Refactor Process.StartCore to accept SafeFileHandle parameters for stdin/stdout/stderr

[Copilot]

Description

Refactors StartCore on both Windows and Unix to accept SafeFileHandle instances for child process standard streams, enabling future scenarios where callers provide pre-existing handles. Pipe creation and stream setup are lifted into the shared Process.cs:Start() method, with platform-specific OpenStream and encoding helper methods defined directly in each platform file (no partial methods).

Native layer (pal_process.c, pal_process.h, pal_process_wasi.c)

• stdinFd/stdoutFd/stderrFd changed from int32_t* (out) to int32_t (in) — caller now owns pipe creation
• Removed internal pipe creation (SystemNative_Pipe calls) and associated ProcessCreateLock
• dup2 of the provided fds onto STDIN_FILENO/STDOUT_FILENO/STDERR_FILENO is now unconditional (CLOEXEC flags are stripped by dup2 itself since it doesn't copy descriptor flags)
• Removed redirectStdin/redirectStdout/redirectStderr parameters from native signature

New native entry point (pal_io.c, pal_io.h)

• Added SystemNative_IsAtomicNonInheritablePipeCreationSupported — returns 1 when HAVE_PIPE2 is defined, 0 otherwise; used by managed code to decide whether pipe creation requires a write lock

Interop layer (Interop.ForkAndExecProcess.cs)

• P/Invoke signature changed from out int stdinFd/stdoutFd/stderrFd to SafeFileHandle parameters (marshalled as int32_t values)
• Removed redirectStdin/redirectStdout/redirectStderr boolean parameters

New interop declarations

• Interop.IsATty.cs: Added SafeFileHandle overload of IsATty
• Interop.IsAtomicNonInheritablePipeCreationSupported.cs: New P/Invoke with NullableBool caching for SystemNative_IsAtomicNonInheritablePipeCreationSupported

Managed layer

• Process.cs: Start() now creates pipes via SafeFileHandle.CreateAnonymousPipe directly (with Console.OpenStandard*Handle() fallbacks for non-redirected streams). Pipe creation is guarded by !startInfo.UseShellExecute || !OperatingSystem.IsWindows(). On platforms without pipe2, a WriteLock wraps pipe creation to prevent accidental handle inheritance. After StartCore, sets up _standardInput/_standardOutput/_standardError streams via platform-specific OpenStream. The CantRedirectStreams validation for UseShellExecute is moved here from platform files.
• Process.Unix.cs: StartCore takes SafeFileHandle? parameters (asserted non-null). Terminal detection (usesTerminal) changed from checking redirect booleans to IsATty() calls on the actual handles. OpenStream transfers ownership from SafeFileHandle to SafePipeHandle and wraps in AnonymousPipeClientStream. GetStandardInputEncoding/GetStandardOutputEncoding return Encoding.Default. s_processStartLock moved to shared ProcessUtils.
• Process.Windows.cs: StartWithCreateProcess takes non-nullable SafeFileHandle parameters. Handles are duplicated as inheritable via DuplicateAsInheritable. The old CreatePipe helper and s_createProcessLock are removed. The lock is replaced by ProcessUtils.s_processStartLock.EnterWriteLock(). OpenStream wraps handle in FileStream. GetStandardInputEncoding/GetStandardOutputEncoding use console code pages.
• Process.Win32.cs: StartCore signature updated; asserts that UseShellExecute implies all-null handles. CantRedirectStreams check removed (moved to shared Process.cs).
• ProcessUtils.cs: Now hosts s_processStartLock (shared across platforms).
• Process.ConfigureTerminalForChildProcesses.Unix.cs: References ProcessUtils.s_processStartLock instead of the removed instance field.

Console changes (Android support)

• ConsolePal.Android.cs: OpenStandardInputHandle/OpenStandardOutputHandle/OpenStandardErrorHandle now return SafeFileHandle(0/1/2, ownsHandle: false) instead of throwing PlatformNotSupportedException, matching the existing Unix/Wasi behavior.
• Console.cs: Removed [UnsupportedOSPlatform("android")] from all three OpenStandard*Handle methods.
• Ref assembly (System.Console.cs): Removed [UnsupportedOSPlatformAttribute("android")] from all three methods.
• Tests (ConsoleHandles.cs): Updated platform filters to include Android in valid-handle tests and exclude it from throws-on-unsupported tests.

