std/sys/process/unix/
unix.rs

1#[cfg(target_os = "vxworks")]
2use libc::RTP_ID as pid_t;
3#[cfg(not(target_os = "vxworks"))]
4use libc::{c_int, pid_t};
5#[cfg(not(any(
6    target_os = "vxworks",
7    target_os = "l4re",
8    target_os = "tvos",
9    target_os = "watchos",
10)))]
11use libc::{gid_t, uid_t};
12
13use super::common::*;
14use crate::io::{self, Error, ErrorKind};
15use crate::num::NonZero;
16use crate::process::StdioPipes;
17use crate::sys::cvt;
18#[cfg(target_os = "linux")]
19use crate::sys::pal::linux::pidfd::PidFd;
20use crate::{fmt, mem, sys};
21
22cfg_select! {
23    target_os = "nto" => {
24        use crate::thread;
25        use libc::{c_char, posix_spawn_file_actions_t, posix_spawnattr_t};
26        use crate::time::Duration;
27        use crate::sync::LazyLock;
28        // Get smallest amount of time we can sleep.
29        // Return a common value if it cannot be determined.
30        fn get_clock_resolution() -> Duration {
31            static MIN_DELAY: LazyLock<Duration, fn() -> Duration> = LazyLock::new(|| {
32                let mut mindelay = libc::timespec { tv_sec: 0, tv_nsec: 0 };
33                if unsafe { libc::clock_getres(libc::CLOCK_MONOTONIC, &mut mindelay) } == 0
34                {
35                    Duration::from_nanos(mindelay.tv_nsec as u64)
36                } else {
37                    Duration::from_millis(1)
38                }
39            });
40            *MIN_DELAY
41        }
42        // Arbitrary minimum sleep duration for retrying fork/spawn
43        const MIN_FORKSPAWN_SLEEP: Duration = Duration::from_nanos(1);
44        // Maximum duration of sleeping before giving up and returning an error
45        const MAX_FORKSPAWN_SLEEP: Duration = Duration::from_millis(1000);
46    }
47    _ => {}
48}
49
50////////////////////////////////////////////////////////////////////////////////
51// Command
52////////////////////////////////////////////////////////////////////////////////
53
54impl Command {
55    pub fn spawn(
56        &mut self,
57        default: Stdio,
58        needs_stdin: bool,
59    ) -> io::Result<(Process, StdioPipes)> {
60        const CLOEXEC_MSG_FOOTER: [u8; 4] = *b"NOEX";
61
62        let envp = self.capture_env();
63
64        if self.saw_nul() {
65            return Err(io::const_error!(
66                ErrorKind::InvalidInput,
67                "nul byte found in provided data",
68            ));
69        }
70
71        let (ours, theirs) = self.setup_io(default, needs_stdin)?;
72
73        if let Some(ret) = self.posix_spawn(&theirs, envp.as_ref())? {
74            return Ok((ret, ours));
75        }
76
77        #[cfg(target_os = "linux")]
78        let (input, output) = sys::net::Socket::new_pair(libc::AF_UNIX, libc::SOCK_SEQPACKET)?;
79
80        #[cfg(not(target_os = "linux"))]
81        let (input, output) = sys::pipe::anon_pipe()?;
82
83        // Whatever happens after the fork is almost for sure going to touch or
84        // look at the environment in one way or another (PATH in `execvp` or
85        // accessing the `environ` pointer ourselves). Make sure no other thread
86        // is accessing the environment when we do the fork itself.
87        //
88        // Note that as soon as we're done with the fork there's no need to hold
89        // a lock any more because the parent won't do anything and the child is
90        // in its own process. Thus the parent drops the lock guard immediately.
91        // The child calls `mem::forget` to leak the lock, which is crucial because
92        // releasing a lock is not async-signal-safe.
