Connect with us

FACEBOOK

Facebook Fast Facts

Published

on

Here’s a look at the social media network, Facebook.

Facts

Facebook had 2.74 billion monthly active users around the world, as of September 30, 2020.

It is blocked in North Korea and China.

There were 56,653 full-time employees at Facebook, as of September 30, 2020.

Facebook introduced words such as “friending” to the lexicon.

Advertisement
free widgets for website

Timeline

February 4, 2004 – Facebook is launched by Mark Zuckerberg, Dustin Moskovitz, Chris Hughes and Eduardo Saverin at Harvard University, in Cambridge, Massachusetts.

March 1, 2004 – Students at Stanford, Columbia and Yale universities are allowed to join.

June 1, 2004 The company moves to Palo Alto, California.

December 1, 2004 One million users are active on the site.

September 1, 2005 High school students are allowed to join Facebook.

Advertisement
free widgets for website

September 20, 2005 – The company drops the “the” from the name and becomes Facebook.

December 1, 2005 – Six million users are active on the site.

April 1, 2006 – Facebook for Mobile launches.

September 5, 2006 – The News Feed is introduced.

September 26, 2006 – Facebook expands to allow anyone to register.

Advertisement
free widgets for website

March 28, 2007 – Former Harvard classmates Cameron and Tyler Winklevoss sue Zuckerberg in federal court, alleging that he stole the idea for Facebook from them. The two sides later agree to a $65 million settlement.

October 24, 2007 Microsoft buys a 1.6% stake in Facebook for $240 million.

March 2008 – Facebook hires Sheryl Sandberg to be the company’s chief operating officer.

February 9, 2009 – Facebook introduces the “Like” button.

June 2009 – Facebook becomes the No. 1 social network in the United States, surpassing MySpace, according to PC World magazine.

Advertisement
free widgets for website

October 1, 2010 The movie “The Social Network,” a fictionalized account of the start of Facebook, is released.

September 22, 2011 Facebook introduces the Timeline feature.

November 2011 – Facebook settles charges brought by the Federal Trade Commission that it engaged in deceptive practices concerning users’ privacy.

April 9, 2012 – Facebook announces that it has purchased photo-sharing site Instagram for $1 billion.

May 18, 2012 – The initial public offering of Facebook stock takes place.

Advertisement
free widgets for website

October 4, 2012 Facebook reaches one billion active monthly users.

June 2013 – Edward Snowden releases documents on the NSA’s Prism program. Snowden claims that the NSA has monitored the users of Facebook and other internet companies. Zuckerberg denies Facebook cooperated with the NSA in a post.

February 19, 2014 – Facebook announces that it is purchasing mobile messaging service WhatsApp for $19 billion.

March 25, 2014 – Facebook announces plans to purchase virtual reality company Oculus VR, Inc. for $2 billion.

June 17, 2014 – A study by researchers at Cornell, the University of California San Francisco and Facebook is published in Proceedings of the National Academy of Science. For one week in early 2012, according to the study, Facebook changed the content mix in the news feed of approximately 690,000 users and manipulated the content to gauge the user’s emotional response. The study found that users who were shown negative content were slightly more likely to produce negative posts. Users in the positive group responded with more upbeat posts. Many users react with anger at what they say is a dangerous social experiment.

Advertisement
free widgets for website

June 23, 2015 – Stock rises 3% to reach an all-time high. The company’s market value is close to $245 billion, making it worth more than Walmart, a $235 billion company.

August 24, 2015 – Facebook hits a milestone when one billion users log in to the social network in a single day.

April 27, 2016 – Shares rise almost 9% to hit an all-time high of more than $118 after the company reports first-quarter sales jumped 52% and profits were up nearly 200% compared with the first quarter of 2015.

October 30, 2016 – A ProPublica report says Facebook’s Ethnic Affinities ad-customization option can be used to discriminate against users in housing-related ads, which is forbidden under the Fair Housing Act. In the wake of the report, the company announces that it plans to disable the ethnic affinity feature on ads for housing, employment and credit.

See also  100 days of twitter ban: Twitter drops market share to 2.8%, Facebook, Instagram gain ...

November 15, 2016 – Facebook and Google announce they will no longer allow fake news publishers to use their ad selling services. Facebook says material from fake news publications falls under the category of “illegal, misleading or deceptive” content. Zuckerberg, however, rejects the idea that fake news on Facebook influenced the recent US presidential election.

Advertisement
free widgets for website

April 13, 2017 Announces that it has cracked down on 30,000 fake accounts in France ahead of the country’s presidential election. The accounts were targeted to prevent trolling, spam and hoaxes, a Facebook spokesman says.

August 3, 2017 – Rolls out a “Related Articles” feature that provides links to stories from fact checking sites such as Snopes and PolitiFact.

September 6, 2017 – The company reveals that it sold about $100,000 worth of ads during the 2016 US presidential election cycle from inauthentic accounts and pages “likely operated out of Russia.”

September 14, 2017 – ProPublica reports that Facebook’s platform allows advertisers to target users who enter terms such as “Jew hater” in the education or employment fields of their personal profiles. The next day, Facebook announces it removed anti-Semitic advertising categories.

September 15, 2017 – The Wall Street Journal reports that Facebook has given Special Counsel Robert Mueller records related to Russia-linked ads that were posted on the social network during the US presidential campaign.

Advertisement
free widgets for website

September 21, 2017 – Says it will share content and related information from more than 3,000 ads it sold to Russia-linked accounts with the US House and Senate intelligence committees.

