If this initializer fails, it means that posix_spawn_file_actions_addup2 returned a value that isn't an error code, which is documented to not be possible (aside from the success case). Should we force unwrap here instead of silently swapping out .ENODEV? Or if not, is ENODEV the right choice here? (this applies to all of the similar nil coalescing below)

Should we do something in the else case to indicate a developer error by providing anything else as the qualityOfService so that we don't silently drop the value?

Currently SwiftSystem's withPlatformString behaves differently than Foundation's withFileRepresentation (namely that it doesn't perform normalization/decomposition on Darwin). Do we want to use System's implementation here, or do we want to be consistent with code like Task/FileManager and use Foundation's here? (this goes for all uses of withPlatformString)

I'm not sure fileNoSuchFile is appropriate here since the directory may exist but, for example, might not be permitted for the current user. Should we instead use the CocoaError static functions that create a cocoa error based on chdirError?

I suspect that this withCString should really be withFileSystemRepresentation because it is a path

Is there a meaningful difference between optString.withOptionalCString and optString?.withCString at the call sites?

Should this be inside of a #if !FOUNDATION_FRAMEWORK block?

This buffer is never deallocated - is there a way to do this a bit safer without allocating the buffer ourself? Also, should this return a Data instead of a [UInt8]

Is this not already defined elsewhere in the package?

Is it ok for our test to rely on this external address, or should we use something like apple.com?

Can we separate this out into its own PR?

This is already in Foundation today. I'm simply moving it to SwiftFoundation.

This seems dangerous since we might be sharing the readFD with multiple AsyncBytes here. We should ensure that we are only ever returning one AsyncBytes here and either return nil or better fatalError on subsequent access to standardOutput or standardInput

This and the method below need to be async since the read might be blocking.

I don't think we should use an actor for this here. Moreover, the write and and finish methods below are potentially blocking so we need to make them run on an appropriate executor.

NIT:

Also it doesn't seem clear to me here that T must be Sendable. It seems more to me that this should be a conditional Sendable conformance

Do we really want to enforce Int32 here or just make that an implementation detail? For most of our public APIs we prefer Int over specific IntX types.

The body really shouldn't require to be @Sendable nor @escaping. This will limit the way how this is used and make it very hard to use from within an actor.

IMO this is not the right way to do task cancellation here. I personally think we should check for cancellation only when we do a read or write syscall. This makes sure that user code in the body still continues to execute and only when they try to make a sys call we check for it.

This method appears to be blocking so must not call this from a concurrency thread. We need to use a custom task executor here to watch the child task.

Could you elaborate on this? Are you saying all blocking methods need to be in a separate executor? That would make Swift's concurrency system really hard to use...

I know we discussed an alternative solution for this offline and we should use kqueue,epoll,io_uring to monitor to process instead. However, to answer your general question for anyone that's reading along: Yes you can never make a blocking sys call in neither a sync nor async method really since those might be called from one of the Concurrency threads which will get blocked. Any blocking call must run on its own thread and the canonical spelling starting is going to be withTaskExecutor once that feature has landed in a released Swift version.

We really should aim to not execute this in a child task but keep it in the parent task. Otherwise this becomes very hard to use in some places. The only reason that I can see why we run this in a child task is because we want to cancel the body if the child process terminates. I think that we shouldn't do that but rather let the error that the child process terminates bubble up from the read/next and write APIs. From our experience cancelling user code that might do arbitrary things is not good and can lead to hard to implement patterns.

Imagine the following, a user spawns a subprocess and inside the body closure they do an outbound network request where they stream the data that the subprocess produces over the network. If we cancel their body closure once the process terminates it becomes impossible for them to send any more data over the network since their task is now cancelled. What they rather want to have is get notified of the termination of the process via the next() call on the iterator and then be able to handle this by e.g. sending something over the network to indicate the termination.

If we cancel their body closure

We are not currently canceling the body closure when the subprocess finishes. They run on separate tasks and run waits for both to finish.

You are right this is very subtle since the monitor task is not throwing. My other point still stands that we should avoid running the users body closure in a child task here since it forces the closure to become @Sendable and @escaping which makes it hard to use in some context e.g. inside an actor.

We should run the closure in the calling task and the monitoring of the child process can happen in a child task but in the end it must surface through the read/write operations of the Subprocess. From what I can tell this is already happening and you can just move the call to body to the body of the withTaskGroup here.

I'd write let _LF = UInt8(ascii: "\n") or even remove these constants all together, there's no perf benefit of doing this.

This is racy and can block

if this fails with POSIX_SPAWN_SETEXEC, how's the error communicated to the parent?

Indeed, how's the error code communicated back to the parent? I'd expect a pipe between parent and child here that has O_CLOEXEC. So if the parent reads something there, then that's the child's exit code. If the parent reads EOF, then everything's okay.

Here's code I've written in a previous life taking care of this: https://github.com/BromiumInc/BromiumCoreUtils/blob/2ec1c52a09831893618b9620383015e4362f7aa5/BromiumCoreUtils/BRUTask.m#L338-L341

this fails to

• close the other file descriptors
• reset the signal masks

example: https://github.com/BromiumInc/BromiumCoreUtils/blob/2ec1c52a09831893618b9620383015e4362f7aa5/BromiumCoreUtils/BRUTask.m#L320-L334

While posix_spawn is fine in some circumstances, it is not always ideal. In some cases one needs to replace the current process instead of launching a new one, with execv on Linux/macOS and other means on Windows. For example, the swift run command in SwiftPM works exactly this way. Is there anything in the current Subprocess API that would allow that? If not, is there anything in the API that would prevent us from adding it in the future?

@MaxDesiatov I think POSIX_SPAWN_SETEXEC makes posix_spawn essentially execve on steroids.

Should this be using NUL on Windows? Repeats throughout.