Implement SafeProcessHandle APIs for macOS

[Copilot]

Description

Implements the macOS-specific managed and native layers for the new SafeProcessHandle APIs (Start, Open, WaitForExit*, Kill, Resume, Signal), using posix_spawn for process creation and kqueue for wait/timeout/cancellation.

Managed changes

• SafeProcessHandle.Unix.cs: Full implementation of StartCore, OpenCore, WaitForExitCore, TryWaitForExitCore, WaitForExitOrKillOnTimeoutCore, WaitForExitAsyncCore, WaitForExitOrKillOnCancellationAsyncCore, KillCore, ResumeCore, SendSignalCore. Uses NoPidFd = int.MinValue (not -1) since the handle derives from SafeHandleZeroOrMinusOneIsInvalid. All error paths use throw new Win32Exception() (parameterless) to let it fetch the last error automatically. OpenCore correctly detects group leader status by calling getpgid(pid) via native OpenProcess and comparing with pid, rather than hardcoding false. StartCore detects terminal usage via Interop.Sys.IsATty on stdin/stdout/stderr and calls ProcessUtils.ConfigureTerminalForChildProcesses accordingly, with proper s_processStartLock read/write lock usage. _usesTerminal readonly field is stored and used by OnProcessExited helper (called from all WaitForExit* methods) to decrement terminal child count on exit.
• ProcessUtils.Unix.cs: Extracted CreateEnvp, AllocNullTerminatedArray, FreeArray as internal shared methods, reused by both Process.Unix.cs and SafeProcessHandle.Unix.cs.
• ProcessUtils.ConfigureTerminalForChildProcesses.Unix.cs (new): Moved terminal configuration logic (ConfigureTerminalForChildProcesses, SetDelayedSigChildConsoleConfigurationHandler, DelayedSigChildConsoleConfiguration, AreChildrenUsingTerminal) from Process to ProcessUtils for shared access by both Process and SafeProcessHandle.
• ProcessUtils.ConfigureTerminalForChildProcesses.iOS.cs (new): iOS stub with [Conditional("unnecessary")] no-ops, mirroring the original Process.ConfigureTerminalForChildProcesses.iOS.cs.
• Process.Unix.cs: All callers updated to call ProcessUtils.ConfigureTerminalForChildProcesses, ProcessUtils.SetDelayedSigChildConsoleConfigurationHandler, and ProcessUtils.AreChildrenUsingTerminal directly (no wrapper methods).
• ProcessWaitState.Unix.cs: Updated to call ProcessUtils.ConfigureTerminalForChildProcesses directly instead of through Process.
• Process.ConfigureTerminalForChildProcesses.Unix.cs: Removed — all callers now use ProcessUtils directly.
• Process.ConfigureTerminalForChildProcesses.iOS.cs: Removed — all callers now use ProcessUtils directly.
• Interop.IsATty.cs: Added SafeFileHandle overload for terminal detection in StartCore.
• Interop.SpawnProcess.cs: New LibraryImport declarations (EntryPoint = "SystemNative_*") for SpawnProcess, SendSignal, WaitForExitAndReap, TryWaitForExit, TryWaitForExitCancellable, WaitForExitOrKillOnTimeout, TryGetExitCode, OpenProcess. OpenProcess returns the group leader status via an isGroupLeader parameter.
• Interop.ForkAndExecProcess.cs: Delegates to shared ProcessUtils methods.
• csproj: Added Interop.Pipe.cs, Interop.SpawnProcess.cs, Interop.IsATty.cs, and new ProcessUtils.ConfigureTerminalForChildProcesses.*.cs files for Unix builds. Removed references to deleted Process.ConfigureTerminalForChildProcesses.*.cs files.