September 27, 2017 – CNN reports that at least one of the Facebook ads purchased by Russians during the 2016 US presidential campaign referenced Black Lives Matter and was targeted to reach users in Baltimore and Ferguson, Missouri.

October 2, 2017 – Facebook gives Congress copies of the 3,000 political ads linked to Russia. CNN reports that some of the ads depicted refugees as rapists and others promoted gun rights. A ranking member of the House Intelligence Committee says he hopes to release a sampling of the ads to the public.

October 27, 2017 – The company announces new transparency measures including a requirement for election-related advertisements to disclose the individual or organization that paid for the post.

October 30, 2017 – CNN reports that Facebook executives will inform Congress that roughly 126 million Americans may have viewed content generated by a Kremlin-connected troll farm between June 2015 and August 2017. The next day, representatives from Facebook, Twitter and Google testify before the Senate Judiciary Subcommittee on Crime and Terrorism as legislators continue to probe Russian meddling in the 2016 election.

Advertisement
free widgets for website

November 21, 2017 – ProPublica reports that it was able to buy dozens of housing advertisements targeted to audiences that excluded “African Americans, mothers of high school kids, people interested in wheelchair ramps, Jews, expats from Argentina and Spanish speakers.” The company had said that it removed discriminatory ad tools after ProPublica publised a report in September. A Facebook executive says that a technical glitch allowed ProPublica to purchase the ads.

January 19, 2018 – Zuckerberg announces that Facebook is surveying users to rate news organizations and assign them trust scores. The scores and other factors are going to determine how much content from each publication will appear in news feeds.

March 16, 2018 – Facebook announces that it is suspending a data firm called Strategic Communication Laboratories and its subsidiary Cambridge Analytica, which provided the Donald Trump presidential campaign with digital voter outreach services. In a statement, the social network’s vice president and deputy general counsel say that Cambridge Analytica harvested user data through a third party app, violating the company’s policies protecting people’s information. The data was gathered by Aleksandr Kogan, a Russian-American psychology professor who built a Facebook app and got about 270,000 volunteers to take a personality quiz. The volunteers consented to share info from their profiles with Kogan for academic purposes. Kogan then turned over the data to Cambridge Analytica. When Facebook learned of the violation in 2015, the company removed the app and asked Cambridge Analytica to certify that it had deleted the harvested data.

See also  Google and Facebook dominate Spanish online ad market

March 17, 2018 – A joint investigation by the New York Times and the Observer of London reports that Cambridge Analytica obtained data from 50 million American Facebook users via Kogan’s app. Cambridge Analytica covered the expenses of creating the app and used the information to create targeted political advertising for Trump, according to the investigation.

March 20, 2018 – A group of Facebook investors file a federal lawsuit against the company for allegedly making “materially false and misleading statements” about its privacy policies.

Advertisement
free widgets for website

March 21, 2018 – During an interview on CNN, Zuckerberg acknowledges that Facebook made mistakes and should have responded more robustly to secure user data. He also says that his company is prepping to combat potential meddling in the 2018 midterm elections. Earlier in the day, Zuckerberg posts a timeline of events that led to the Cambridge Analytica leak.

July 26, 2018 – Shares plunge 19% after executives warn that revenue growth would slow as the company focuses on user privacy. The sell-off vaporizes about $119 billion in market value – the biggest single-day loss for any public company in history.

July 31, 2018 – Facebook announces it has removed a network of suspected Russia-linked accounts and pages involved in organizing political events in the United States.

September 28, 2018 – Facebook announces that an attack on the social network has exposed information on nearly 50 million users. The FBI is called in to investigate to attack, according to Facebook. On the day the breach is announced, two users file a class action lawsuit against the company.

October 12, 2018 – The company announces that it is investigating a security breach that enabled hackers to access phone numbers and email addresses for 30 million users.

Advertisement
free widgets for website

November 5, 2018 – Facebook releases a report documenting the company’s failure to prevent the spread of misinformation in Myanmar, where the government has been accused of carrying out a brutal campaign of violence and oppression against the Rohingya, a religious minority of Muslims. Government propaganda was posted on Facebook. The propaganda linked the Rohingya to terrorists.

November 14, 2018 – The New York Times publishes an investigation into Facebook’s aggressive crisis management tactics amid the controversy over Russia’s alleged use of the platform to meddle in the 2016 election. The newspaper reports that the company hired an opposition research firm called Definers Public Affairs which engaged in campaigns against Facebook critics. Definers allegedly encouraged reporters to investigate possible ties between an anti-Facebook group and the liberal billionaire George Soros. After the New York Times story is published, Facebook announces that it no longer associates with Definers.

November 15, 2018 – During a conference call with reporters, Zuckerberg says that he learned of the company’s relationship with Definers via the New York Times article. The company posts a response to the article citing alleged inaccuracies.

November 27, 2018 – Lawmakers from nine countries hold a hearing on Facebook and disinformation in London. Richard Allan, the company’s vice president of public policy for Europe, the Middle East and Africa, attends the session on Zuckerberg’s behalf.

December 14, 2018 – Facebook announces that a bug allowed third-party app developers to access photos people may not have shared publicly. As many as 6.8 million users could be affected.

Advertisement
free widgets for website

December 18, 2018 – The New York Times reports that Facebook offered more of its users’ data to companies than it has admitted. Despite assurances from Zuckerberg that people “have complete control” over who sees their content, The Times said documents and interviews with 50 former Facebook employees indicate that the company gave other firms access to user data.

March 21, 2019 – Facebook discloses that a vast collection of the data of two third-party app users had been exposed to the public via Amazon’s cloud computing servers in a way that allowed it to be downloaded by the public.

