std/sys/process/unix/
unix.rs

1#[cfg(target_os = "vxworks")]
2use libc::RTP_ID as pid_t;
3#[cfg(not(target_os = "vxworks"))]
4use libc::{c_int, pid_t};
5#[cfg(not(any(
6    target_os = "vxworks",
7    target_os = "l4re",
8    target_os = "tvos",
9    target_os = "watchos",
10)))]
11use libc::{gid_t, uid_t};
12
13use super::common::*;
14use crate::io::{self, Error, ErrorKind};
15use crate::num::NonZero;
16use crate::sys::cvt;
17#[cfg(target_os = "linux")]
18use crate::sys::pal::linux::pidfd::PidFd;
19use crate::{fmt, mem, sys};
20
21cfg_if::cfg_if! {
22    if #[cfg(target_os = "nto")] {
23        use crate::thread;
24        use libc::{c_char, posix_spawn_file_actions_t, posix_spawnattr_t};
25        use crate::time::Duration;
26        use crate::sync::LazyLock;
27        // Get smallest amount of time we can sleep.
28        // Return a common value if it cannot be determined.
29        fn get_clock_resolution() -> Duration {
30            static MIN_DELAY: LazyLock<Duration, fn() -> Duration> = LazyLock::new(|| {
31                let mut mindelay = libc::timespec { tv_sec: 0, tv_nsec: 0 };
32                if unsafe { libc::clock_getres(libc::CLOCK_MONOTONIC, &mut mindelay) } == 0
33                {
34                    Duration::from_nanos(mindelay.tv_nsec as u64)
35                } else {
36                    Duration::from_millis(1)
37                }
38            });
39            *MIN_DELAY
40        }
41        // Arbitrary minimum sleep duration for retrying fork/spawn
42        const MIN_FORKSPAWN_SLEEP: Duration = Duration::from_nanos(1);
43        // Maximum duration of sleeping before giving up and returning an error
44        const MAX_FORKSPAWN_SLEEP: Duration = Duration::from_millis(1000);
45    }
46}
47
48////////////////////////////////////////////////////////////////////////////////
49// Command
50////////////////////////////////////////////////////////////////////////////////
51
52impl Command {
53    pub fn spawn(
54        &mut self,
55        default: Stdio,
56        needs_stdin: bool,
57    ) -> io::Result<(Process, StdioPipes)> {
58        const CLOEXEC_MSG_FOOTER: [u8; 4] = *b"NOEX";
59
60        let envp = self.capture_env();
61
62        if self.saw_nul() {
63            return Err(io::const_error!(
64                ErrorKind::InvalidInput,
65                "nul byte found in provided data",
66            ));
67        }
68
69        let (ours, theirs) = self.setup_io(default, needs_stdin)?;
70
71        if let Some(ret) = self.posix_spawn(&theirs, envp.as_ref())? {
72            return Ok((ret, ours));
73        }
74
75        #[cfg(target_os = "linux")]
76        let (input, output) = sys::net::Socket::new_pair(libc::AF_UNIX, libc::SOCK_SEQPACKET)?;
77
78        #[cfg(not(target_os = "linux"))]
79        let (input, output) = sys::pipe::anon_pipe()?;
80
81        // Whatever happens after the fork is almost for sure going to touch or
82        // look at the environment in one way or another (PATH in `execvp` or
83        // accessing the `environ` pointer ourselves). Make sure no other thread
84        // is accessing the environment when we do the fork itself.
85        //
86        // Note that as soon as we're done with the fork there's no need to hold
87        // a lock any more because the parent won't do anything and the child is
88        // in its own process. Thus the parent drops the lock guard immediately.
89        // The child calls `mem::forget` to leak the lock, which is crucial because
90        // releasing a lock is not async-signal-safe.
91        let env_lock = sys::os::env_read_lock();
92        let pid = unsafe { self.do_fork()? };
93
94        if pid == 0 {
95            crate::panic::always_abort();
96            mem::forget(env_lock); // avoid non-async-signal-safe unlocking
97            drop(input);
98            #[cfg(target_os = "linux")]
99            if self.get_create_pidfd() {
100                self.send_pidfd(&output);
101            }
102            let Err(err) = unsafe { self.do_exec(theirs, envp.as_ref()) };
103            let errno = err.raw_os_error().unwrap_or(libc::EINVAL) as u32;
104            let errno = errno.to_be_bytes();
105            let bytes = [
106                errno[0],
107                errno[1],
108                errno[2],
109                errno[3],
110                CLOEXEC_MSG_FOOTER[0],
111                CLOEXEC_MSG_FOOTER[1],
112                CLOEXEC_MSG_FOOTER[2],
113                CLOEXEC_MSG_FOOTER[3],
114            ];
115            // pipe I/O up to PIPE_BUF bytes should be atomic, and then
116            // we want to be sure we *don't* run at_exit destructors as
117            // we're being torn down regardless
118            rtassert!(output.write(&bytes).is_ok());
119            unsafe { libc::_exit(1) }
120        }
121
122        drop(env_lock);
123        drop(output);
124
125        #[cfg(target_os = "linux")]
126        let pidfd = if self.get_create_pidfd() { self.recv_pidfd(&input) } else { -1 };
127
128        #[cfg(not(target_os = "linux"))]
129        let pidfd = -1;
130
131        // Safety: We obtained the pidfd (on Linux) using SOCK_SEQPACKET, so it's valid.
132        let mut p = unsafe { Process::new(pid, pidfd) };
133        let mut bytes = [0; 8];
134
135        // loop to handle EINTR
136        loop {
137            match input.read(&mut bytes) {
138                Ok(0) => return Ok((p, ours)),
139                Ok(8) => {
140                    let (errno, footer) = bytes.split_at(4);
141                    assert_eq!(
142                        CLOEXEC_MSG_FOOTER, footer,
143                        "Validation on the CLOEXEC pipe failed: {:?}",
144                        bytes
145                    );
146                    let errno = i32::from_be_bytes(errno.try_into().unwrap());
147                    assert!(p.wait().is_ok(), "wait() should either return Ok or panic");
148                    return Err(Error::from_raw_os_error(errno));
149                }
150                Err(ref e) if e.is_interrupted() => {}
151                Err(e) => {
152                    assert!(p.wait().is_ok(), "wait() should either return Ok or panic");
153                    panic!("the CLOEXEC pipe failed: {e:?}")
154                }
155                Ok(..) => {
156                    // pipe I/O up to PIPE_BUF bytes should be atomic
157                    // similarly SOCK_SEQPACKET messages should arrive whole
158                    assert!(p.wait().is_ok(), "wait() should either return Ok or panic");
159                    panic!("short read on the CLOEXEC pipe")
160                }
161            }
162        }
163    }
164
165    pub fn output(&mut self) -> io::Result<(ExitStatus, Vec<u8>, Vec<u8>)> {
166        let (proc, pipes) = self.spawn(Stdio::MakePipe, false)?;
167        crate::sys_common::process::wait_with_output(proc, pipes)
168    }
169
170    // WatchOS and TVOS headers mark the `fork`/`exec*` functions with
171    // `__WATCHOS_PROHIBITED __TVOS_PROHIBITED`, and indicate that the
172    // `posix_spawn*` functions should be used instead. It isn't entirely clear
173    // what `PROHIBITED` means here (e.g. if calls to these functions are
174    // allowed to exist in dead code), but it sounds bad, so we go out of our
175    // way to avoid that all-together.