Build verification

• Managed build passes for all target frameworks (including Android)
• Native build passes
• Tests pass (372/373, 1 unrelated flaky failure in TestGetProcesses)

---

🔒 GitHub Advanced Security automatically protects Copilot coding agent pull requests. You can protect all pull requests by enabling Advanced Security for your repositories. Learn more about Advanced Security.

[dotnet-policy-service]

Tagging subscribers to this area: @dotnet/area-system-diagnostics-process
See info in area-owners.md if you want to be subscribed.

[adamsitnik]

@copilot address my feedback

[Copilot]

@copilot address my feedback

All feedback addressed in commit 07d9369:

• Removed partial method declarations; OpenStream/encoding methods defined directly in platform files
• Pipe creation uses SafeFileHandle.CreateAnonymousPipe directly in Process.cs:Start() with !startInfo.UseShellExecute || !OperatingSystem.IsWindows() condition
• Console.OpenStandard*Handle() called from Start() for non-redirected streams
• Windows StartWithCreateProcess just calls DuplicateAsInheritable for all 3 handles
• Removed CreatePipe from both platforms, s_invalidSafeFileHandle from Unix, Interop.Pipe.cs from csproj
• Removed XML docs from non-public methods
• Build passes all targets; 372/373 tests pass (1 flaky TestGetProcesses failure unrelated to changes)

[adamsitnik]

To review this file I recommend hiding whitespace changes:

[adamsitnik]

@copilot please update the PR description based on my commits and then invoke the code-review skill and post your analysis/results as a comment on this PR

[Copilot]

@copilot please update the PR description based on my commits and then invoke the code-review skill and post your analysis/results as a comment on this PR

PR description updated. Code review follows below.

🤖 Copilot Code Review

Holistic Assessment

Motivation: This refactoring lifts pipe creation out of platform-specific code into the shared Process.cs:Start() method, making StartCore accept pre-created SafeFileHandle parameters. This enables future scenarios where callers provide pre-existing handles and unifies the pipe creation logic across platforms.

Approach: The approach is sound — pipes are created uniformly via SafeFileHandle.CreateAnonymousPipe in shared code, with Console.OpenStandard*Handle() fallbacks for non-redirected streams. Platform-specific OpenStream and encoding methods are defined directly in each platform file without partial methods. The locking strategy is carefully designed to prevent accidental handle inheritance.

Summary: ✅ LGTM. The refactoring is correct, handles resource management properly, and the locking scheme is well-designed. Two models (Gemini 2.5 Pro and Claude Opus 4.5) reviewed this independently; their findings converge. No blocking issues found.

---

Detailed Findings

✅ Resource management — Console handles are safe to dispose

The finally block in Process.cs:Start() disposes childInputPipeHandle, childOutputPipeHandle, childErrorPipeHandle. When not redirecting, these are assigned from Console.OpenStandard*Handle(). Verified that both Unix and Windows implementations create these with ownsHandle: false:

• Unix: new SafeFileHandle(fd, ownsHandle: false) (ConsolePal.Unix.cs)
• Windows: new SafeFileHandle(handle, ownsHandle: false) (ConsolePal.Windows.cs)

Disposing a non-owning SafeFileHandle is a no-op — no risk of closing actual stdin/stdout/stderr descriptors.

✅ Handle ownership transfer in Unix OpenStream — No double-dispose

The Unix OpenStream method transfers ownership from SafeFileHandle to SafePipeHandle:

SafePipeHandle safePipeHandle = new(handle.DangerousGetHandle(), ownsHandle: true);
handle.SetHandleAsInvalid();
handle.Dispose();

The parent pipe handles (parentInputPipeHandle etc.) are only disposed in the catch block on exception, which runs before OpenStream is called. On success, OpenStream takes ownership and no double-dispose occurs.

✅ Platform-conditional handle creation — Assertions are correct

The condition !startInfo.UseShellExecute || !OperatingSystem.IsWindows():

• On Unix: Always true → handles are always created. The assertion stdinHandle is not null && ... is correct.
• On Windows: true only when !UseShellExecute → handles are null for ShellExecute. The assertion UseShellExecute == (handles are null) is correct.