March 28 2019 – The Department of Housing and Urban Development announces it is charging Facebook with violating the Fair Housing Act. This follows a formal complaint filed in August 2018 where HUD claimed Facebook allows landlords and people selling homes to use its advertising platform to “engage in housing discrimination.” The complaint said advertisers can dictate who sees housing-related ads based on demographics.

See also  A major battle over free speech on social media is playing out in India during the pandemic

May 2, 2019 – Facebook announces it had designated some high-profile people, including Nation of Islam leader Louis Farrakhan, who’s known for using anti-Semitic language, and right-wing conspiracy theorist Alex Jones, as “dangerous” and said it will be purging them from its platforms. Other people banned include Paul Nehlen, an anti-Semite who unsuccessfully ran for Congress in 2016 and 2018, and fringe right-wing media personalities Laura Loomer, Milo Yiannopoulos and Paul Joseph Watson.

July 24, 2019 – The Federal Trade Commission announces a $5 billion settlement with Facebook, resolving a sweeping investigation by regulators into how the company lost control over massive troves of personal data and mishandled its communications with users. It is the largest fine in FTC history.

Advertisement
free widgets for website

September 6, 2019 – New York Attorney General Letitia James announces the attorneys general of eight states and the District of Columbia are launching an antitrust investigation into Facebook. James said “We will use every investigative tool at our disposal to determine whether Facebook’s actions may have endangered consumer data, reduced the quality of consumers’ choices, or increased the price of advertising.”

September 24, 2019 – Facebook announces it will hire third-party fact checkers to analyze content in order to get ready for the 2020 election, but will continue to exclude politicians and political ads from its fact-checking processs.

October 21, 2019 – Facebook announces it will start labeling publications that are “wholly or partially under the editorial control of their government as state-controlled media,” as part of a broader effort to prevent its platform from being abused to interfere with the 2020 US elections.

October 23, 2019 – Zuckerberg testifies before the House Financial Services Committee about Facebook’s plans for Libra, its cryptocurrency project. The focus of the hearing expands to include a wide range of concerns about Facebook, including questions for Zuckerberg over his company’s policy to not fact-check political ads run by elected officials and candidates.

May 6, 2020 – Nearly 18 months after announcing an independent board designed to hold it more accountable in content moderation decisions, Facebook announces the names of the first 20 members, which include: Helle Thorning-Schmidt, former prime minister of Denmark; Alan Rusbridger, former editor-in-chief of The Guardian; and Tawakkol Karman, a Nobel Peace Prize laureate who promoted non-violent change in Yemen during the Arab Spring.

Advertisement
free widgets for website

June 1, 2020 – Some Facebook employees stage a virtual walkout to protest Zuckerberg’s decision not to take action on a series of controversial posts from Trump. A source tells CNN that managers at Facebook were told by the company’s human resources department not to retaliate against staff who are planning to protest, or to make them used paid time-off.

July 29, 2020 – Zuckerberg, Amazon CEO Jeff Bezos, Apple CEO Tim Cook and CEO of Google’s parent company Sundar Pichai all testify before a House subcommittee on antitrust to address concerns that their businesses may be harming competition.

September 3, 2020 – Zuckerberg announces that Facebook will not accept new political ads in the final week of the 2020 election campaign, but the platform will continue to allow politicians to run lies in ads through Election Day.

December 9, 2020 – Dozens of states and the federal government sue Facebook in twin antitrust lawsuits, alleging that the social media giant engaged in anticompetitive behavior. The company may eventually be required to divest assets, including Instagram and WhatsApp, effectively breaking up Facebook.

January 2021 – In the wake of the US Capitol riots, a Facebook spokesperson tells CNN that the company has removed pages and groups representing militarized social movements and is continuing to take those pages down. However, posts promoting violence during inauguration week have continued to circulate on the platform. On January 7, Zuckerberg says in a blog post that Facebook will ban President Trump’s account from posting for at least the remainder of his term in office and perhaps “indefinitely.”

Advertisement
free widgets for website

Read More

FACEBOOK

Upcoming Restriction Period for US ads about social issues, elections, or politics

Published

on

By

upcoming-restriction-period-for-us-ads-about-social-issues,-elections,-or-politics

In recent years, Meta has developed a comprehensive approach to protecting elections on our technologies. These efforts continue in advance of the US 2022 Midterms, which you can read more about in our Newsroom.

Implementing a restriction period for ads about social issues, elections or politics in the US

Consistent with our approach during the US 2020 General Election, we are introducing a restriction period for ads about social issues, elections or politics in the US. The restriction period will run from 12:01 AM PT on Tuesday, November 1, 2022 through 11:59 PM PT on Tuesday, November 8, 2022.

We are putting this restriction period in place again because we found that the restriction period achieves the right balance of giving campaigns a voice while providing additional time for scrutiny of issue, electoral, and political ads in the Ad Library. We are sharing the requirements and key dates ahead of time, so advertisers are able to prepare their campaigns in the months and weeks ahead.

What to know about the ad restriction period in the US

We will not allow any new ads about social issues, elections or politics in the US from 12:01 AM PT on Tuesday, November 1, 2022 through 11:59 PM PT on Tuesday, November 8, 2022.

In order to run ads about social issues, elections or politics in the US during the restriction period, the ads must be created with a valid disclaimer and have delivered an impression prior to 12:01 AM PT on Tuesday, November 1, 2022, but with limited editing capabilities.