176    #[cfg(any(target_os = "tvos", target_os = "watchos"))]
177    const ERR_APPLE_TV_WATCH_NO_FORK_EXEC: Error = io::const_error!(
178        ErrorKind::Unsupported,
179        "`fork`+`exec`-based process spawning is not supported on this target",
180    );
181
182    #[cfg(any(target_os = "tvos", target_os = "watchos"))]
183    unsafe fn do_fork(&mut self) -> Result<pid_t, io::Error> {
184        return Err(Self::ERR_APPLE_TV_WATCH_NO_FORK_EXEC);
185    }
186
187    // Attempts to fork the process. If successful, returns Ok((0, -1))
188    // in the child, and Ok((child_pid, -1)) in the parent.
189    #[cfg(not(any(target_os = "watchos", target_os = "tvos", target_os = "nto")))]
190    unsafe fn do_fork(&mut self) -> Result<pid_t, io::Error> {
191        cvt(libc::fork())
192    }
193
194    // On QNX Neutrino, fork can fail with EBADF in case "another thread might have opened
195    // or closed a file descriptor while the fork() was occurring".
196    // Documentation says "... or try calling fork() again". This is what we do here.
197    // See also https://www.qnx.com/developers/docs/7.1/#com.qnx.doc.neutrino.lib_ref/topic/f/fork.html
198    #[cfg(target_os = "nto")]
199    unsafe fn do_fork(&mut self) -> Result<pid_t, io::Error> {
200        use crate::sys::os::errno;
201
202        let mut delay = MIN_FORKSPAWN_SLEEP;
203
204        loop {
205            let r = libc::fork();
206            if r == -1 as libc::pid_t && errno() as libc::c_int == libc::EBADF {
207                if delay < get_clock_resolution() {
208                    // We cannot sleep this short (it would be longer).
209                    // Yield instead.
210                    thread::yield_now();
211                } else if delay < MAX_FORKSPAWN_SLEEP {
212                    thread::sleep(delay);
213                } else {
214                    return Err(io::const_error!(
215                        ErrorKind::WouldBlock,
216                        "forking returned EBADF too often",
217                    ));
218                }
219                delay *= 2;
220                continue;
221            } else {
222                return cvt(r);
223            }
224        }
225    }
226
227    pub fn exec(&mut self, default: Stdio) -> io::Error {
228        let envp = self.capture_env();
229
230        if self.saw_nul() {
231            return io::const_error!(ErrorKind::InvalidInput, "nul byte found in provided data");
232        }
233
234        match self.setup_io(default, true) {
235            Ok((_, theirs)) => {
236                unsafe {
237                    // Similar to when forking, we want to ensure that access to
238                    // the environment is synchronized, so make sure to grab the
239                    // environment lock before we try to exec.
240                    let _lock = sys::os::env_read_lock();
241
242                    let Err(e) = self.do_exec(theirs, envp.as_ref());
243                    e
244                }
245            }
246            Err(e) => e,
247        }
248    }
249
250    // And at this point we've reached a special time in the life of the
251    // child. The child must now be considered hamstrung and unable to
252    // do anything other than syscalls really. Consider the following
253    // scenario:
254    //
255    //      1. Thread A of process 1 grabs the malloc() mutex
256    //      2. Thread B of process 1 forks(), creating thread C
257    //      3. Thread C of process 2 then attempts to malloc()
258    //      4. The memory of process 2 is the same as the memory of
259    //         process 1, so the mutex is locked.
260    //
261    // This situation looks a lot like deadlock, right? It turns out
262    // that this is what pthread_atfork() takes care of, which is
263    // presumably implemented across platforms. The first thing that
264    // threads to *before* forking is to do things like grab the malloc
265    // mutex, and then after the fork they unlock it.
266    //
267    // Despite this information, libnative's spawn has been witnessed to
268    // deadlock on both macOS and FreeBSD. I'm not entirely sure why, but
269    // all collected backtraces point at malloc/free traffic in the
270    // child spawned process.
271    //
272    // For this reason, the block of code below should contain 0
273    // invocations of either malloc of free (or their related friends).
274    //
275    // As an example of not having malloc/free traffic, we don't close
276    // this file descriptor by dropping the FileDesc (which contains an
277    // allocation). Instead we just close it manually. This will never
278    // have the drop glue anyway because this code never returns (the
279    // child will either exec() or invoke libc::exit)
280    #[cfg(not(any(target_os = "tvos", target_os = "watchos")))]
281    unsafe fn do_exec(
282        &mut self,
283        stdio: ChildPipes,
284        maybe_envp: Option<&CStringArray>,
285    ) -> Result<!, io::Error> {
286        use crate::sys::{self, cvt_r};
287
288        if let Some(fd) = stdio.stdin.fd() {
289            cvt_r(|| libc::dup2(fd, libc::STDIN_FILENO))?;
290        }
291        if let Some(fd) = stdio.stdout.fd() {
292            cvt_r(|| libc::dup2(fd, libc::STDOUT_FILENO))?;
293        }
294        if let Some(fd) = stdio.stderr.fd() {
295            cvt_r(|| libc::dup2(fd, libc::STDERR_FILENO))?;
296        }
297
298        #[cfg(not(target_os = "l4re"))]
299        {
300            if let Some(_g) = self.get_groups() {
301                //FIXME: Redox kernel does not support setgroups yet
302                #[cfg(not(target_os = "redox"))]
303                cvt(libc::setgroups(_g.len().try_into().unwrap(), _g.as_ptr()))?;
304            }
305            if let Some(u) = self.get_gid() {
306                cvt(libc::setgid(u as gid_t))?;
307            }
308            if let Some(u) = self.get_uid() {
309                // When dropping privileges from root, the `setgroups` call
310                // will remove any extraneous groups. We only drop groups
311                // if we have CAP_SETGID and we weren't given an explicit
312                // set of groups. If we don't call this, then even though our
313                // uid has dropped, we may still have groups that enable us to
314                // do super-user things.