93        let env_lock = sys::env::env_read_lock();
94        let pid = unsafe { self.do_fork()? };
95
96        if pid == 0 {
97            crate::panic::always_abort();
98            mem::forget(env_lock); // avoid non-async-signal-safe unlocking
99            drop(input);
100            #[cfg(target_os = "linux")]
101            if self.get_create_pidfd() {
102                self.send_pidfd(&output);
103            }
104            let Err(err) = unsafe { self.do_exec(theirs, envp.as_ref()) };
105            let errno = err.raw_os_error().unwrap_or(libc::EINVAL) as u32;
106            let errno = errno.to_be_bytes();
107            let bytes = [
108                errno[0],
109                errno[1],
110                errno[2],
111                errno[3],
112                CLOEXEC_MSG_FOOTER[0],
113                CLOEXEC_MSG_FOOTER[1],
114                CLOEXEC_MSG_FOOTER[2],
115                CLOEXEC_MSG_FOOTER[3],
116            ];
117            // pipe I/O up to PIPE_BUF bytes should be atomic, and then
118            // we want to be sure we *don't* run at_exit destructors as
119            // we're being torn down regardless
120            rtassert!(output.write(&bytes).is_ok());
121            unsafe { libc::_exit(1) }
122        }
123
124        drop(env_lock);
125        drop(output);
126
127        #[cfg(target_os = "linux")]
128        let pidfd = if self.get_create_pidfd() { self.recv_pidfd(&input) } else { -1 };
129
130        #[cfg(not(target_os = "linux"))]
131        let pidfd = -1;
132
133        // Safety: We obtained the pidfd (on Linux) using SOCK_SEQPACKET, so it's valid.
134        let mut p = unsafe { Process::new(pid, pidfd) };
135        let mut bytes = [0; 8];
136
137        // loop to handle EINTR
138        loop {
139            match input.read(&mut bytes) {
140                Ok(0) => return Ok((p, ours)),
141                Ok(8) => {
142                    let (errno, footer) = bytes.split_at(4);
143                    assert_eq!(
144                        CLOEXEC_MSG_FOOTER, footer,
145                        "Validation on the CLOEXEC pipe failed: {:?}",
146                        bytes
147                    );
148                    let errno = i32::from_be_bytes(errno.try_into().unwrap());
149                    assert!(p.wait().is_ok(), "wait() should either return Ok or panic");
150                    return Err(Error::from_raw_os_error(errno));
151                }
152                Err(ref e) if e.is_interrupted() => {}
153                Err(e) => {
154                    assert!(p.wait().is_ok(), "wait() should either return Ok or panic");
155                    panic!("the CLOEXEC pipe failed: {e:?}")
156                }
157                Ok(..) => {
158                    // pipe I/O up to PIPE_BUF bytes should be atomic
159                    // similarly SOCK_SEQPACKET messages should arrive whole
160                    assert!(p.wait().is_ok(), "wait() should either return Ok or panic");
161                    panic!("short read on the CLOEXEC pipe")
162                }
163            }
164        }
165    }
166
167    // WatchOS and TVOS headers mark the `fork`/`exec*` functions with
168    // `__WATCHOS_PROHIBITED __TVOS_PROHIBITED`, and indicate that the
169    // `posix_spawn*` functions should be used instead. It isn't entirely clear
170    // what `PROHIBITED` means here (e.g. if calls to these functions are
171    // allowed to exist in dead code), but it sounds bad, so we go out of our
172    // way to avoid that all-together.
173    #[cfg(any(target_os = "tvos", target_os = "watchos"))]
174    const ERR_APPLE_TV_WATCH_NO_FORK_EXEC: Error = io::const_error!(
175        ErrorKind::Unsupported,
176        "`fork`+`exec`-based process spawning is not supported on this target",
177    );
178
179    #[cfg(any(target_os = "tvos", target_os = "watchos"))]
180    unsafe fn do_fork(&mut self) -> Result<pid_t, io::Error> {
181        return Err(Self::ERR_APPLE_TV_WATCH_NO_FORK_EXEC);
182    }
183
184    // Attempts to fork the process. If successful, returns Ok((0, -1))
185    // in the child, and Ok((child_pid, -1)) in the parent.
186    #[cfg(not(any(target_os = "watchos", target_os = "tvos", target_os = "nto")))]
187    unsafe fn do_fork(&mut self) -> Result<pid_t, io::Error> {
188        cvt(libc::fork())
189    }
190
191    // On QNX Neutrino, fork can fail with EBADF in case "another thread might have opened
192    // or closed a file descriptor while the fork() was occurring".
193    // Documentation says "... or try calling fork() again". This is what we do here.
194    // See also https://www.qnx.com/developers/docs/7.1/#com.qnx.doc.neutrino.lib_ref/topic/f/fork.html
195    #[cfg(target_os = "nto")]
196    unsafe fn do_fork(&mut self) -> Result<pid_t, io::Error> {
197        use crate::sys::os::errno;
198
199        let mut delay = MIN_FORKSPAWN_SLEEP;
200
201        loop {
202            let r = libc::fork();
203            if r == -1 as libc::pid_t && errno() as libc::c_int == libc::EBADF {
204                if delay < get_clock_resolution() {
205                    // We cannot sleep this short (it would be longer).