✅ Native dup2 now unconditional — Safe

The native code now always calls dup2(stdinFd, STDIN_FILENO) etc. When not redirecting, the caller passes the actual stdin fd (from Console.OpenStandardInputHandle()), so stdinFd == STDIN_FILENO. Per POSIX, dup2(fd, fd) is a no-op that returns fd without error.

✅ Locking scheme — Correctly prevents handle inheritance leaks

• On platforms without pipe2: WriteLock wraps pipe creation (preventing other processes from inheriting pipes during the non-atomic create+set-CLOEXEC window).
• On Windows: WriteLock wraps DuplicateAsInheritable + CreateProcess (preventing concurrent processes from inheriting each other's inheritable handles).
• On Unix: ReadLock during ForkAndExecProcess allows concurrent process starts while being mutually exclusive with WriteLock operations.

The lock is shared across platforms via ProcessUtils.s_processStartLock, which is correct since the same ReaderWriterLockSlim instance must be used for read/write coordination.

💡 Minor — Comment could be more precise

The comment at line 1372 ("We MUST close the parent copies of the child handles") is slightly misleading for the non-redirect case where handles came from Console.OpenStandard*Handle() — these aren't "parent copies of child handles" but non-owning wrappers. This is a cosmetic observation, not a blocker.

---

Models contributing to this review: Claude Sonnet 4 (primary), Gemini 2.5 Pro, Claude Opus 4.5

[Copilot]

Pull request overview

This PR refactors System.Diagnostics.Process startup so that platform StartCore implementations accept SafeFileHandle instances for stdin/stdout/stderr, with pipe creation moved into the shared Process.Start() path. It also updates the native/interop layers to accept provided fds instead of creating pipes in native code, enabling future scenarios where callers supply pre-existing standard stream handles.

Changes:

• Managed: Move stdio pipe creation + stream setup into Process.Start(), and update Unix/Windows StartCore to accept SafeFileHandle parameters.
• Native/Interop: Change SystemNative_ForkAndExecProcess to take stdinFd/stdoutFd/stderrFd as inputs and add a native probe for pipe2 support (SystemNative_IsAtomicNonInheritablePipeCreationSupported).
• Tests/Project: Update Windows window-style test expectations and add new Unix interop sources + NullableBool inclusion in the Process project.

Reviewed changes

Copilot reviewed 17 out of 17 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
src/native/libs/System.Native/pal_process_wasi.c	Updates WASI ForkAndExecProcess signature to accept stdin/out/err fds as inputs.
src/native/libs/System.Native/pal_process.h	Adjusts native API contract to take stdio fds by value (no redirect booleans / out fds).
src/native/libs/System.Native/pal_process.c	Removes native pipe creation/locking for stdio and unconditionally dup2s provided fds.
src/native/libs/System.Native/pal_io.h	Declares new native capability probe for atomic non-inheritable pipe creation.
src/native/libs/System.Native/pal_io.c	Implements the pipe2 capability probe.
src/native/libs/System.Native/entrypoints.c	Exposes the new native probe via System.Native entrypoints.
src/libraries/System.Diagnostics.Process/tests/ProcessStartInfoTests.Windows.cs	Fixes window-style assertions to mask dwFlags rather than compare full value.
src/libraries/System.Diagnostics.Process/src/System/Diagnostics/ProcessUtils.cs	Centralizes the cross-platform process-start ReaderWriterLockSlim.
src/libraries/System.Diagnostics.Process/src/System/Diagnostics/Process.cs	Creates stdio handles/pipes in shared Start() and initializes redirected streams via platform OpenStream.
src/libraries/System.Diagnostics.Process/src/System/Diagnostics/Process.Windows.cs	Refactors CreateProcess path to take provided handles and duplicates them as inheritable.
src/libraries/System.Diagnostics.Process/src/System/Diagnostics/Process.Win32.cs	Updates StartCore signature, adds atomic pipe creation support flag for Windows, and moves redirect validation to shared code.
src/libraries/System.Diagnostics.Process/src/System/Diagnostics/Process.Unix.cs	Updates StartCore + ForkAndExec interop usage to use provided handles; adjusts terminal detection to use IsATty(handle).
src/libraries/System.Diagnostics.Process/src/System/Diagnostics/Process.ConfigureTerminalForChildProcesses.Unix.cs	Switches to ProcessUtils.s_processStartLock.
src/libraries/System.Diagnostics.Process/src/System.Diagnostics.Process.csproj	Adds new Unix interop sources and moves NullableBool to the broader non-Windows group.
src/libraries/Common/src/Interop/Unix/System.Native/Interop.IsAtomicNonInheritablePipeCreationSupported.cs	Adds cached managed probe for pipe2 support.
src/libraries/Common/src/Interop/Unix/System.Native/Interop.IsATty.cs	Adds SafeFileHandle overload for IsATty.
src/libraries/Common/src/Interop/Unix/System.Native/Interop.ForkAndExecProcess.cs	Updates P/Invoke to pass stdio handles (no redirect booleans / out fds).