315                //FIXME: Redox kernel does not support setgroups yet
316                #[cfg(not(target_os = "redox"))]
317                if self.get_groups().is_none() {
318                    let res = cvt(libc::setgroups(0, crate::ptr::null()));
319                    if let Err(e) = res {
320                        // Here we ignore the case of not having CAP_SETGID.
321                        // An alternative would be to require CAP_SETGID (in
322                        // addition to CAP_SETUID) for setting the UID.
323                        if e.raw_os_error() != Some(libc::EPERM) {
324                            return Err(e.into());
325                        }
326                    }
327                }
328                cvt(libc::setuid(u as uid_t))?;
329            }
330        }
331        if let Some(cwd) = self.get_cwd() {
332            cvt(libc::chdir(cwd.as_ptr()))?;
333        }
334
335        if let Some(pgroup) = self.get_pgroup() {
336            cvt(libc::setpgid(0, pgroup))?;
337        }
338
339        // emscripten has no signal support.
340        #[cfg(not(target_os = "emscripten"))]
341        {
342            // Inherit the signal mask from the parent rather than resetting it (i.e. do not call
343            // pthread_sigmask).
344
345            // If -Zon-broken-pipe is used, don't reset SIGPIPE to SIG_DFL.
346            // If -Zon-broken-pipe is not used, reset SIGPIPE to SIG_DFL for backward compatibility.
347            //
348            // -Zon-broken-pipe is an opportunity to change the default here.
349            if !crate::sys::pal::on_broken_pipe_flag_used() {
350                #[cfg(target_os = "android")] // see issue #88585
351                {
352                    let mut action: libc::sigaction = mem::zeroed();
353                    action.sa_sigaction = libc::SIG_DFL;
354                    cvt(libc::sigaction(libc::SIGPIPE, &action, crate::ptr::null_mut()))?;
355                }
356                #[cfg(not(target_os = "android"))]
357                {
358                    let ret = sys::signal(libc::SIGPIPE, libc::SIG_DFL);
359                    if ret == libc::SIG_ERR {
360                        return Err(io::Error::last_os_error());
361                    }
362                }
363                #[cfg(target_os = "hurd")]
364                {
365                    let ret = sys::signal(libc::SIGLOST, libc::SIG_DFL);
366                    if ret == libc::SIG_ERR {
367                        return Err(io::Error::last_os_error());
368                    }
369                }
370            }
371        }
372
373        for callback in self.get_closures().iter_mut() {
374            callback()?;
375        }
376
377        // Although we're performing an exec here we may also return with an
378        // error from this function (without actually exec'ing) in which case we
379        // want to be sure to restore the global environment back to what it
380        // once was, ensuring that our temporary override, when free'd, doesn't
381        // corrupt our process's environment.
382        let mut _reset = None;
383        if let Some(envp) = maybe_envp {
384            struct Reset(*const *const libc::c_char);
385
386            impl Drop for Reset {
387                fn drop(&mut self) {
388                    unsafe {
389                        *sys::os::environ() = self.0;
390                    }
391                }
392            }
393
394            _reset = Some(Reset(*sys::os::environ()));
395            *sys::os::environ() = envp.as_ptr();
396        }
397
398        libc::execvp(self.get_program_cstr().as_ptr(), self.get_argv().as_ptr());
399        Err(io::Error::last_os_error())
400    }
401
402    #[cfg(any(target_os = "tvos", target_os = "watchos"))]
403    unsafe fn do_exec(
404        &mut self,
405        _stdio: ChildPipes,
406        _maybe_envp: Option<&CStringArray>,
407    ) -> Result<!, io::Error> {
408        return Err(Self::ERR_APPLE_TV_WATCH_NO_FORK_EXEC);
409    }
410
411    #[cfg(not(any(
412        target_os = "freebsd",
413        target_os = "illumos",
414        all(target_os = "linux", target_env = "gnu"),
415        all(target_os = "linux", target_env = "musl"),
416        target_os = "nto",
417        target_vendor = "apple",
418    )))]
419    fn posix_spawn(
420        &mut self,
421        _: &ChildPipes,
422        _: Option<&CStringArray>,
423    ) -> io::Result<Option<Process>> {
424        Ok(None)
425    }
426
427    // Only support platforms for which posix_spawn() can return ENOENT
428    // directly.
429    #[cfg(any(
430        target_os = "freebsd",
431        target_os = "illumos",
432        all(target_os = "linux", target_env = "gnu"),
433        all(target_os = "linux", target_env = "musl"),
434        target_os = "nto",
435        target_vendor = "apple",
436    ))]
437    fn posix_spawn(
438        &mut self,
439        stdio: &ChildPipes,
440        envp: Option<&CStringArray>,
441    ) -> io::Result<Option<Process>> {
442        #[cfg(target_os = "linux")]
443        use core::sync::atomic::{AtomicU8, Ordering};
444
445        use crate::mem::MaybeUninit;
446        use crate::sys::{self, cvt_nz, on_broken_pipe_flag_used};
447
448        if self.get_gid().is_some()
449            || self.get_uid().is_some()
450            || (self.env_saw_path() && !self.program_is_path())
451            || !self.get_closures().is_empty()
452            || self.get_groups().is_some()
453        {
454            return Ok(None);
455        }
456
457        cfg_if::cfg_if! {
458            if #[cfg(target_os = "linux")] {
459                use crate::sys::weak::weak;
460
461                weak!(
462                    fn pidfd_spawnp(
463                        pidfd: *mut libc::c_int,
464                        path: *const libc::c_char,
465                        file_actions: *const libc::posix_spawn_file_actions_t,
466                        attrp: *const libc::posix_spawnattr_t,
467                        argv: *const *mut libc::c_char,
468                        envp: *const *mut libc::c_char,
469                    ) -> libc::c_int;
470                );
471
472                weak!(
473                    fn pidfd_getpid(pidfd: libc::c_int) -> libc::c_int;
474                );
475
476                static PIDFD_SUPPORTED: AtomicU8 = AtomicU8::new(0);
477                const UNKNOWN: u8 = 0;
478                const SPAWN: u8 = 1;
479                // Obtaining a pidfd via the fork+exec path might work
480                const FORK_EXEC: u8 = 2;
481                // Neither pidfd_spawn nor fork/exec will get us a pidfd.
482                // Instead we'll just posix_spawn if the other preconditions are met.