206                    // Yield instead.
207                    thread::yield_now();
208                } else if delay < MAX_FORKSPAWN_SLEEP {
209                    thread::sleep(delay);
210                } else {
211                    return Err(io::const_error!(
212                        ErrorKind::WouldBlock,
213                        "forking returned EBADF too often",
214                    ));
215                }
216                delay *= 2;
217                continue;
218            } else {
219                return cvt(r);
220            }
221        }
222    }
223
224    pub fn exec(&mut self, default: Stdio) -> io::Error {
225        let envp = self.capture_env();
226
227        if self.saw_nul() {
228            return io::const_error!(ErrorKind::InvalidInput, "nul byte found in provided data");
229        }
230
231        match self.setup_io(default, true) {
232            Ok((_, theirs)) => {
233                unsafe {
234                    // Similar to when forking, we want to ensure that access to
235                    // the environment is synchronized, so make sure to grab the
236                    // environment lock before we try to exec.
237                    let _lock = sys::env::env_read_lock();
238
239                    let Err(e) = self.do_exec(theirs, envp.as_ref());
240                    e
241                }
242            }
243            Err(e) => e,
244        }
245    }
246
247    // And at this point we've reached a special time in the life of the
248    // child. The child must now be considered hamstrung and unable to
249    // do anything other than syscalls really. Consider the following
250    // scenario:
251    //
252    //      1. Thread A of process 1 grabs the malloc() mutex
253    //      2. Thread B of process 1 forks(), creating thread C
254    //      3. Thread C of process 2 then attempts to malloc()
255    //      4. The memory of process 2 is the same as the memory of
256    //         process 1, so the mutex is locked.
257    //
258    // This situation looks a lot like deadlock, right? It turns out
259    // that this is what pthread_atfork() takes care of, which is
260    // presumably implemented across platforms. The first thing that
261    // threads to *before* forking is to do things like grab the malloc
262    // mutex, and then after the fork they unlock it.
263    //
264    // Despite this information, libnative's spawn has been witnessed to
265    // deadlock on both macOS and FreeBSD. I'm not entirely sure why, but
266    // all collected backtraces point at malloc/free traffic in the
267    // child spawned process.
268    //
269    // For this reason, the block of code below should contain 0
270    // invocations of either malloc of free (or their related friends).
271    //
272    // As an example of not having malloc/free traffic, we don't close
273    // this file descriptor by dropping the FileDesc (which contains an
274    // allocation). Instead we just close it manually. This will never
275    // have the drop glue anyway because this code never returns (the
276    // child will either exec() or invoke libc::exit)
277    #[cfg(not(any(target_os = "tvos", target_os = "watchos")))]
278    unsafe fn do_exec(
279        &mut self,
280        stdio: ChildPipes,
281        maybe_envp: Option<&CStringArray>,
282    ) -> Result<!, io::Error> {
283        use crate::sys::{self, cvt_r};
284
285        if let Some(fd) = stdio.stdin.fd() {
286            cvt_r(|| libc::dup2(fd, libc::STDIN_FILENO))?;
287        }
288        if let Some(fd) = stdio.stdout.fd() {
289            cvt_r(|| libc::dup2(fd, libc::STDOUT_FILENO))?;
290        }
291        if let Some(fd) = stdio.stderr.fd() {
292            cvt_r(|| libc::dup2(fd, libc::STDERR_FILENO))?;
293        }
294
295        #[cfg(not(target_os = "l4re"))]
296        {
297            if let Some(_g) = self.get_groups() {
298                //FIXME: Redox kernel does not support setgroups yet
299                #[cfg(not(target_os = "redox"))]
300                cvt(libc::setgroups(_g.len().try_into().unwrap(), _g.as_ptr()))?;
301            }
302            if let Some(u) = self.get_gid() {
303                cvt(libc::setgid(u as gid_t))?;
304            }
305            if let Some(u) = self.get_uid() {
306                // When dropping privileges from root, the `setgroups` call
307                // will remove any extraneous groups. We only drop groups
308                // if we have CAP_SETGID and we weren't given an explicit
309                // set of groups. If we don't call this, then even though our
310                // uid has dropped, we may still have groups that enable us to
311                // do super-user things.