Native changes

• pal_process.c: macOS implementation using posix_spawn with POSIX_SPAWN_CLOEXEC_DEFAULT, posix_spawn_file_actions_addinherit_np, posix_spawn_file_actions_addchdir_np, POSIX_SPAWN_START_SUSPENDED. The implementation is guarded by #if defined(__APPLE__) && !defined(TARGET_MACCATALYST) && !defined(TARGET_TVOS) to exclude Mac Catalyst and tvOS (iOS is supported). posix_spawn_file_actions_addchdir_np retains HAVE_POSIX_SPAWN_FILE_ACTIONS_ADDCHDIR_NP feature detection since it is not available on tvOS. Wait functions use kqueue/EVFILT_PROC/NOTE_EXIT (guarded by existing HAVE_KQUEUE) for timeout and cancellation support. Signal mapping reuses SystemNative_GetPlatformSignalNumber and TryConvertSignalCodeToPosixSignal from pal_signal.c instead of duplicating the logic. Environment variable resolution is extracted into a GetEnvVars helper for reuse. OpenProcess uses kill(pid, 0) to check process existence without requiring a child-process relationship, and detects group leader status via getpgid(pid) == pid, returning the result through an out_isGroupLeader output parameter. Both SpawnProcess and OpenProcess set out_pidfd to INT_MIN (not -1) since the managed layer treats -1 as an invalid handle due to SafeHandleZeroOrMinusOneIsInvalid.
• pal_signal.c / pal_signal.h: Made TryConvertSignalCodeToPosixSignal non-static and added its declaration to the header for reuse by pal_process.c.
• pal_process_wasi.c: Stubs returning -1 with errno = ENOTSUP.
• pal_process.h: New function declarations with reordered SpawnProcess arguments (path, argv, envp, working_dir, inherited_handles, inherited_handles_count, stdin/stdout/stderr fds, flags, out params). OpenProcess signature includes out_isGroupLeader parameter.
• entrypoints.c: New DllImportEntry entries.
• configure.cmake / pal_config.h.in: Added HAVE_POSIX_SPAWN_FILE_ACTIONS_ADDCHDIR_NP feature detection (not available on tvOS). No other HAVE_POSIX_SPAWN* defines are added — macOS platform checks (#ifdef __APPLE__) are used instead. Existing HAVE_KQUEUE is reused for sys/event.h inclusion.

Test changes

• SafeProcessHandleTests.cs: Extended [PlatformSpecific] to TestPlatforms.OSX | TestPlatforms.Windows. All ProcessStartOptions creation uses platform detection (OperatingSystem.IsWindows() ternary). CreateTenSecondSleep returns sleep 10 on Unix. Start_WithNoArguments_Succeeds uses hostname on Windows and pwd on Unix (platform-specific, since pwd is not a standalone executable on Windows). Kill tests assert PosixSignal.SIGKILL and exit code > 128 on Unix. Open_CurrentProcess_Succeeds is annotated [PlatformSpecific(TestPlatforms.Windows)].
• SafeProcessHandleTests.Unix.cs: macOS-specific tests for Signal(SIGTERM), Signal(SIGINT), invalid signal, and signal-to-exited-process behavior. All long-running tests use CreateTenSecondSleep(). The ProcessId test uses started.Kill() (not the non-owning copy) since the copy handle has no valid pid.

CI changes

• eng/pipelines/runtime.yml: Added copilot/*.* to CI branch triggers to enable pipeline runs for this branch.

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

[adamsitnik]

@copilot please address my feedback.

Moreover, please modify the .yml file that is required to let the CI run for this branch. I am not an expert in this area, but I think it should be enough to modify this file:

runtime/eng/pipelines/runtime.yml

Lines 33 to 37 in fdaebbf

	pr:
	branches:
	include:
	- main
	- release/*.*

and list copilot/*.* after release/*.*

     - release/*.* 
     - copilot/*.* 

[Copilot]

@copilot please address my feedback.

Moreover, please modify the .yml file that is required to let the CI run for this branch. I am not an expert in this area, but I think it should be enough to mo...

All feedback addressed and copilot/*.* added to the CI branch triggers in eng/pipelines/runtime.yml in 28845d4.

[Copilot]

Pull request overview

This PR implements SafeProcessHandle APIs for macOS using posix_spawn for process creation and kqueue for wait/timeout/cancellation operations. The implementation provides parity with the Windows implementation, enabling cross-platform process management through the new SafeProcessHandle APIs.