483                const NO: u8 = 3;
484
485                if self.get_create_pidfd() {
486                    let mut support = PIDFD_SUPPORTED.load(Ordering::Relaxed);
487                    if support == FORK_EXEC {
488                        return Ok(None);
489                    }
490                    if support == UNKNOWN {
491                        support = NO;
492                        let our_pid = crate::process::id();
493                        let pidfd = cvt(unsafe { libc::syscall(libc::SYS_pidfd_open, our_pid, 0) } as c_int);
494                        match pidfd {
495                            Ok(pidfd) => {
496                                support = FORK_EXEC;
497                                if let Some(Ok(pid)) = pidfd_getpid.get().map(|f| cvt(unsafe { f(pidfd) } as i32)) {
498                                    if pidfd_spawnp.get().is_some() && pid as u32 == our_pid {
499                                        support = SPAWN
500                                    }
501                                }
502                                unsafe { libc::close(pidfd) };
503                            }
504                            Err(e) if e.raw_os_error() == Some(libc::EMFILE) => {
505                                // We're temporarily(?) out of file descriptors.  In this case obtaining a pidfd would also fail
506                                // Don't update the support flag so we can probe again later.
507                                return Err(e)
508                            }
509                            _ => {}
510                        }
511                        PIDFD_SUPPORTED.store(support, Ordering::Relaxed);
512                        if support == FORK_EXEC {
513                            return Ok(None);
514                        }
515                    }
516                    core::assert_matches::debug_assert_matches!(support, SPAWN | NO);
517                }
518            } else {
519                if self.get_create_pidfd() {
520                    unreachable!("only implemented on linux")
521                }
522            }
523        }
524
525        // Only glibc 2.24+ posix_spawn() supports returning ENOENT directly.
526        #[cfg(all(target_os = "linux", target_env = "gnu"))]
527        {
528            if let Some(version) = sys::os::glibc_version() {
529                if version < (2, 24) {
530                    return Ok(None);
531                }
532            } else {
533                return Ok(None);
534            }
535        }
536
537        // On QNX Neutrino, posix_spawnp can fail with EBADF in case "another thread might have opened
538        // or closed a file descriptor while the posix_spawn() was occurring".
539        // Documentation says "... or try calling posix_spawn() again". This is what we do here.
540        // See also http://www.qnx.com/developers/docs/7.1/#com.qnx.doc.neutrino.lib_ref/topic/p/posix_spawn.html
541        #[cfg(target_os = "nto")]
542        unsafe fn retrying_libc_posix_spawnp(
543            pid: *mut pid_t,
544            file: *const c_char,
545            file_actions: *const posix_spawn_file_actions_t,
546            attrp: *const posix_spawnattr_t,
547            argv: *const *mut c_char,
548            envp: *const *mut c_char,
549        ) -> io::Result<i32> {
550            let mut delay = MIN_FORKSPAWN_SLEEP;
551            loop {
552                match libc::posix_spawnp(pid, file, file_actions, attrp, argv, envp) {
553                    libc::EBADF => {
554                        if delay < get_clock_resolution() {
555                            // We cannot sleep this short (it would be longer).
556                            // Yield instead.
557                            thread::yield_now();
558                        } else if delay < MAX_FORKSPAWN_SLEEP {
559                            thread::sleep(delay);
560                        } else {
561                            return Err(io::const_error!(
562                                ErrorKind::WouldBlock,
563                                "posix_spawnp returned EBADF too often",
564                            ));
565                        }
566                        delay *= 2;
567                        continue;
568                    }
569                    r => {
570                        return Ok(r);
571                    }
572                }
573            }
574        }
575
576        type PosixSpawnAddChdirFn = unsafe extern "C" fn(
577            *mut libc::posix_spawn_file_actions_t,
578            *const libc::c_char,
579        ) -> libc::c_int;
580
581        /// Get the function pointer for adding a chdir action to a
582        /// `posix_spawn_file_actions_t`, if available, assuming a dynamic libc.
583        ///
584        /// Some platforms can set a new working directory for a spawned process in the
585        /// `posix_spawn` path. This function looks up the function pointer for adding
586        /// such an action to a `posix_spawn_file_actions_t` struct.
587        #[cfg(not(all(target_os = "linux", target_env = "musl")))]
588        fn get_posix_spawn_addchdir() -> Option<PosixSpawnAddChdirFn> {
589            use crate::sys::weak::weak;
590
591            // POSIX.1-2024 standardizes this function:
592            // https://pubs.opengroup.org/onlinepubs/9799919799/functions/posix_spawn_file_actions_addchdir.html.
593            // The _np version is more widely available, though, so try that first.
594
595            weak!(
596                fn posix_spawn_file_actions_addchdir_np(
597                    file_actions: *mut libc::posix_spawn_file_actions_t,
598                    path: *const libc::c_char,
599                ) -> libc::c_int;
600            );
601
602            weak!(
603                fn posix_spawn_file_actions_addchdir(
604                    file_actions: *mut libc::posix_spawn_file_actions_t,
605                    path: *const libc::c_char,
606                ) -> libc::c_int;
607            );
608
609            posix_spawn_file_actions_addchdir_np
610                .get()
611                .or_else(|| posix_spawn_file_actions_addchdir.get())
612        }
613
614        /// Get the function pointer for adding a chdir action to a
615        /// `posix_spawn_file_actions_t`, if available, on platforms where the function
616        /// is known to exist.
617        ///
618        /// Weak symbol lookup doesn't work with statically linked libcs, so in cases
619        /// where static linking is possible we need to either check for the presence
620        /// of the symbol at compile time or know about it upfront.
621        #[cfg(all(target_os = "linux", target_env = "musl"))]
622        fn get_posix_spawn_addchdir() -> Option<PosixSpawnAddChdirFn> {
623            // Our minimum required musl supports this function, so we can just use it.
624            Some(libc::posix_spawn_file_actions_addchdir_np)
625        }
626
627        let addchdir = match self.get_cwd() {
628            Some(cwd) => {
629                if cfg!(target_vendor = "apple") {
630                    // There is a bug in macOS where a relative executable
631                    // path like "../myprogram" will cause `posix_spawn` to
632                    // successfully launch the program, but erroneously return
633                    // ENOENT when used with posix_spawn_file_actions_addchdir_np
634                    // which was introduced in macOS 10.15.
635                    if self.get_program_kind() == ProgramKind::Relative {
636                        return Ok(None);
637                    }
638                }
639                // Check for the availability of the posix_spawn addchdir
640                // function now. If it isn't available, bail and use the
641                // fork/exec path.