312                //FIXME: Redox kernel does not support setgroups yet
313                #[cfg(not(target_os = "redox"))]
314                if self.get_groups().is_none() {
315                    let res = cvt(libc::setgroups(0, crate::ptr::null()));
316                    if let Err(e) = res {
317                        // Here we ignore the case of not having CAP_SETGID.
318                        // An alternative would be to require CAP_SETGID (in
319                        // addition to CAP_SETUID) for setting the UID.
320                        if e.raw_os_error() != Some(libc::EPERM) {
321                            return Err(e.into());
322                        }
323                    }
324                }
325                cvt(libc::setuid(u as uid_t))?;
326            }
327        }
328        if let Some(chroot) = self.get_chroot() {
329            #[cfg(not(target_os = "fuchsia"))]
330            cvt(libc::chroot(chroot.as_ptr()))?;
331            #[cfg(target_os = "fuchsia")]
332            return Err(io::const_error!(
333                io::ErrorKind::Unsupported,
334                "chroot not supported by fuchsia"
335            ));
336        }
337        if let Some(cwd) = self.get_cwd() {
338            cvt(libc::chdir(cwd.as_ptr()))?;
339        }
340
341        if let Some(pgroup) = self.get_pgroup() {
342            cvt(libc::setpgid(0, pgroup))?;
343        }
344
345        if self.get_setsid() {
346            cvt(libc::setsid())?;
347        }
348
349        // emscripten has no signal support.
350        #[cfg(not(target_os = "emscripten"))]
351        {
352            // Inherit the signal mask from the parent rather than resetting it (i.e. do not call
353            // pthread_sigmask).
354
355            // If -Zon-broken-pipe is used, don't reset SIGPIPE to SIG_DFL.
356            // If -Zon-broken-pipe is not used, reset SIGPIPE to SIG_DFL for backward compatibility.
357            //
358            // -Zon-broken-pipe is an opportunity to change the default here.
359            if !crate::sys::pal::on_broken_pipe_flag_used() {
360                #[cfg(target_os = "android")] // see issue #88585
361                {
362                    let mut action: libc::sigaction = mem::zeroed();
363                    action.sa_sigaction = libc::SIG_DFL;
364                    cvt(libc::sigaction(libc::SIGPIPE, &action, crate::ptr::null_mut()))?;
365                }
366                #[cfg(not(target_os = "android"))]
367                {
368                    let ret = sys::signal(libc::SIGPIPE, libc::SIG_DFL);
369                    if ret == libc::SIG_ERR {
370                        return Err(io::Error::last_os_error());
371                    }
372                }
373                #[cfg(target_os = "hurd")]
374                {
375                    let ret = sys::signal(libc::SIGLOST, libc::SIG_DFL);
376                    if ret == libc::SIG_ERR {
377                        return Err(io::Error::last_os_error());
378                    }
379                }
380            }
381        }
382
383        for callback in self.get_closures().iter_mut() {
384            callback()?;
385        }
386
387        // Although we're performing an exec here we may also return with an
388        // error from this function (without actually exec'ing) in which case we
389        // want to be sure to restore the global environment back to what it
390        // once was, ensuring that our temporary override, when free'd, doesn't
391        // corrupt our process's environment.
392        let mut _reset = None;
393        if let Some(envp) = maybe_envp {
394            struct Reset(*const *const libc::c_char);
395
396            impl Drop for Reset {
397                fn drop(&mut self) {
398                    unsafe {
399                        *sys::env::environ() = self.0;
400                    }
401                }
402            }
403
404            _reset = Some(Reset(*sys::env::environ()));
405            *sys::env::environ() = envp.as_ptr();
406        }
407
408        libc::execvp(self.get_program_cstr().as_ptr(), self.get_argv().as_ptr());
409        Err(io::Error::last_os_error())
410    }
411
412    #[cfg(any(target_os = "tvos", target_os = "watchos"))]
413    unsafe fn do_exec(
414        &mut self,
415        _stdio: ChildPipes,
416        _maybe_envp: Option<&CStringArray>,
417    ) -> Result<!, io::Error> {
418        return Err(Self::ERR_APPLE_TV_WATCH_NO_FORK_EXEC);
419    }
420
421    #[cfg(not(any(
422        target_os = "freebsd",
423        target_os = "illumos",
424        all(target_os = "linux", target_env = "gnu"),
425        all(target_os = "linux", target_env = "musl"),
426        target_os = "nto",
427        target_vendor = "apple",
428        target_os = "cygwin",
429    )))]
430    fn posix_spawn(
431        &mut self,
432        _: &ChildPipes,
433        _: Option<&CStringArray>,
434    ) -> io::Result<Option<Process>> {
435        Ok(None)
436    }
437
438    // Only support platforms for which posix_spawn() can return ENOENT
439    // directly.
