[RFC PATCH] sed/grep noexec support for performance optimization

Denys Vlasenko vda.linux at googlemail.com
Tue Jan 27 06:27:21 UTC 2026 

On Thu, Jan 22, 2026 at 2:43 PM chunhui ren via busybox
<busybox at busybox.net> wrote:
> I’m working on a performance optimization and would like to explore adding
> noexec support for sed and grep.

Please see docs/nofork_noexec.txt

The problem here is that sed and grep can be inserted into a long-running pipe.
Therefore, whatever extra memory allocated by the parent applet
before fork() will be permanently used by them while they are running.

Can we measure how much is that?
Looks like ~16kb if the parent is a shell.

Another complication is that the parent program must not set up nontrivial
signals handlers which do not expect that NOEXEC applet has started running
after fork().


> The motivation is to reduce fork/exec overhead in constrained environments

In this case, you are eliminating just exec overhead. Not fork

> I have an initial implementation attached below, where:
> • sed and grep are marked as noexec-capable applets
> • the change is intended purely as a performance optimization

The problem here is that we don't know what's the parent applet is.
If it has a potential of having large allocated memory, then NOEXECing
is undesirable; if it does _NOT_, then it is okay.


> Before refining or splitting this further, I’d like to confirm whether this
> direction is acceptable, and whether there are known concerns in sed/grep
> internals that would make noexec unsuitable.
>
> Thanks for your time and feedback.
>
> Signed-off-by: Ren Chunhui <renchunhui2025 at outlook.com>
>
>
...
> --- a/shell/ash.c
> +++ b/shell/ash.c
> @@ -8336,7 +8336,7 @@ static void shellexec(char *prog, char **argv, const char *path, int idx)
>  envp = listvars(VEXPORT, VUNSET, /*strlist:*/ NULL, /*end:*/ NULL);
>  if (strchr(prog, '/') != NULL
>  #if ENABLE_FEATURE_SH_STANDALONE
> -      || (applet_no = find_applet_by_name(prog)) >= 0
> +      || (((applet_no = find_applet_by_name(prog)) >= 0)
> +          && !is_applet_forbidden_noexec(applet_no)
> +          && is_applet_force_noexec(applet_no))


Unclear why you are doing this: tryexec() already has the code to NOEXEC
the applets.
All should work if you just patch sed and grep to be NOEXEC.
It does not work? What exactly is the problem?

More information about the busybox mailing list