Advertisement
free widgets for website

What advertisers can do during the restriction period for eligible ads:

  • Edit bid amount, budget amount and scheduled end date
  • Pause and unpause eligible ads that have already served at least 1 impression with a valid disclaimer prior to the restriction period going into effect
See also  Myanmar cuts Facebook access as military tightens grip following coup

What advertisers cannot do during the restriction period for eligible ads, includes but is not limited to:

  • Editing certain aspects of eligible ads, such as ad creative (including ad copy, image/video assets, website URL)
  • Editing targeting, placement, optimization or campaign objective
  • Removing or adding a disclaimer
  • Copy, duplicating or boosting ads

See the Help Center for detailed requirements of what is or isn’t allowed during the restriction period.

Planning ahead for key dates

Keep in mind the following dates as you plan your campaign to avoid delays or disapprovals that may prevent your ads from running during the restriction period:

  • By Tuesday, October 18, 2022: Complete the ad authorization process to get authorized to run ads about social issues, elections or politics, which includes setting up an approved disclaimer for your ads.

  • By Tuesday, October 25, 2022: Submit your issue, electoral or political ads in order to best ensure that your ads are live and have delivered at least 1 impression with a valid disclaimer before the restriction period begins.
    • Please ensure that you add your approved disclaimer to these ads by choosing ISSUES_ELECTIONS_POLITICS in the special_ad_categories field. You will not be able to add a disclaimer after 12:01 AM PT on Tuesday, November 1, 2022.

  • Between Tuesday, November 1, 2022 and Tuesday, November 8, 2022: The ad restriction period will be in effect. We will not allow any new ads to run about social issues, elections or politics in the US starting 12:01 AM PT on Tuesday, November 1 through 11:59 PM PT on Tuesday, November 8, 2022.
  • At 12:00 AM PT on Wednesday, November 9, 2022: We will allow new ads about social issues, elections or politics to be published.

As the restriction period approaches, we encourage you to review these ad restriction period best practices to properly prepare ahead of time.

We will continue to provide updates on our approach to elections integrity or on any changes regarding the restriction period via this blog.

Visit the Elections Hub or our FAQ for more advertising resources.

First seen at developers.facebook.com

Advertisement
free widgets for website
Continue Reading

FACEBOOK

Signals in prod: dangers and pitfalls

Published

on

By

signals-in-prod:-dangers-and-pitfalls

In this blog post, Chris Down, a Kernel Engineer at Meta, discusses the pitfalls of using Linux signals in Linux production environments and why developers should avoid using signals whenever possible.

What are Linux Signals?

A signal is an event that Linux systems generate in response to some condition. Signals can be sent by the kernel to a process, by a process to another process, or a process to itself. Upon receipt of a signal, a process may take action.

Signals are a core part of Unix-like operating environments and have existed since more or less the dawn of time. They are the plumbing for many of the core components of the operating system—core dumping, process life cycle management, etc.—and in general, they’ve held up pretty well in the fifty or so years that we have been using them. As such, when somebody suggests that using them for interprocess communication (IPC) is potentially dangerous, one might think these are the ramblings of someone desperate to invent the wheel. However, this article is intended to demonstrate cases where signals have been the cause of production issues and offer some potential mitigations and alternatives.

Signals may appear attractive due to their standardization, wide availability and the fact that they don’t require any additional dependencies outside of what the operating system provides. However, they can be difficult to use safely. Signals make a vast number of assumptions which one must be careful to validate to match their requirements, and if not, one must be careful to configure correctly. In reality, many applications, even widely known ones, do not do so, and may have hard-to-debug incidents in the future as a result.

Let us look into a recent incident that occurred in the Meta production environment, reinforcing the pitfalls of using signals. We’ll go briefly over the history of some signals and how they led us to where we are today, and then we’ll contrast that with our current needs and issues that we’re seeing in production.

Advertisement
free widgets for website

The Incident

First, let’s rewind a bit. The LogDevice team cleaned up their codebase, removing unused code and features. One of the features that was deprecated was a type of log that documents certain operations performed by the service. This feature eventually became redundant, had no consumers and as such was removed. You can see the change here on GitHub. So far, so good.

The next little while after the change passed without much to speak about, production continued ticking on steadily and serving traffic as usual. A few weeks later, a report that service nodes were being lost at a staggering rate was received. It was something to do with the rollout of the new release, but what exactly was wrong was unclear. What was different now that had caused things to fall over?

The team in question narrowed the problem to the code change we mentioned earlier, deprecating these logs. But why? What’s wrong with that code? If you don’t already know the answer, we invite you to look at that diff and try to work out what’s wrong because it’s not immediately obvious, and it’s a mistake anyone could make.

logrotate, Enter the Ring

logrotate is more or less the standard tool for log rotation when using Linux. It’s been around for almost thirty years now, and the concept is simple: manage the life cycle of logs by rotating and vacuuming them.

logrotate doesn’t send any signals by itself, so you won’t find much, if anything, about them in the logrotate main page or its documentation. However, logrotate can take arbitrary commands to execute before or after its rotations. Just as a basic example from the default logrotate configuration in CentOS, you can see this configuration:

Advertisement
free widgets for website
 /var/log/cron /var/log/maillog /var/log/messages /var/log/secure /var/log/spooler {     sharedscripts     postrotate         /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true     endscript } 

A bit brittle, but we’ll forgive that and assume that this works as intended. This configuration says that after logrotate rotates any of the files listed, it should send SIGHUP to the pid contained in /var/run/syslogd.pid, which should be that of the running syslogd instance.

This is all well and good for something with a stable public API like syslog, but what about something internal where the implementation of SIGHUP is an internal implementation detail that could change at any time?