440    #[cfg(any(
441        target_os = "freebsd",
442        target_os = "illumos",
443        all(target_os = "linux", target_env = "gnu"),
444        all(target_os = "linux", target_env = "musl"),
445        target_os = "nto",
446        target_vendor = "apple",
447        target_os = "cygwin",
448    ))]
449    fn posix_spawn(
450        &mut self,
451        stdio: &ChildPipes,
452        envp: Option<&CStringArray>,
453    ) -> io::Result<Option<Process>> {
454        #[cfg(target_os = "linux")]
455        use core::sync::atomic::{Atomic, AtomicU8, Ordering};
456
457        use crate::mem::MaybeUninit;
458        use crate::sys::{self, cvt_nz, on_broken_pipe_flag_used};
459
460        if self.get_gid().is_some()
461            || self.get_uid().is_some()
462            || (self.env_saw_path() && !self.program_is_path())
463            || !self.get_closures().is_empty()
464            || self.get_groups().is_some()
465            || self.get_chroot().is_some()
466        {
467            return Ok(None);
468        }
469
470        cfg_select! {
471            target_os = "linux" => {
472                use crate::sys::weak::weak;
473
474                weak!(
475                    fn pidfd_spawnp(
476                        pidfd: *mut libc::c_int,
477                        path: *const libc::c_char,
478                        file_actions: *const libc::posix_spawn_file_actions_t,
479                        attrp: *const libc::posix_spawnattr_t,
480                        argv: *const *mut libc::c_char,
481                        envp: *const *mut libc::c_char,
482                    ) -> libc::c_int;
483                );
484
485                weak!(
486                    fn pidfd_getpid(pidfd: libc::c_int) -> libc::c_int;
487                );
488
489                static PIDFD_SUPPORTED: Atomic<u8> = AtomicU8::new(0);
490                const UNKNOWN: u8 = 0;
491                const SPAWN: u8 = 1;
492                // Obtaining a pidfd via the fork+exec path might work
493                const FORK_EXEC: u8 = 2;
494                // Neither pidfd_spawn nor fork/exec will get us a pidfd.
495                // Instead we'll just posix_spawn if the other preconditions are met.
496                const NO: u8 = 3;
497
498                if self.get_create_pidfd() {
499                    let mut support = PIDFD_SUPPORTED.load(Ordering::Relaxed);
500                    if support == FORK_EXEC {
501                        return Ok(None);
502                    }
503                    if support == UNKNOWN {
504                        support = NO;
505                        let our_pid = crate::process::id();
506                        let pidfd = cvt(unsafe { libc::syscall(libc::SYS_pidfd_open, our_pid, 0) } as c_int);
507                        match pidfd {
508                            Ok(pidfd) => {
509                                support = FORK_EXEC;
510                                if let Some(Ok(pid)) = pidfd_getpid.get().map(|f| cvt(unsafe { f(pidfd) } as i32)) {
511                                    if pidfd_spawnp.get().is_some() && pid as u32 == our_pid {
512                                        support = SPAWN
513                                    }
514                                }
515                                unsafe { libc::close(pidfd) };
516                            }
517                            Err(e) if e.raw_os_error() == Some(libc::EMFILE) => {
518                                // We're temporarily(?) out of file descriptors.  In this case obtaining a pidfd would also fail
519                                // Don't update the support flag so we can probe again later.
520                                return Err(e)
521                            }
522                            _ => {}
523                        }
524                        PIDFD_SUPPORTED.store(support, Ordering::Relaxed);
525                        if support == FORK_EXEC {
526                            return Ok(None);
527                        }
528                    }
529                    core::assert_matches::debug_assert_matches!(support, SPAWN | NO);
530                }
531            }
532            _ => {
533                if self.get_create_pidfd() {
534                    unreachable!("only implemented on linux")
535                }
536            }
537        }
538
539        // Only glibc 2.24+ posix_spawn() supports returning ENOENT directly.