---

You can also share your feedback on Copilot code review. Take the survey.

[adamsitnik]

@jkotas The alternative would be to make Console.OpenStandard*Handle not throw and just return 0/1/2. Or use File.OpenNullHandle for Android (and iOS?). What do you think?

[jkotas]

I do not know what works on mobile wrt. Process.Start today. I agree with copilot that we should avoid regressing it.

[jkotas]

@lateralusX Anything to validate here specifically on mobile platforms?

[lateralusX]

Couple of things to have in mind:

On both Android/iOS/TvOS fd 0,1,2 just points to /dev/null (with some exception running under debugger), in order to log to "console" you need to use platform specific API's, logcat on Android and NSLogStream on iOS/TvOS, that is what we do in the console PAL when we open OpenStandardOutput and OpenStandardError. There is no stdin on these platforms, that's why they throw PNS, but fd 0 should still represent stdin and wired to /dev/null, so won't work in practice.

Fork/exec is not allowed in most sandbox scenarios, so on iOS/TvOS, you can't run child process at all, StartCore will even throw PNS.

On Android there are security restrictions around fork/exec, but it should be possible to run system binaries and binaries deployed through the same APK without root permissions. Having that said, Android OS have restricted some of the capabilities over time.

In default case, child process will get fd 0,1,2 pointing to /dev/null. Since most logging in apps on Android goes through logcat, it will never hit stdout or stderr, but if you run shell commands or other processes using regular stderr/stdout, then it's possible to redirect and capture output in parent process.

Looking through this change, it doesn't seem to change current state around fork/exec on any of the mobile platforms, it just adding capability to get hold of stdin/stderr/stdout handles on Android, all pointing to /dev/null (if not redirected). What seems to change is that we now always dup stdin/stdout/stderr in the child process, even when not redirected, so that change might need to be verified on Android.

Doesn't look like we have any explicit test coverage on Android for Process.Start today, some tests are explicitly excluded, while others are guarded with RemoteExecutor.IsSupported. We should probably add something simple to verify the change on Android.

It could be argued if we should change the public API to return handles instead of PNS on Android. Another option could be to do Android specific handles inside the Process class, removing the need to expose it through the public API's.

[adamsitnik]

There is no stdin on these platforms, that's why they throw PNS, but fd 0 should still represent stdin and wired to /dev/null, so won't work in practice.

It could be argued if we should change the public API to return handles instead of PNS on Android. Another option could be to do Android specific handles inside the Process class, removing the need to expose it through the public API's.

The Console.OpenStandard*Handle could return 0/1/2 and it would represent /dev/null if it was opened for given process. We could also just return File.OpenNullHandle (an API that was added very recently).

But my understanding is that as of today, we should just not provide any handles if none were specified.

Fork/exec is not allowed in most sandbox scenarios, so on iOS/TvOS, you can't run child process at all, StartCore will even throw PNS.

How about posix_spawn? I will need to use it on macOS to implement some other features like #13943. Based on my research it's allowed on iOS if the user has the right permissions. And based on my performance benchmarks, it gives HUGE perf boost for starting processes on macOS itself.

We should probably add something simple to verify the change on Android.

Could you please tell me a bit more of how this could be tested without RemoteExecutor? Are all our tests run via emulation and for example I could just run some simple sh script because it's most likely run on some Unix machine?

[adamsitnik]

To other reviewers: This test was checking exact flag value. Now we just check if the flag is applied, allowing other flags like STARTF_USESTDHANDLES

[adamsitnik]

To other reviewers: now this lock is taken in managed code, only for the time of creating the pipes.

[adamsitnik]

To other reviewers: each of these handles could point to a terminal. So we perform a detailed check.

