are  not  reported
       consistently from one system call to the next.  It is possible to have  either  EINVAL  or
       ENOSYS returned.

       As  a  result, attention must be paid to these error cases to get them right, particularly
       as the EINVAL could also be referring to problems with one or more system call arguments.

   Note that errno(3) is not always set
       There are times when it is necessary to read the [e]glibc sources  to  determine  how  and
       when errors are returned for some system calls.

       feof(3), fileno(3)
           It is often assumed that these functions cannot return an error.  This is only true if
           the stream argument is valid,  however  they  are  capable  of  detecting  an  invalid
           pointer.

       fpathconf(3), pathconf(3)
           The  return  value  of fpathconf(2) and pathconf(2) could legitimately be -1, so it is
           necessary to see if errno(3) has been explicitly set.

       ioctl(2)
           The return value of ioctl(2) could legitimately be -1, so it is necessary  to  see  if
           errno(3) has been explicitly set.

       readdir(3)
           The  return  value  of  readdir(3)  is  NULL  for  both errors and end‐of‐file.  It is
           necessary to see if errno(3) has been explicitly set.

       setbuf(3), setbuffer(3), setlinebuf(3), setvbuf(3)
           All but the last of these functions return void.  And setvbuf(3) is only documented as
           returning “non‐zero” on error.  It is necessary to see if errno(3) has been explicitly
           set.

       strtod(3), strtol(3), strtold(3), strtoll(3), strtoul(3), strtoull(3)
           These functions return 0 on error, but that is also a legitimate return value.  It  is
           necessary to see if errno(3) has been explicitly set.

       ungetc(3)
           While  only  a single character of backup is mandated by the ANSI C standard, it turns
           out that [e]glibc permits more...  but that means it can fail  with  ENOMEM.   It  can
           also  fail with EBADF if fp is bogus.  Most difficult of all, if you pass EOF an error
           return occurs, but errno is not set.

       The libexplain library detects all of these errors correctly,  even  in  cases  where  the
       error values are poorly documented, if at all.

   ENOSPC, No space left on device
       When this error refers to a file on a file system, the libexplain library prints the mount
       point of the file system with the problem.  This can make the source  of  the  error  much
       clearer.
              write(fildes = 1 "example", data = 0xbfff2340, data_size = 5) failed, No space left
              on device (28, ENOSPC) because the file system containing fildes ("/home")  has  no
              more space for data
       As more special device support is added, error messages are expected to include the device
       name and actual size of the device.

   EROFS, Read‐only file system
       When this error refers to a file on a file system, the libexplain library prints the mount
       point  of  the  file  system with the problem.  This can make the source of the error much
       clearer.

       As more special device support is added, error messages are expected to include the device
       name and type.
              open(pathname = "/dev/fd0", O_RDWR, 0666) failed, Read‐only file system (30, EROFS)
              because the floppy disk has the write protect tab set

       ...because a CD‐ROM is not writable
       ...because the memory card has the write protect tab set
       ...because the ½ inch magnetic tape does not have a write ring

   rename
       The rename(2) system call is used to change the location or name  of  a  file,  moving  it
       between  directories  if  required.  If the destination pathname already exists it will be
       atomically replaced, so that there is no point at  which  another  process  attempting  to
       access it will find it missing.

       There  are  limitations,  however:  you  can  only  rename  a  directory on top of another
       directory if the destination directory is not empty.
              rename(oldpath  =  "foo",  newpath  =  "bar")  failed,  Directory  not  empty  (39,
              ENOTEMPTY)  because newpath is not an empty directory; that is, it contains entries
              other than "." and ".."
       You can't rename a directory on top of a non‐directory, either.
              rename(oldpath = "foo", newpath = "bar") failed,  Not  a  directory  (20,  ENOTDIR)
              because oldpath is a directory, but newpath is a regular file, not a directory
       Nor is the reverse allowed
              rename(oldpath  =  "foo",  newpath  =  "bar")  failed,  Is a directory (21, EISDIR)
              because newpath is a directory, but oldpath is a regular file, not a directory

       This, of course,  makes  the  libexplain  library's  job  more  complicated,  because  the
       unlink(2)  or  rmdir(2)  system  call is called implicitly by rename(2), and so all of the
       unlink(2) or rmdir(2) errors must be detected and handled, as well.

   dup2
       The dup2(2) system call is used to create a second file  descriptor  that  references  the
       same object as the first file descriptor.  Typically this is used to implement shell input
       and output redirection.

       The fun thing is that, just as rename(2) can  atomically  rename  a  file  on  top  of  an
       existing  file  and  remove  the  old  file, dup2(2) can do this onto an already‐open file
       descriptor.

       Once again, this makes the libexplain library's job more complicated, because the close(2)
       system  call  is  called  implicitly  by  dup2(2), and so all of close(2)'s errors must be
       detected and handled, as well.

ADVENTURES IN IOCTL SUPPORT

       The ioctl(2) system call provides device driver authors with a  way  to  communicate  with
       user‐space that doesn't fit within the existing kernel API.  See ioctl_list(2).