Changes:

• Native layer: Added macOS-specific implementations using posix_spawn, kqueue, and waitpid for process creation and management
• Managed layer: Implemented all core SafeProcessHandle methods (Start, Open, WaitForExit*, Kill, Resume, Signal) with proper error handling
• Code refactoring: Extracted shared utility methods (CreateEnvp, AllocNullTerminatedArray, FreeArray) from Interop.ForkAndExecProcess.cs to ProcessUtils.Unix.cs for reuse
• Tests: Extended cross-platform tests to support macOS and added macOS-specific signal tests

Reviewed changes

Copilot reviewed 16 out of 16 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
src/native/libs/configure.cmake	Added CMake feature detection for posix_spawn APIs and kqueue on macOS
src/native/libs/Common/pal_config.h.in	Added configuration defines for detected posix_spawn features
src/native/libs/System.Native/pal_process.h	Declared new native API functions for process spawning, signaling, and waiting
src/native/libs/System.Native/pal_process.c	Implemented macOS-specific process APIs using posix_spawn and kqueue, including signal mapping
src/native/libs/System.Native/pal_process_wasi.c	Added ENOTSUP stubs for WASI platform
src/native/libs/System.Native/entrypoints.c	Registered new native function entry points
src/libraries/Common/src/Interop/Unix/System.Native/Interop.SpawnProcess.cs	Added P/Invoke declarations for new native APIs
src/libraries/Common/src/Interop/Unix/System.Native/Interop.ForkAndExecProcess.cs	Refactored to use shared ProcessUtils methods
src/libraries/System.Diagnostics.Process/src/System/Diagnostics/ProcessUtils.Unix.cs	Added shared utility methods for environment and array marshalling
src/libraries/System.Diagnostics.Process/src/System/Diagnostics/Process.Unix.cs	Updated to use ProcessUtils.CreateEnvp instead of local implementation
src/libraries/System.Diagnostics.Process/src/Microsoft/Win32/SafeHandles/SafeProcessHandle.Unix.cs	Implemented all SafeProcessHandle core methods for macOS
src/libraries/System.Diagnostics.Process/src/System.Diagnostics.Process.csproj	Added Interop.SpawnProcess.cs and Interop.Pipe.cs to Unix builds
src/libraries/System.Diagnostics.Process/tests/SafeProcessHandleTests.cs	Extended platform support to include macOS and updated tests for cross-platform compatibility
src/libraries/System.Diagnostics.Process/tests/SafeProcessHandleTests.Unix.cs	Added macOS-specific signal tests
src/libraries/System.Diagnostics.Process/tests/System.Diagnostics.Process.Tests.csproj	Added SafeProcessHandleTests.Unix.cs to Unix test builds
eng/pipelines/runtime.yml	Added copilot/. branch trigger (intended for development, should be removed)

[adamsitnik]

@copilot please address all unresolved feedback

[Copilot]

@copilot please address all unresolved feedback

All unresolved feedback addressed in cdd13b0: simplified OpenProcess to kill(pid, 0), removed SIGSTOP from signal mappings, and fixed pwd test to be platform-specific.

[adamsitnik]

@copilot please give my suggestion a try.

[Copilot]

@copilot please give my suggestion a try.

Done in 4b02d2e — replaced all HAVE_POSIX_SPAWN* feature detection with #ifdef __APPLE__ platform checks and removed the cmake/config defines.

[adamsitnik]

@copilot please address my feedback

Also, annotate the Open_CurrentProcess_Succeeds test with [PlatformSpecific(TestPlatforms.Windows)]

[jkotas]

Should this set isGroupLeader based on whether the process is group leader or not?

I am not following why we need to have cached _isGroupLeader flag on SafeProcessHandle in the first place.

[adamsitnik]

I am not following why we need to have cached _isGroupLeader flag on SafeProcessHandle in the first place.

To ensure the WaitForExitOrKillOn* methods kill entire process group rather than just the leader.

[jkotas]

Do you need to cache it on SafeProcesssHandle for that? You can always check whether the process is a process group leader by calling the system APIs, especially if it is only needed on a rare expensive path.

[adamsitnik]

Do you need to cache it on SafeProcesssHandle for that? You can always check whether the process is a process group leader by calling the system APIs, especially if it is only needed on a rare expensive path.

Do you have any data to prove that this is going to be a rare execution path? Or any data showing that our customers have plenty of SafeProcesssHandle instances in their apps and the size of SafeProcesssHandle is important enough to not cache such information?

[jkotas]

My primary concern is correctness: The cached isGroupLeader is not going to match the actual state when the handle is created through this path.

Performance is not my primary concern.

[Copilot]

Fixed the correctness issue in 33db32f. SystemNative_OpenProcess now checks getpgid(pid) == pid and returns the result via a new out_isGroupLeader parameter. OpenCore uses this to set _isGroupLeader accurately instead of hardcoding false.