[jkotas]

This and the other logic in this PR assume that stdin/stdout/stderr are distinct handles. The earlier versions had code to deal with the situation where these handle overlap. Do we need to worry about that?

[adamsitnik]

This and the other logic in this PR assume that stdin/stdout/stderr are distinct handles. The earlier versions had code to deal with the situation where these handle overlap. Do we need to worry about that?

That version was using an allow list which prohibits duplicates. It will be needed for #13943

In case of this PR, in the worst case (for example a process started with all handles redirected to NUL), we are going to perform 2 extra handle duplicates (it will be neglible when compared to the cost of starting a new process)

[jkotas]

It is the problem that Tom commented on. It is not clear what exact API shapes is this refactoring expected to support.

[jkotas]

I do not know what works on mobile wrt. Process.Start today. I agree with copilot that we should avoid regressing it.

[tmds]

The most recent conclusion from API Review is that we don't want a new option bag at all (#124334 (comment)).

I think ProcessStartOptions stranded while trying to figure out how to make it both a simple API that avoids the "pit of failure" of current Process API, and an API that enables advanced features which require some "process domain knowledge" which makes it more complex.

Deciding to no longer do ProcessStartOptions doesn't mean we know how to solve this problem with Process and ProcessStartInfo.

It will allow me to implement #123959 as set of Process methods (yes, no ChildProcess) without introducing a new public API. It's not like I don't want to introduce such APIs (I still want to introduce SafeChildProcessHandle), but I can simply do it later, after providing the high-level APIs.

The API this is refactoring for is not worked out. It depends on what the API is whether it is useful to refactor this.

[adamsitnik]

Deciding to no longer do ProcessStartOptions doesn't mean we know how to solve this problem with Process and ProcessStartInfo.

The conclusion was that having more than one option bag would cause too much confusion (which one to use? is the old one deprecated? etc). So even if we come up with a better ProcessStartOptions design (like 4 simple things in base class and all other things in AdvancedProcessStartOptions) it won't be allowed.

The API this is refactoring for is not worked out. It depends on what the API is whether it is useful to refactor this.

We have at least two options:

• extending ProcessStartInfo with 3 new SafeFileHandle properties
• extending Process with a new Start overload that takes ProcessStartInfo instance and 3 SafeFileHandle arguments

If everything goes right, I am going to propose this API next Tuesday. With this refactor, exposing it publicly will be trivial. Another simple refactor is going to make it possible to move the StartCore as is to SafeProcessHandle Start method.

Moreover, this refactor is going to make #13943 easier (and this API was already approved).

@tmds please let me know if you need any more details. Thanks!

[jkotas]

This looks odd. Should we make OpenStandardInputHandle work on Android instead of this?

[adamsitnik]

@copilot address this feedback, make Console.OpenStandard*Handle APIs work on android by returning 0/1/2 values. Update the implementation, ref and tests. And then remove the Android checks from this PR

[Copilot]

Done in bba0144. Changed ConsolePal.Android.cs to return new SafeFileHandle(0/1/2, ownsHandle: false) (matching Unix/Wasi pattern), removed [UnsupportedOSPlatform("android")] from all three methods in both Console.cs and the ref assembly, updated tests, and removed the Android workarounds from Process.cs. All builds pass (ref, src including Android target, and Process).

[jkotas]

extending Process with a new Start overload that takes ProcessStartInfo instance and 3 SafeFileHandle arguments

I am not sure this API shape is going to fly well - it is inconsistent with what's there today. I think the SafeFileHandles should be members on ProcessStartInfo and be mutually exclusive with the other ways to redirect input/output.

[jkotas]

Hmm, this is inconsistent with what OpenStandardInput/OpenStandardOutput/OpenStandardError does now.

Can we just leave the standard handles alone when there is nothing to redirect?

[tmds]

We should start from the use-cases/issues, propose the API and design (which may involve some prototyping/derisking) and then the actual implementation follows.

You may have a picture about the API and design. I don't think it is written down so others can understand what way we're heading and how it solves the user issues.

I can technically review if this refactoring isn't breaking anything, but currently I can't say why we need it, which is the more important thing.

Personally, I prefer we capture such information in an issue. PRs are already implementation centric and the coding agent workflows make it even more focused on code and code changes.