A History of Hangups

One of the problems here is that, except for signals which cannot be caught in user space and thus have only one meaning, like SIGKILL and SIGSTOP, the semantic meaning of signals is up to application developers and users to interpret and program. In some cases, the distinction is largely academic, like SIGTERM, which is pretty much universally understood to mean “terminate gracefully as soon as possible.” However, in the case of SIGHUP, the meaning is significantly less clear.

SIGHUP was invented for serial lines and was originally used to indicate that the other end of the connection had dropped the line. Nowadays, we still carry our lineage with us of course, so SIGHUP is still sent for its modern equivalent: where a pseudo or virtual terminal is closed (hence tools like nohup, which mask it).

In the early days of Unix, there was a need to implement daemon reloading. This usually consists at least of configuration/log file reopening without restarting, and signals seemed like a dependency-free way to achieve that. Of course, there was no signal for such a thing, but as these daemons have no controlling terminal, there should be no reason to receive SIGHUP, so it seemed like a convenient signal to piggyback onto without any obvious side effects.

Advertisement
free widgets for website

There is a small hitch with this plan though. The default state for signals is not “ignored,” but signal-specific. So, for example, programs don’t have to configure SIGTERM manually to terminate their application. As long as they don’t set any other signal handler, the kernel just terminates their program for free, without any code needed in user space. Convenient!

What’s not so convenient though, is that SIGHUP also has the default behavior of terminating the program immediately. This works great for the original hangup case, where these applications likely aren’t needed anymore, but is not so great for this new meaning.

This would be fine of course, if we removed all the places which could potentially send SIGHUP to the program. The problem is that in any large, mature codebase, that is difficult. SIGHUP is not like a tightly controlled IPC call for which you can easily grep the codebase for. Signals can come from anywhere, at any time, and there are few checks on their operation (other than the most basic “are you this user or have CAP_KILL“). The bottom line is that it’s hard to determine where signals could come from, but with more explicit IPC, we would know that this signal doesn’t mean anything to us and should be ignored.

See also  Facebook Question - Feb. 8th, 2021

From Hangup to Hazard

By now, I suppose you may have started to guess what happened. A LogDevice release started one fateful afternoon containing the aforementioned code change. At first, nothing had gone awry, but at midnight the next day, everything mysteriously started falling over. The reason is the following stanza in the machine’s logrotate configuration, which sends a now unhandled (and therefore fatal) SIGHUP to the logdevice daemon:

 /var/log/logdevice/audit.log {   daily   # [...]   postrotate     pkill -HUP logdeviced   endscript } 

Missing just one short stanza of a logrotate configuration is incredibly easy and common when removing a large feature. Unfortunately, it’s also hard to be certain that every last vestige of its existence was removed at once. Even in cases that are easier to validate than this, it’s common to mistakenly leave remnants when doing code cleanup. Still, usually, it’s without any destructive consequences, that is, the remaining detritus is just dead or no-op code.

Advertisement
free widgets for website

Conceptually, the incident itself and its resolution are simple: don’t send SIGHUP, and spread LogDevice actions out more over time (that is, don’t run this at midnight on the dot). However, it’s not just this one incident’s nuances that we should focus on here. This incident, more than anything, has to serve as a platform to discourage the use of signals in production for anything other than the most basic, essential cases.

The Dangers of Signals

What Signals are Good For

First, using signals as a mechanism to affect changes in the process state of the operating system is well founded. This includes signals like SIGKILL, which are impossible to install a signal handler for and does exactly what you would expect, and the kernel-default behavior of SIGABRT, SIGTERM, SIGINT, SIGSEGV, and SIGQUIT and the like, which are generally well understood by users and programmers.

What these signals all have in common is that once you’ve received them, they’re all progressing towards a terminal end state within the kernel itself. That is, no more user space instructions will be executed once you get a SIGKILL or SIGTERM with no user space signal handler.

A terminal end state is important because it usually means you’re working towards decreasing the complexity of the stack and code currently being executed. Other desired states often result in the complexity actually becoming higher and harder to reason about as concurrency and code flow become more muddled.

Dangerous Default Behavior

You may notice that we didn’t mention some other signals that also terminate by default. Here’s a list of all of the standard signals that terminate by default (excluding core dump signals like SIGABRT or SIGSEGV, since they’re all sensible):

Advertisement
free widgets for website
  • SIGALRM
  • SIGEMT
  • SIGHUP
  • SIGINT
  • SIGIO
  • SIGKILL
  • SIGLOST
  • SIGPIPE
  • SIGPOLL
  • SIGPROF
  • SIGPWR
  • SIGSTKFLT
  • SIGTERM
  • SIGUSR1
  • SIGUSR2
  • SIGVTALRM

At first glance, these may seem reasonable, but here are a few outliers:

  • SIGHUP: If this was used only as it was originally intended, defaulting to terminate would be sensible. With the current mixed usage meaning “reopen files,” this is dangerous.
  • SIGPOLL and SIGPROF: These are in the bucket of “these should be handled internally by some standard function rather than your program.” However, while probably harmless, the default behavior to terminate still seems nonideal.
  • SIGUSR1 and SIGUSR2: These are “user-defined signals” that you can ostensibly use however you like. But because these are terminal by default, if you implement USR1 for some specific need and later don’t need that, you can’t just safely remove the code. You have to consciously think to explicitly ignore the signal. That’s really not going to be obvious even to every experienced programmer.

So that’s almost one-third of terminal signals, which are at best questionable and, at worst, actively dangerous as a program’s needs change. Worse still, even the supposedly “user-defined” signals are a disaster waiting to happen when someone forgets to explicitly SIG_IGN it. Even an innocuous SIGUSR1 or SIGPOLL may cause incidents.