642                match get_posix_spawn_addchdir() {
643                    Some(f) => Some((f, cwd)),
644                    None => return Ok(None),
645                }
646            }
647            None => None,
648        };
649
650        let pgroup = self.get_pgroup();
651
652        struct PosixSpawnFileActions<'a>(&'a mut MaybeUninit<libc::posix_spawn_file_actions_t>);
653
654        impl Drop for PosixSpawnFileActions<'_> {
655            fn drop(&mut self) {
656                unsafe {
657                    libc::posix_spawn_file_actions_destroy(self.0.as_mut_ptr());
658                }
659            }
660        }
661
662        struct PosixSpawnattr<'a>(&'a mut MaybeUninit<libc::posix_spawnattr_t>);
663
664        impl Drop for PosixSpawnattr<'_> {
665            fn drop(&mut self) {
666                unsafe {
667                    libc::posix_spawnattr_destroy(self.0.as_mut_ptr());
668                }
669            }
670        }
671
672        unsafe {
673            let mut attrs = MaybeUninit::uninit();
674            cvt_nz(libc::posix_spawnattr_init(attrs.as_mut_ptr()))?;
675            let attrs = PosixSpawnattr(&mut attrs);
676
677            let mut flags = 0;
678
679            let mut file_actions = MaybeUninit::uninit();
680            cvt_nz(libc::posix_spawn_file_actions_init(file_actions.as_mut_ptr()))?;
681            let file_actions = PosixSpawnFileActions(&mut file_actions);
682
683            if let Some(fd) = stdio.stdin.fd() {
684                cvt_nz(libc::posix_spawn_file_actions_adddup2(
685                    file_actions.0.as_mut_ptr(),
686                    fd,
687                    libc::STDIN_FILENO,
688                ))?;
689            }
690            if let Some(fd) = stdio.stdout.fd() {
691                cvt_nz(libc::posix_spawn_file_actions_adddup2(
692                    file_actions.0.as_mut_ptr(),
693                    fd,
694                    libc::STDOUT_FILENO,
695                ))?;
696            }
697            if let Some(fd) = stdio.stderr.fd() {
698                cvt_nz(libc::posix_spawn_file_actions_adddup2(
699                    file_actions.0.as_mut_ptr(),
700                    fd,
701                    libc::STDERR_FILENO,
702                ))?;
703            }
704            if let Some((f, cwd)) = addchdir {
705                cvt_nz(f(file_actions.0.as_mut_ptr(), cwd.as_ptr()))?;
706            }
707
708            if let Some(pgroup) = pgroup {
709                flags |= libc::POSIX_SPAWN_SETPGROUP;
710                cvt_nz(libc::posix_spawnattr_setpgroup(attrs.0.as_mut_ptr(), pgroup))?;
711            }
712
713            // Inherit the signal mask from this process rather than resetting it (i.e. do not call
714            // posix_spawnattr_setsigmask).
715
716            // If -Zon-broken-pipe is used, don't reset SIGPIPE to SIG_DFL.
717            // If -Zon-broken-pipe is not used, reset SIGPIPE to SIG_DFL for backward compatibility.
718            //
719            // -Zon-broken-pipe is an opportunity to change the default here.
720            if !on_broken_pipe_flag_used() {
721                let mut default_set = MaybeUninit::<libc::sigset_t>::uninit();
722                cvt(sigemptyset(default_set.as_mut_ptr()))?;
723                cvt(sigaddset(default_set.as_mut_ptr(), libc::SIGPIPE))?;
724                #[cfg(target_os = "hurd")]
725                {
726                    cvt(sigaddset(default_set.as_mut_ptr(), libc::SIGLOST))?;
727                }
728                cvt_nz(libc::posix_spawnattr_setsigdefault(
729                    attrs.0.as_mut_ptr(),
730                    default_set.as_ptr(),
731                ))?;
732                flags |= libc::POSIX_SPAWN_SETSIGDEF;
733            }
734
735            cvt_nz(libc::posix_spawnattr_setflags(attrs.0.as_mut_ptr(), flags as _))?;
736
737            // Make sure we synchronize access to the global `environ` resource
738            let _env_lock = sys::os::env_read_lock();
739            let envp = envp.map(|c| c.as_ptr()).unwrap_or_else(|| *sys::os::environ() as *const _);
740
741            #[cfg(not(target_os = "nto"))]
742            let spawn_fn = libc::posix_spawnp;
743            #[cfg(target_os = "nto")]
744            let spawn_fn = retrying_libc_posix_spawnp;
745
746            #[cfg(target_os = "linux")]
747            if self.get_create_pidfd() && PIDFD_SUPPORTED.load(Ordering::Relaxed) == SPAWN {
748                let mut pidfd: libc::c_int = -1;
749                let spawn_res = pidfd_spawnp.get().unwrap()(
750                    &mut pidfd,
751                    self.get_program_cstr().as_ptr(),
752                    file_actions.0.as_ptr(),
753                    attrs.0.as_ptr(),
754                    self.get_argv().as_ptr() as *const _,
755                    envp as *const _,
756                );
757
758                let spawn_res = cvt_nz(spawn_res);
759                if let Err(ref e) = spawn_res
760                    && e.raw_os_error() == Some(libc::ENOSYS)
761                {
762                    PIDFD_SUPPORTED.store(FORK_EXEC, Ordering::Relaxed);
763                    return Ok(None);
764                }
765                spawn_res?;
766
767                let pid = match cvt(pidfd_getpid.get().unwrap()(pidfd)) {
768                    Ok(pid) => pid,
769                    Err(e) => {
770                        // The child has been spawned and we are holding its pidfd.
771                        // But we cannot obtain its pid even though pidfd_getpid support was verified earlier.
772                        // This might happen if libc can't open procfs because the file descriptor limit has been reached.
773                        libc::close(pidfd);
774                        return Err(Error::new(
775                            e.kind(),
776                            "pidfd_spawnp succeeded but the child's PID could not be obtained",
777                        ));
778                    }
779                };
780
781                return Ok(Some(Process::new(pid, pidfd)));
782            }
783
784            // Safety: -1 indicates we don't have a pidfd.