   Decoding Request Numbers
       From a cursory look at the ioctl(2) interface, there would appear to be a large but finite
       number of possible ioctl(2) requests.  Each  different  ioctl(2)  request  is  effectively
       another  system  call,  but  without  any  type‐safety  at all - the compiler can't help a
       programmer get these right.  This  was  probably  the  motivation  behind  tcflush(3)  and
       friends.

       The  initial  impression  is  that  you could decode ioctl(2) requests using a huge switch
       statement.  This turns out to be infeasible because one very rapidly discovers that it  is
       impossible  to  include  all of the necessary system headers defining the various ioctl(2)
       requests, because they have a hard time playing nicely with each other.

       A deeper look reveals that there is a range  of  “private”  request  numbers,  and  device
       driver authors are encouraged to use them.  This means that there is a far larger possible
       set of requests, with ambiguous request numbers, than  are  immediately  apparent.   Also,
       there are some historical ambiguities as well.

       We  already  knew  that  the  switch  was  impractical, but now we know that to select the
       appropriate request name and explanation we must consider not only the request number  but
       also the file descriptor.

       The implementation of ioctl(2) support within the libexplain library is to have a table of
       pointers to ioctl(2) request descriptors.  Each of these descriptors includes an  optional
       pointer to a disambiguation function.

       Each  request  is  actually  implemented  in a separate source file, so that the necessary
       include files are relieved of the obligation to play nicely with others.

   Representation
       The philosophy behind the  libexplain  library  is  to  provide  as  much  information  as
       possible,  including  an  accurate  representation  of  the  system  call.  In the case of
       ioctl(2) this means printing the correct request number (by name) and also a  correct  (or
       at least useful) representation of the third argument.

       The ioctl(2) prototype looks like this:
              int ioctl(int fildes, int request, ...);
       which should have your type‐safety alarms going off.  Internal to [e]glibc, this is turned
       into a variety of forms:
              int __ioctl(int fildes, int request, long arg);
              int __ioctl(int fildes, int request, void *arg);
       and the Linux kernel syscall interface expects
              asmlinkage long sys_ioctl(unsigned int fildes, unsigned int request, unsigned  long
              arg);
       The  extreme variability of the third argument is a challenge, when the libexplain library
       tries to print a representation of that third argument.  However, once the request  number
       has  been  disambiguated,  each  entry  in  the the libexplain library's ioctl table has a
       custom print_data function (OO done manually).

   Explanations
       There are fewer problems determining the explanation to be used.  Once the request  number
       has  been  disambiguated,  each entry in the libexplain library's ioctl table has a custom
       print_explanation function (again, OO done manually).

       Unlike section 2 and section 3  system  calls,  most  ioctl(2)  requests  have  no  errors
       documented.   This  means, to give good error descriptions, it is necessary to read kernel
       sources to discover

       • what errno(3) values may be returned, and

       • the cause of each error.

       Because of the OO nature of function call dispatching withing the kernel, you need to read
       all  sources  implementing that ioctl(2) request, not just the generic implementation.  It
       is to be expected that different kernels will have  different  error  numbers  and  subtly
       different error causes.

   EINVAL vs ENOTTY
       The  situation  is even worse for ioctl(2) requests than for system calls, with EINVAL and
       ENOTTY both being used to indicate that an  ioctl(2)  request  is  inappropriate  in  that
       context, and occasionally ENOSYS, ENOTSUP and EOPNOTSUPP (meant to be used for sockets) as
       well.  There are comments in the Linux kernel sources that seem to indicate a  progressive
       cleanup is in progress.  For extra chaos, BSD adds ENOIOCTL to the confusion.

       As  a  result, attention must be paid to these error cases to get them right, particularly
       as the EINVAL could also be referring to problems with one or more system call arguments.

   intptr_t
       The C99 standard defines an integer type that is guaranteed to be able to hold any pointer
       without representation loss.

       The above function syscall prototype would be better written
              long sys_ioctl(unsigned int fildes, unsigned int request, intptr_t arg);
       The problem is the cognitive dissonance induced by device‐specific or file‐system‐specific
       ioctl(2) implementations, such as:
              long vfs_ioctl(struct file *filp, unsigned int cmd, unsigned long arg);
       The majority of ioctl(2) requests actually have an int *arg third argument.  But having it
       declared  long  leads  to  code  treating  this as long *arg.  This is harmless on 32‐bits
       (sizeof(long)  ==  sizeof(int))  but  nasty  on  64‐bits  (sizeof(long)  !=  sizeof(int)).
       Depending on the endian‐ness, you do or don't get the value you expect, but you always get
       a memory scribble or stack scribble as well.

       Writing all of these as
              int ioctl(int fildes, int request, ...);
              int __ioctl(int fildes, int request, intptr_t arg);
              long sys_ioctl(unsigned int fildes, unsigned int request, intptr_t arg);
              long vfs_ioctl(struct file *filp, unsigned int cmd, intptr_t arg);
       emphasizes that the integer is only an integer to represent  a  quantity  that  is  almost
       always an unrelated pointer type.

CONCLUSION

       Use libexplain, your users will like it.

COPYRIGHT

       libexplain version 1.4
       Copyright (C) 2008, 2009, 2010, 2011, 2012, 2013, 2014 Peter Miller

AUTHOR

       Written by Peter Miller <pmiller@opensource.org.au>

                                                                               explain_lca2010(1)