This is not simply a question of familiarity. No matter how well you know how signals work, it’s still extremely hard to write signal-correct code the first time around because, despite their appearance, signals are far more complex than they seem.

Code flow, Concurrency, and the Myth of SA_RESTART

Programmers generally do not spend their entire day thinking about the inner workings of signals. This means that when it comes to actually implementing signal handling, they often subtly do the wrong thing.

I’m not even talking about the “trivial” cases, like safety in a signal handling function, which is mostly solved by only bumping a sig_atomic_t, or using C++’s atomic signal fence stuff. No, that’s mostly easily searchable and memorable as a pitfall by anyone after their first time through signal hell. What’s a lot harder is reasoning about the code flow of the nominal portions of a complex program when it receives a signal. Doing so requires either constantly and explicitly thinking about signals at every part of the application life cycle (hey, what about EINTR, is SA_RESTART enough here? What flow should we go into if this terminates prematurely? I now have a concurrent program, what are the implications of that?), or setting up a sigprocmask or pthread_setmask for some part of your application life cycle and praying that the code flow never changes (which is certainly not a good guess in an atmosphere of fast-paced development). signalfd or running sigwaitinfo in a dedicated thread can help somewhat here, but both of these have enough edge cases and usability concerns to make them hard to recommend.

We like to believe that most experienced programmers know by now that even a facetious example of correctly writing thread-safe code is very hard. Well, if you thought correctly writing thread-safe code was hard, signals are significantly harder. Signal handlers must only rely on strictly lock-free code with atomic data structures, respectively, because the main flow of execution is suspended and we don’t know what locks it’s holding, and because the main flow of execution could be performing non-atomic operations. They must also be fully reentrant, that is, they must be able to nest within themselves since signal handlers can overlap if a signal is sent multiple times (or even with one signal, with SA_NODEFER). That’s one of the reasons why you can’t use functions like printf or malloc in a signal handler because they rely on global mutexes for synchronization. If you were holding that lock when the signal was received and then called a function requiring that lock again, your application would end up deadlocked. This is really, really hard to reason about. That’s why many people simply write something like the following as their signal handling:

 static volatile sig_atomic_t received_sighup;   static void sighup(int sig __attribute__((unused))) { received_sighup = 1; }  static int configure_signal_handlers(void) {   return sigaction(     SIGHUP,     &(const struct sigaction){.sa_handler = sighup, .sa_flags = SA_RESTART},     NULL); }  int main(int argc, char *argv[]) {   if (configure_signal_handlers()) {        /* failed to set handlers */   }    /* usual program flow */    if (received_sighup) {     /* reload */     received_sighup = 0;   }    /* usual program flow */ }  

The problem is that, while this, signalfd, or other attempts at async signal handling might look fairly simple and robust, it ignores the fact that the point of interruption is just as important as the actions performed after receiving the signal. For example, suppose your user space code is doing I/O or changing the metadata of objects that come from the kernel (like inodes or FDs). In this case, you’re probably actually in a kernel space stack at the time of interruption. For example, here’s how a thread might look when it’s trying to close a file descriptor:

Advertisement
free widgets for website
# cat /proc/2965230/stack  [<0>] schedule+0x43/0xd0  [<0>] io_schedule+0x12/0x40  [<0>] wait_on_page_bit+0x139/0x230  [<0>] filemap_write_and_wait+0x5a/0x90  [<0>] filp_close+0x32/0x70  [<0>] __x64_sys_close+0x1e/0x50  [<0>] do_syscall_64+0x4e/0x140  [<0>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

Here, __x64_sys_close is the x86_64 variant of the close system call, which closes a file descriptor. At this point in its execution, we’re waiting for the backing storage to be updated (that’s this wait_on_page_bit). Since I/O work is usually several orders of magnitude slower than other operations, schedule here is a way of voluntarily hinting to the kernel’s CPU scheduler that we are about to perform a high-latency operation (like disk or network I/O) and that it should consider finding another process to schedule instead of the current process for now. This is good, as it allows us to signal to the kernel that it is a good idea to go ahead and pick a process that will actually make use of the CPU instead of wasting time on one which can’t continue until it’s finished waiting for a response from something that may take a while.

Imagine that we send a signal to the process we were running. The signal that we have sent has a user space handler in the receiving thread, so we’ll resume in user space. One of the many ways this race can end up is that the kernel will try to come out of schedule, further unwind the stack and eventually return an errno of ESYSRESTART or EINTR to user space to indicate that we were interrupted. But how far did we get in closing it? What’s the state of the file descriptor now?

Now that we’ve returned to user space, we’ll run the signal handler. When the signal handler exits, we’ll propagate the error to the user space libc’s close wrapper, and then to the application, which, in theory, can do something about the situation encountered. We say “in theory” because it’s really hard to know what to do about many of these situations with signals, and many services in production do not handle the edge cases here very well. That might be fine in some applications where data integrity isn’t that important. However, in production applications that do care about data consistency and integrity, this presents a significant problem: the kernel doesn’t expose any granular way to understand how far it got, what it achieved and didn’t and what we should actually do about the situation. Even worse, if close returns with EINTR, the state of the file descriptor is now unspecified:

“If close() is interrupted by a signal [...] the state of [the file descriptor] is unspecified.”