785            let mut p = Process::new(0, -1);
786
787            let spawn_res = spawn_fn(
788                &mut p.pid,
789                self.get_program_cstr().as_ptr(),
790                file_actions.0.as_ptr(),
791                attrs.0.as_ptr(),
792                self.get_argv().as_ptr() as *const _,
793                envp as *const _,
794            );
795
796            #[cfg(target_os = "nto")]
797            let spawn_res = spawn_res?;
798
799            cvt_nz(spawn_res)?;
800            Ok(Some(p))
801        }
802    }
803
804    #[cfg(target_os = "linux")]
805    fn send_pidfd(&self, sock: &crate::sys::net::Socket) {
806        use libc::{CMSG_DATA, CMSG_FIRSTHDR, CMSG_LEN, CMSG_SPACE, SCM_RIGHTS, SOL_SOCKET};
807
808        use crate::io::IoSlice;
809        use crate::os::fd::RawFd;
810        use crate::sys::cvt_r;
811
812        unsafe {
813            let child_pid = libc::getpid();
814            // pidfd_open sets CLOEXEC by default
815            let pidfd = libc::syscall(libc::SYS_pidfd_open, child_pid, 0);
816
817            let fds: [c_int; 1] = [pidfd as RawFd];
818
819            const SCM_MSG_LEN: usize = size_of::<[c_int; 1]>();
820
821            #[repr(C)]
822            union Cmsg {
823                buf: [u8; unsafe { CMSG_SPACE(SCM_MSG_LEN as u32) as usize }],
824                _align: libc::cmsghdr,
825            }
826
827            let mut cmsg: Cmsg = mem::zeroed();
828
829            // 0-length message to send through the socket so we can pass along the fd
830            let mut iov = [IoSlice::new(b"")];
831            let mut msg: libc::msghdr = mem::zeroed();
832
833            msg.msg_iov = (&raw mut iov) as *mut _;
834            msg.msg_iovlen = 1;
835
836            // only attach cmsg if we successfully acquired the pidfd
837            if pidfd >= 0 {
838                msg.msg_controllen = size_of_val(&cmsg.buf) as _;
839                msg.msg_control = (&raw mut cmsg.buf) as *mut _;
840
841                let hdr = CMSG_FIRSTHDR((&raw mut msg) as *mut _);
842                (*hdr).cmsg_level = SOL_SOCKET;
843                (*hdr).cmsg_type = SCM_RIGHTS;
844                (*hdr).cmsg_len = CMSG_LEN(SCM_MSG_LEN as _) as _;
845                let data = CMSG_DATA(hdr);
846                crate::ptr::copy_nonoverlapping(
847                    fds.as_ptr().cast::<u8>(),
848                    data as *mut _,
849                    SCM_MSG_LEN,
850                );
851            }
852
853            // we send the 0-length message even if we failed to acquire the pidfd
854            // so we get a consistent SEQPACKET order
855            match cvt_r(|| libc::sendmsg(sock.as_raw(), &msg, 0)) {
856                Ok(0) => {}
857                other => rtabort!("failed to communicate with parent process. {:?}", other),
858            }
859        }
860    }
861
862    #[cfg(target_os = "linux")]
863    fn recv_pidfd(&self, sock: &crate::sys::net::Socket) -> pid_t {
864        use libc::{CMSG_DATA, CMSG_FIRSTHDR, CMSG_LEN, CMSG_SPACE, SCM_RIGHTS, SOL_SOCKET};
865
866        use crate::io::IoSliceMut;
867        use crate::sys::cvt_r;
868
869        unsafe {
870            const SCM_MSG_LEN: usize = size_of::<[c_int; 1]>();
871
872            #[repr(C)]
873            union Cmsg {
874                _buf: [u8; unsafe { CMSG_SPACE(SCM_MSG_LEN as u32) as usize }],
875                _align: libc::cmsghdr,
876            }
877            let mut cmsg: Cmsg = mem::zeroed();
878            // 0-length read to get the fd
879            let mut iov = [IoSliceMut::new(&mut [])];
880
881            let mut msg: libc::msghdr = mem::zeroed();
882
883            msg.msg_iov = (&raw mut iov) as *mut _;
884            msg.msg_iovlen = 1;
885            msg.msg_controllen = size_of::<Cmsg>() as _;
886            msg.msg_control = (&raw mut cmsg) as *mut _;
887
888            match cvt_r(|| libc::recvmsg(sock.as_raw(), &mut msg, libc::MSG_CMSG_CLOEXEC)) {
889                Err(_) => return -1,
890                Ok(_) => {}
891            }
892
893            let hdr = CMSG_FIRSTHDR((&raw mut msg) as *mut _);
894            if hdr.is_null()
895                || (*hdr).cmsg_level != SOL_SOCKET
896                || (*hdr).cmsg_type != SCM_RIGHTS
897                || (*hdr).cmsg_len != CMSG_LEN(SCM_MSG_LEN as _) as _
898            {
899                return -1;
900            }
901            let data = CMSG_DATA(hdr);
902
903            let mut fds = [-1 as c_int];
904
905            crate::ptr::copy_nonoverlapping(
906                data as *const _,
907                fds.as_mut_ptr().cast::<u8>(),
908                SCM_MSG_LEN,
909            );
910
911            fds[0]
912        }
913    }
914}
915
916////////////////////////////////////////////////////////////////////////////////
917// Processes
918////////////////////////////////////////////////////////////////////////////////
919
920/// The unique ID of the process (this should never be negative).
921pub struct Process {
922    pid: pid_t,
923    status: Option<ExitStatus>,
924    // On Linux, stores the pidfd created for this child.
925    // This is None if the user did not request pidfd creation,
926    // or if the pidfd could not be created for some reason
927    // (e.g. the `pidfd_open` syscall was not available).
928    #[cfg(target_os = "linux")]
929    pidfd: Option<PidFd>,
930}
931
932impl Process {
933    #[cfg(target_os = "linux")]
934    /// # Safety
935    ///
936    /// `pidfd` must either be -1 (representing no file descriptor) or a valid, exclusively owned file
937    /// descriptor (See [I/O Safety]).
938    ///
939    /// [I/O Safety]: crate::io#io-safety
940    unsafe fn new(pid: pid_t, pidfd: pid_t) -> Self {
941        use crate::os::unix::io::FromRawFd;
942        use crate::sys_common::FromInner;
943        // Safety: If `pidfd` is nonnegative, we assume it's valid and otherwise unowned.
944        let pidfd = (pidfd >= 0).then(|| PidFd::from_inner(sys::fd::FileDesc::from_raw_fd(pidfd)));
945        Process { pid, status: None, pidfd }
946    }
947
948    #[cfg(not(target_os = "linux"))]
949    unsafe fn new(pid: pid_t, _pidfd: pid_t) -> Self {
950        Process { pid, status: None }
951    }
952
953    pub fn id(&self) -> u32 {
954        self.pid as u32
955    }
956
957    pub fn kill(&mut self) -> io::Result<()> {
958        // If we've already waited on this process then the pid can be recycled
959        // and used for another process, and we probably shouldn't be killing
960        // random processes, so return Ok because the process has exited already.