[jkotas]

SafeProcessHandle.DangerousGetHandle returns waithandle today. Does this change mean that it can return pidfd in some cases? I think it would be a breaking change.

[adamsitnik]

@copilot Please address my feedback

[adamsitnik]

@copilot please address this feedback

First of all, we can't use SafeFileHandle.Type to check whether provided standard handles are terminal handles because for both Terminal handles and /dev/null the API returns FileHandleType.CharacterDevice.

But luckily for us, there is already an API for checking that:

runtime/src/libraries/Common/src/Interop/Unix/System.Native/Interop.IsATty.cs

Lines 11 to 13 in 0d0e129

	[LibraryImport(Libraries.SystemNative, EntryPoint = "SystemNative_IsATty")]
	[return: MarshalAs(UnmanagedType.Bool)]
	internal static partial bool IsATty(IntPtr fd);

Please extend Interop.IsATty.cs with an overload that takes SafeFileHandle:

        [LibraryImport(Libraries.SystemNative, EntryPoint = "SystemNative_IsATty")]
        [return: MarshalAs(UnmanagedType.Bool)]
        internal static partial bool IsATty(SafeFileHandle fd);

And use it in StartCore (part of SafeProcessHandle.Unix.cs) to detect if any of the inputHandle/outputHandle/errorHandle point to a terminal:

bool usesTerminal = Interop.Sys.IsATty(inputHandle) || Interop.Sys.IsATty(outputHandle) || Interop.Sys.IsATty(errorHandle);

Moreover, please add a comment explaining why we are doing this similar to this one.

Then move all the logic from src/libraries/System.Diagnostics.Process/src/System/Diagnostics/Process.ConfigureTerminalForChildProcesses.Unix.cs to src/libraries/System.Diagnostics.Process/src/System/Diagnostics/ProcessUtils.ConfigureTerminalForChildProcesses.Unix.cs, and all the logic from src/libraries/System.Diagnostics.Process/src/System/Diagnostics/Process.ConfigureTerminalForChildProcesses.iOS.cs to src/libraries/System.Diagnostics.Process/src/System/Diagnostics/ProcessUtils.ConfigureTerminalForChildProcesses.iOS.cs. Modify the src/libraries/System.Diagnostics.Process/src/System.Diagnostics.Process.csproj file to reflect the changes.

Then update all the calls from Process.Unix.cs and other files like ProcessWaitState.Unix.cs to the moved APIs to call the methods via ProcessUtils type.

Then update StartCore (part of SafeProcessHandle.Unix.cs) to call ProcessUtils.ConfigureTerminalForChildProcesses(1) before starting the process when usesTerminal is true and ProcessUtils.ConfigureTerminalForChildProcesses(-1) in case the Interop.Sys.SpawnProcess failed to spawn the process (and usesTerminal is true).

Extend StartCore to store usesTerminal in a readonly field (_usesTerminal) of SafeProcessHandle.Unix.cs.

Then modify all the WaitForExit* methods (and TryWaitForExitCore) in the src/libraries/System.Diagnostics.Process/src/Microsoft/Win32/SafeHandles/SafeProcessHandle.Unix.cs‎ file to call ProcessUtils.ConfigureTerminalForChildProcesses(-1) when _usesTerminal is true and the process has exited. Ideally move this logic to small helper method (OnProcessExited) and just call the helper everywhere.

[Copilot]

@copilot Please address my feedback

Fixed the _isGroupLeader correctness concern in 33db32f. SystemNative_OpenProcess now detects whether the process is a group leader via getpgid(pid) == pid and returns the result to managed code.

[adamsitnik]

@copilot I've asked you to address #124923 (comment) and you seem to have ignored it. Do address this particular feedback.

[Copilot]

@copilot I've asked you to address #124923 (comment) and you seem to have ignored it. Do address this particular feedback.

Applied the parameter rename in af33fd5.

[jkotas]

I believe that processes can change process groups as long as they stay within the same session. Is that correct? It means that this cached value can be stale.

[adamsitnik]

@copilot address my feedback

[Copilot]

@copilot address my feedback

Done in e88f121 — removed both Process.ConfigureTerminalForChildProcesses wrapper files and updated all callers to use ProcessUtils directly.