Good luck trying to reason about how to handle that safely and securely in your application. In general, handling EINTR even for well-behaved syscalls is complicated. There are plenty of subtle issues forming a large part of the reason why SA_RESTART is not enough. Not all system calls are restartable, and expecting every single one of your application’s developers to understand and mitigate the deep nuances of getting a signal for every single syscall at every single call site is asking for outages. From man 7 signal:

Advertisement
free widgets for website

“The following interfaces are never restarted after being interrupted by a signal handler, regardless of the use of SA_RESTART; they always fail with the error EINTR [...]”

Likewise, using a sigprocmask and expecting code flow to remain static is asking for trouble as developers do not typically spend their lives thinking about the bounds of signal handling or how to produce or preserve signal-correct code. The same goes for handling signals in a dedicated thread with sigwaitinfo, which can easily end up with GDB and similar tools being unable to debug the process. Subtly wrong code flows or error handling can result in bugs, crashes, difficult to debug corruptions, deadlocks and many more issues that will send you running straight into the warm embrace of your preferred incident management tool.

High Complexity in Multithreaded Environments

If you thought all this talk of concurrency, reentrancy and atomicity was bad enough, throwing multithreading into the mix makes things even more complicated. This is especially important when considering the fact that many complex applications run separate threads implicitly, for example, as part of jemalloc, GLib, or similar. Some of these libraries even install signal handlers themselves, opening a whole other can of worms.

Overall, man 7 signal has this to say on the matter:

“A signal may be generated (and thus pending) for a process as a whole (e.g., when sent using kill(2)) or for a specific thread [...] If more than one of the threads has the signal unblocked, then the kernel chooses an arbitrary thread to which to deliver the signal.”

Advertisement
free widgets for website

More succinctly, “for most signals, the kernel sends the signal to any thread that doesn’t have that signal blocked with sigprocmask“. SIGSEGV, SIGILL and the like resemble traps, and have the signal explicitly directed at the offending thread. However, despite what one might think, most signals cannot be explicitly sent to a single thread in a thread group, even with tgkill or pthread_kill.

This means that you can’t trivially change overall signal handling characteristics as soon as you have a set of threads. If a service needs to do periodic signal blocking with sigprocmask in the main thread, you need to somehow communicate to other threads externally about how they should handle that. Otherwise, the signal may be swallowed by another thread, never to be seen again. Of course, you can block signals in child threads to avoid this, but if they need to do their own signal handling, even for primitive things like waitpid, it will end up making things complex.

Just as with everything else here, these aren’t technically insurmountable problems. However, one would be negligent in ignoring the fact that the complexity of synchronization required to make this work correctly is burdensome and lays the groundwork for bugs, confusion and worse.

Lack of Definition and Communication of Success or Failure

Signals are propagated asynchronously in the kernel. The kill syscall returns as soon as the pending signal is recorded for the process or thread’s task_struct in question. Thus, there’s no guarantee of timely delivery, even if the signal isn’t blocked.

Even if there is timely delivery of the signal, there’s no way to communicate back to the signal issuer what the status of their request for action is. As such, any meaningful action should not be delivered by signals, since they only implement fire-and-forget with no real mechanism to report the success or failure of delivery and subsequent actions. As we’ve seen above, even seemingly innocuous signals can be dangerous when they are not configured in user space.

Advertisement
free widgets for website

Anyone using Linux for long enough has undoubtedly run into a case where they want to kill some process but find that the process is unresponsive even to supposedly always fatal signals like SIGKILL. The problem is that misleadingly, kill(1)’s purpose isn’t to kill processes, but just to queue a request to the kernel (with no indication about when it will be serviced) that someone has requested some action to be taken.

The kill syscall’s job is to mark the signal as pending in the kernel’s task metadata, which it does successfully even when a SIGKILL task doesn’t die. In the case of SIGKILL in particular, the kernel guarantees that no more user mode instructions will be executed, but we may still have to execute instructions in kernel mode to complete actions that otherwise may result in data corruption or to release resources. For this reason, we still succeed even if the state is D (uninterruptible sleep). Kill itself doesn’t fail unless you provided an invalid signal, you don’t have permission to send that signal or the pid that you requested to send a signal to does not exist and is thus not useful to reliably propagate non-terminal states to applications.

In Conclusion

  • Signals are fine for terminal state handled purely in-kernel with no user space handler. For signals that you actually would like to immediately kill your program, leave those signals alone for the kernel to handle. This also means that the kernel may be able to exit early from its work, freeing up your program resources more quickly, whereas a user space IPC request would have to wait for the user space portion to start executing again.
  • A way to avoid getting into trouble handling signals is to not handle them at all. However, for applications handling state processing that must do something about cases like SIGTERM, ideally use a high-level API like folly::AsyncSignalHandler where a number of the warts have already been made more intuitive.

  • Avoid communicating application requests with signals. Use self-managed notifications (like inotify) or user space RPC with a dedicated part of the application life cycle to handle it instead of relying on interrupting the application.
  • Where possible, limit the scope of signals to a subsection of your program or threads with sigprocmask, reducing the amount of code that needs to be regularly scrutinized for signal-correctness. Bear in mind that if code flows or threading strategies change, the mask may not have the effect you intended.
  • At daemon start, mask terminal signals that are not uniformly understood and could be repurposed at some point in your program to avoid falling back to kernel default behavior. My suggestion is the following:
 signal(SIGHUP, SIG_IGN); signal(SIGQUIT, SIG_IGN); signal(SIGUSR1, SIG_IGN); signal(SIGUSR2, SIG_IGN); 

Signal behavior is extremely complicated to reason about even in well-authored programs, and its use presents an unnecessary risk in applications where other alternatives are available. In general, do not use signals for communicating with the user space portion of your program. Instead, either have the program transparently handle events itself (for example, with inotify), or use user space communication that can report back errors to the issuer and is enumerable and demonstrable at compile time, like Thrift, gRPC or similar.