961        if self.status.is_some() {
962            return Ok(());
963        }
964        #[cfg(target_os = "linux")]
965        if let Some(pid_fd) = self.pidfd.as_ref() {
966            // pidfd_send_signal predates pidfd_open. so if we were able to get an fd then sending signals will work too
967            return pid_fd.kill();
968        }
969        cvt(unsafe { libc::kill(self.pid, libc::SIGKILL) }).map(drop)
970    }
971
972    pub fn wait(&mut self) -> io::Result<ExitStatus> {
973        use crate::sys::cvt_r;
974        if let Some(status) = self.status {
975            return Ok(status);
976        }
977        #[cfg(target_os = "linux")]
978        if let Some(pid_fd) = self.pidfd.as_ref() {
979            let status = pid_fd.wait()?;
980            self.status = Some(status);
981            return Ok(status);
982        }
983        let mut status = 0 as c_int;
984        cvt_r(|| unsafe { libc::waitpid(self.pid, &mut status, 0) })?;
985        self.status = Some(ExitStatus::new(status));
986        Ok(ExitStatus::new(status))
987    }
988
989    pub fn try_wait(&mut self) -> io::Result<Option<ExitStatus>> {
990        if let Some(status) = self.status {
991            return Ok(Some(status));
992        }
993        #[cfg(target_os = "linux")]
994        if let Some(pid_fd) = self.pidfd.as_ref() {
995            let status = pid_fd.try_wait()?;
996            if let Some(status) = status {
997                self.status = Some(status)
998            }
999            return Ok(status);
1000        }
1001        let mut status = 0 as c_int;
1002        let pid = cvt(unsafe { libc::waitpid(self.pid, &mut status, libc::WNOHANG) })?;
1003        if pid == 0 {
1004            Ok(None)
1005        } else {
1006            self.status = Some(ExitStatus::new(status));
1007            Ok(Some(ExitStatus::new(status)))
1008        }
1009    }
1010}
1011
1012/// Unix exit statuses
1013//
1014// This is not actually an "exit status" in Unix terminology.  Rather, it is a "wait status".
1015// See the discussion in comments and doc comments for `std::process::ExitStatus`.
1016#[derive(PartialEq, Eq, Clone, Copy, Default)]
1017pub struct ExitStatus(c_int);
1018
1019impl fmt::Debug for ExitStatus {
1020    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
1021        f.debug_tuple("unix_wait_status").field(&self.0).finish()
1022    }
1023}
1024
1025impl ExitStatus {
1026    pub fn new(status: c_int) -> ExitStatus {
1027        ExitStatus(status)
1028    }
1029
1030    #[cfg(target_os = "linux")]
1031    pub fn from_waitid_siginfo(siginfo: libc::siginfo_t) -> ExitStatus {
1032        let status = unsafe { siginfo.si_status() };
1033
1034        match siginfo.si_code {
1035            libc::CLD_EXITED => ExitStatus((status & 0xff) << 8),
1036            libc::CLD_KILLED => ExitStatus(status),
1037            libc::CLD_DUMPED => ExitStatus(status | 0x80),
1038            libc::CLD_CONTINUED => ExitStatus(0xffff),
1039            libc::CLD_STOPPED | libc::CLD_TRAPPED => ExitStatus(((status & 0xff) << 8) | 0x7f),
1040            _ => unreachable!("waitid() should only return the above codes"),
1041        }
1042    }
1043
1044    fn exited(&self) -> bool {
1045        libc::WIFEXITED(self.0)
1046    }
1047
1048    pub fn exit_ok(&self) -> Result<(), ExitStatusError> {
1049        // This assumes that WIFEXITED(status) && WEXITSTATUS==0 corresponds to status==0. This is
1050        // true on all actual versions of Unix, is widely assumed, and is specified in SuS
1051        // https://pubs.opengroup.org/onlinepubs/9699919799/functions/wait.html. If it is not
1052        // true for a platform pretending to be Unix, the tests (our doctests, and also
1053        // unix/tests.rs) will spot it. `ExitStatusError::code` assumes this too.
1054        match NonZero::try_from(self.0) {
1055            /* was nonzero */ Ok(failure) => Err(ExitStatusError(failure)),
1056            /* was zero, couldn't convert */ Err(_) => Ok(()),
1057        }
1058    }
1059
1060    pub fn code(&self) -> Option<i32> {
1061        self.exited().then(|| libc::WEXITSTATUS(self.0))
1062    }
1063
1064    pub fn signal(&self) -> Option<i32> {
1065        libc::WIFSIGNALED(self.0).then(|| libc::WTERMSIG(self.0))
1066    }
1067
1068    pub fn core_dumped(&self) -> bool {
1069        libc::WIFSIGNALED(self.0) && libc::WCOREDUMP(self.0)
1070    }
1071
1072    pub fn stopped_signal(&self) -> Option<i32> {
1073        libc::WIFSTOPPED(self.0).then(|| libc::WSTOPSIG(self.0))
1074    }
1075
1076    pub fn continued(&self) -> bool {
1077        libc::WIFCONTINUED(self.0)
1078    }
1079
1080    pub fn into_raw(&self) -> c_int {
1081        self.0
1082    }
1083}
1084
1085/// Converts a raw `c_int` to a type-safe `ExitStatus` by wrapping it without copying.
1086impl From<c_int> for ExitStatus {
1087    fn from(a: c_int) -> ExitStatus {
1088        ExitStatus(a)
1089    }
1090}
1091
1092/// Converts a signal number to a readable, searchable name.
1093///
1094/// This string should be displayed right after the signal number.
1095/// If a signal is unrecognized, it returns the empty string, so that
1096/// you just get the number like "0". If it is recognized, you'll get
1097/// something like "9 (SIGKILL)".