I hope this article has shown you that signals, while they may ostensibly appear simple, are in reality anything but. The aesthetics of simplicity that promote their use as an API for user space software belie a series of implicit design decisions that do not fit most production use cases in the modern era.

Let’s be clear: there are valid use cases for signals. Signals are fine for basic communication with the kernel about a desired process state when there’s no user space component, for example, that a process should be killed. However, it is difficult to write signal-correct code the first time around when signals are expected to be trapped in user space.

Signals may seem attractive due to their standardization, wide availability and lack of dependencies, but they come with a significant number of pitfalls that will only increase concern as your project grows. Hopefully, this article has provided you with some mitigations and alternative strategies that will allow you to still achieve your goals, but in a safer, less subtly complex and more intuitive way.

Advertisement
free widgets for website

To learn more about Meta Open Source, visit our open source site, subscribe to our YouTube channel, or follow us on Twitter, Facebook and LinkedIn.

First seen at developers.facebook.com

Continue Reading

FACEBOOK

Meet the Developers – Linux Kernel Team (David Vernet)

Published

on

By

meet-the-developers-–-linux-kernel-team-(david-vernet)

Credit: Larry Ewing (lewing@isc.tamu.edu) and The GIMP for the original design of Tux the penguin.

Intro

For today’s interview, we have David Vernet, a core systems engineer on the Kernel team at Meta. He works on the BPF (Berkeley Packet Filter) and the Linux kernel scheduler. This series highlights Meta Software Engineers who contribute to the Linux kernel. The Meta Linux Kernel team works with the broader Linux community to add new features to the kernel and makes sure that the kernel works well in Meta production data centers. Engineers on the team work with peers in the industry to make the kernel better for Meta’s workloads and to make Linux better for everyone.

Tell us about yourself.

I’m a systems engineer who’s spent a good chunk of his career in the kernel space, and some time in the user-space as well working on a microkernel. Right now, I’m focusing most of my time on BPF and the Linux kernel scheduler.

I started my career as a web developer after getting a degree in math. After going to grad school, I realized that I was happiest when hacking on low-level systems and figuring out how computers work.

As a kernel developer at Meta, what does your typical day look like?

I’m not a maintainer of any subsystems in the kernel, so my typical day is filled with almost exclusively coding and engineering. That being said, participating in the upstream Linux kernel community is one of the coolest parts of being on the kernel team, so I still spend some time reading over upstream discussions. A typical day goes something like this:

Advertisement
free widgets for website
  1. Read over some of the discussions taking place on various upstream lists, such as BPF and mm. I usually spend about 30-60 minutes or so per day on this, though it depends on the day.

  2. Hack on the project that I’m working on. Lately, that’s adding a user-space ringbuffer map type to BPF.

  3. Work on drafting an article for lwn.net.

What have you been excited about or incredibly proud of lately?

I recently submitted a patch-set to enable a new map type in BPF. This allows user-space to publish messages to BPF programs in the kernel over the ringbuffer. This map type is exciting because it sets the stage to enable frameworks for user-space to drive logic in BPF programs in a performant way.

Is there something especially exciting about being a kernel developer at a company like Meta?

The Meta kernel team has a strong upstream-first culture. Bug fixes that we find in our Meta kernel, and features that we’d like to add, are almost always first submitted to the upstream kernel, and then they are backported to our internal kernel.

Do you have a favorite part of the kernel dev life cycle?

I enjoy architecting and designing APIs. Kernel code can never crash and needs to be able to run forever. I find it gratifying to architect systems in the kernel that make it easy to reason about correctness and robustness and provide intuitive APIs that make it easy for other parts of the kernel to use your code.

I also enjoy iterating with the upstream community. It’s great that your patches have a whole community of people looking at them to help you find bugs in your code and suggest improvements that you may never have considered on your own. A lot of people find this process to be cumbersome, but I find that it’s a small price to pay for what you get out of it.

Tell us a bit about the topic you presented at the Linux Plumbers Conference this year.

We presented the live patch feature in the Linux kernel, describing how we have utilized it at Meta and how our hyper-scale has shown some unique challenges with the feature.

Advertisement
free widgets for website

What are some of the misconceptions about kernel or open source software development that you have encountered in your career?

The biggest misconception is that it’s an exclusive, invite-only club to contribute to the Linux kernel. You certainly must understand operating systems to be an effective contributor and be ready to receive constructive criticism when there is scope for improvement in your code. Still, the community always welcomes people who come in with an open mind and want to contribute.

What resources are helpful in getting started in kernel development?

There is a lot of information out there that people have written on how to get integrated into the Linux kernel community. I wrote a blog post on how to get plugged into Linux kernel upstream mailing list discussions, and another on how to submit your first patch. There is also a video on writing and submitting your first Linux kernel patch from Greg Kroah-Hartman.

In terms of resources to learn about the kernel itself, there are many resources and books, such as:

Where can people find you and follow your work?

I have a blog where I talk about my experiences as a systems engineer: https://www.bytelab.codes/. I publish articles that range from topics that are totally newcomer friendly to more advanced topics that discuss kernel code in more detail. Feel free to check it out and let me know if there’s anything you’d like me to discuss.

To learn more about Meta Open Source, visit our open source site, subscribe to our YouTube channel, or follow us on Twitter, Facebook and LinkedIn.

First seen at developers.facebook.com

Advertisement
free widgets for website
See also  Pakistanis are sharing stories of 'cake fails' on Facebook and they're hilarious
Continue Reading

Trending