1098fn signal_string(signal: i32) -> &'static str {
1099    match signal {
1100        libc::SIGHUP => " (SIGHUP)",
1101        libc::SIGINT => " (SIGINT)",
1102        libc::SIGQUIT => " (SIGQUIT)",
1103        libc::SIGILL => " (SIGILL)",
1104        libc::SIGTRAP => " (SIGTRAP)",
1105        libc::SIGABRT => " (SIGABRT)",
1106        #[cfg(not(target_os = "l4re"))]
1107        libc::SIGBUS => " (SIGBUS)",
1108        libc::SIGFPE => " (SIGFPE)",
1109        libc::SIGKILL => " (SIGKILL)",
1110        #[cfg(not(target_os = "l4re"))]
1111        libc::SIGUSR1 => " (SIGUSR1)",
1112        libc::SIGSEGV => " (SIGSEGV)",
1113        #[cfg(not(target_os = "l4re"))]
1114        libc::SIGUSR2 => " (SIGUSR2)",
1115        libc::SIGPIPE => " (SIGPIPE)",
1116        libc::SIGALRM => " (SIGALRM)",
1117        libc::SIGTERM => " (SIGTERM)",
1118        #[cfg(not(target_os = "l4re"))]
1119        libc::SIGCHLD => " (SIGCHLD)",
1120        #[cfg(not(target_os = "l4re"))]
1121        libc::SIGCONT => " (SIGCONT)",
1122        #[cfg(not(target_os = "l4re"))]
1123        libc::SIGSTOP => " (SIGSTOP)",
1124        #[cfg(not(target_os = "l4re"))]
1125        libc::SIGTSTP => " (SIGTSTP)",
1126        #[cfg(not(target_os = "l4re"))]
1127        libc::SIGTTIN => " (SIGTTIN)",
1128        #[cfg(not(target_os = "l4re"))]
1129        libc::SIGTTOU => " (SIGTTOU)",
1130        #[cfg(not(target_os = "l4re"))]
1131        libc::SIGURG => " (SIGURG)",
1132        #[cfg(not(target_os = "l4re"))]
1133        libc::SIGXCPU => " (SIGXCPU)",
1134        #[cfg(not(any(target_os = "l4re", target_os = "rtems")))]
1135        libc::SIGXFSZ => " (SIGXFSZ)",
1136        #[cfg(not(any(target_os = "l4re", target_os = "rtems")))]
1137        libc::SIGVTALRM => " (SIGVTALRM)",
1138        #[cfg(not(target_os = "l4re"))]
1139        libc::SIGPROF => " (SIGPROF)",
1140        #[cfg(not(any(target_os = "l4re", target_os = "rtems")))]
1141        libc::SIGWINCH => " (SIGWINCH)",
1142        #[cfg(not(any(target_os = "haiku", target_os = "l4re")))]
1143        libc::SIGIO => " (SIGIO)",
1144        #[cfg(target_os = "haiku")]
1145        libc::SIGPOLL => " (SIGPOLL)",
1146        #[cfg(not(target_os = "l4re"))]
1147        libc::SIGSYS => " (SIGSYS)",
1148        // For information on Linux signals, run `man 7 signal`
1149        #[cfg(all(
1150            target_os = "linux",
1151            any(
1152                target_arch = "x86_64",
1153                target_arch = "x86",
1154                target_arch = "arm",
1155                target_arch = "aarch64"
1156            )
1157        ))]
1158        libc::SIGSTKFLT => " (SIGSTKFLT)",
1159        #[cfg(any(target_os = "linux", target_os = "nto", target_os = "cygwin"))]
1160        libc::SIGPWR => " (SIGPWR)",
1161        #[cfg(any(
1162            target_os = "freebsd",
1163            target_os = "netbsd",
1164            target_os = "openbsd",
1165            target_os = "dragonfly",
1166            target_os = "nto",
1167            target_vendor = "apple",
1168            target_os = "cygwin",
1169        ))]
1170        libc::SIGEMT => " (SIGEMT)",
1171        #[cfg(any(
1172            target_os = "freebsd",
1173            target_os = "netbsd",
1174            target_os = "openbsd",
1175            target_os = "dragonfly",
1176            target_vendor = "apple",
1177        ))]
1178        libc::SIGINFO => " (SIGINFO)",
1179        #[cfg(target_os = "hurd")]
1180        libc::SIGLOST => " (SIGLOST)",
1181        #[cfg(target_os = "freebsd")]
1182        libc::SIGTHR => " (SIGTHR)",
1183        #[cfg(target_os = "freebsd")]
1184        libc::SIGLIBRT => " (SIGLIBRT)",
1185        _ => "",
1186    }
1187}
1188
1189impl fmt::Display for ExitStatus {
1190    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
1191        if let Some(code) = self.code() {
1192            write!(f, "exit status: {code}")
1193        } else if let Some(signal) = self.signal() {
1194            let signal_string = signal_string(signal);
1195            if self.core_dumped() {
1196                write!(f, "signal: {signal}{signal_string} (core dumped)")
1197            } else {
1198                write!(f, "signal: {signal}{signal_string}")
1199            }
1200        } else if let Some(signal) = self.stopped_signal() {
1201            let signal_string = signal_string(signal);
1202            write!(f, "stopped (not terminated) by signal: {signal}{signal_string}")
1203        } else if self.continued() {
1204            write!(f, "continued (WIFCONTINUED)")
1205        } else {
1206            write!(f, "unrecognised wait status: {} {:#x}", self.0, self.0)
1207        }
1208    }
1209}
1210
1211#[derive(PartialEq, Eq, Clone, Copy)]
1212pub struct ExitStatusError(NonZero<c_int>);
1213
1214impl Into<ExitStatus> for ExitStatusError {
1215    fn into(self) -> ExitStatus {
1216        ExitStatus(self.0.into())
1217    }
1218}
1219
1220impl fmt::Debug for ExitStatusError {
1221    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
1222        f.debug_tuple("unix_wait_status").field(&self.0).finish()
1223    }
1224}
1225
1226impl ExitStatusError {
1227    pub fn code(self) -> Option<NonZero<i32>> {
1228        ExitStatus(self.0.into()).code().map(|st| st.try_into().unwrap())
1229    }
1230}
1231
1232#[cfg(target_os = "linux")]
1233mod linux_child_ext {
1234    use crate::io::ErrorKind;
1235    use crate::os::linux::process as os;
1236    use crate::sys::pal::linux::pidfd as imp;
1237    use crate::sys_common::FromInner;
1238    use crate::{io, mem};
1239
1240    #[unstable(feature = "linux_pidfd", issue = "82971")]
1241    impl crate::os::linux::process::ChildExt for crate::process::Child {
1242        fn pidfd(&self) -> io::Result<&os::PidFd> {
1243            self.handle
1244                .pidfd
1245                .as_ref()
1246                // SAFETY: The os type is a transparent wrapper, therefore we can transmute references
1247                .map(|fd| unsafe { mem::transmute::<&imp::PidFd, &os::PidFd>(fd) })
1248                .ok_or_else(|| io::const_error!(ErrorKind::Uncategorized, "no pidfd was created."))
1249        }
1250
1251        fn into_pidfd(mut self) -> Result<os::PidFd, Self> {
1252            self.handle
1253                .pidfd
1254                .take()
1255                .map(|fd| <os::PidFd as FromInner<imp::PidFd>>::from_inner(fd))
1256                .ok_or_else(|| self)
1257        }
1258    }
1259}
1260
1261#[cfg(test)]
1262mod tests;
1263
1264// See [`unsupported_wait_status::compare_with_linux`];
1265#[cfg(all(test, target_os = "linux"))]
1266#[path = "unsupported/wait_status.rs"]
1267mod unsupported_wait_status;