540        #[cfg(all(target_os = "linux", target_env = "gnu"))]
541        {
542            if let Some(version) = sys::os::glibc_version() {
543                if version < (2, 24) {
544                    return Ok(None);
545                }
546            } else {
547                return Ok(None);
548            }
549        }
550
551        // On QNX Neutrino, posix_spawnp can fail with EBADF in case "another thread might have opened
552        // or closed a file descriptor while the posix_spawn() was occurring".
553        // Documentation says "... or try calling posix_spawn() again". This is what we do here.
554        // See also http://www.qnx.com/developers/docs/7.1/#com.qnx.doc.neutrino.lib_ref/topic/p/posix_spawn.html
555        #[cfg(target_os = "nto")]
556        unsafe fn retrying_libc_posix_spawnp(
557            pid: *mut pid_t,
558            file: *const c_char,
559            file_actions: *const posix_spawn_file_actions_t,
560            attrp: *const posix_spawnattr_t,
561            argv: *const *mut c_char,
562            envp: *const *mut c_char,
563        ) -> io::Result<i32> {
564            let mut delay = MIN_FORKSPAWN_SLEEP;
565            loop {
566                match libc::posix_spawnp(pid, file, file_actions, attrp, argv, envp) {
567                    libc::EBADF => {
568                        if delay < get_clock_resolution() {
569                            // We cannot sleep this short (it would be longer).
570                            // Yield instead.
571                            thread::yield_now();
572                        } else if delay < MAX_FORKSPAWN_SLEEP {
573                            thread::sleep(delay);
574                        } else {
575                            return Err(io::const_error!(
576                                ErrorKind::WouldBlock,
577                                "posix_spawnp returned EBADF too often",
578                            ));
579                        }
580                        delay *= 2;
581                        continue;
582                    }
583                    r => {
584                        return Ok(r);
585                    }
586                }
587            }
588        }
589
590        type PosixSpawnAddChdirFn = unsafe extern "C" fn(
591            *mut libc::posix_spawn_file_actions_t,
592            *const libc::c_char,
593        ) -> libc::c_int;
594
595        /// Get the function pointer for adding a chdir action to a
596        /// `posix_spawn_file_actions_t`, if available, assuming a dynamic libc.
597        ///
598        /// Some platforms can set a new working directory for a spawned process in the
599        /// `posix_spawn` path. This function looks up the function pointer for adding
600        /// such an action to a `posix_spawn_file_actions_t` struct.
601        #[cfg(not(any(all(target_os = "linux", target_env = "musl"), target_os = "cygwin")))]
602        fn get_posix_spawn_addchdir() -> Option<PosixSpawnAddChdirFn> {
603            use crate::sys::weak::weak;
604
605            // POSIX.1-2024 standardizes this function:
606            // https://pubs.opengroup.org/onlinepubs/9799919799/functions/posix_spawn_file_actions_addchdir.html.
607            // The _np version is more widely available, though, so try that first.
608
609            weak!(
610                fn posix_spawn_file_actions_addchdir_np(
611                    file_actions: *mut libc::posix_spawn_file_actions_t,
612                    path: *const libc::c_char,
613                ) -> libc::c_int;
614            );
615
616            weak!(
617                fn posix_spawn_file_actions_addchdir(
618                    file_actions: *mut libc::posix_spawn_file_actions_t,
619                    path: *const libc::c_char,
620                ) -> libc::c_int;
621            );
622
623            posix_spawn_file_actions_addchdir_np
624                .get()
625                .or_else(|| posix_spawn_file_actions_addchdir.get())
626        }
627
628        /// Get the function pointer for adding a chdir action to a
629        /// `posix_spawn_file_actions_t`, if available, on platforms where the function
630        /// is known to exist.
631        ///
632        /// Weak symbol lookup doesn't work with statically linked libcs, so in cases
633        /// where static linking is possible we need to either check for the presence
634        /// of the symbol at compile time or know about it upfront.
635        ///
636        /// Cygwin doesn't support weak symbol, so just link it.
637        #[cfg(any(all(target_os = "linux", target_env = "musl"), target_os = "cygwin"))]
638        fn get_posix_spawn_addchdir() -> Option<PosixSpawnAddChdirFn> {
639            // Our minimum required musl supports this function, so we can just use it.
640            Some(libc::posix_spawn_file_actions_addchdir_np)
641        }
642
643        let addchdir = match self.get_cwd() {
644            Some(cwd) => {
645                if cfg!(target_vendor = "apple") {
646                    // There is a bug in macOS where a relative executable
647                    // path like "../myprogram" will cause `posix_spawn` to
648                    // successfully launch the program, but erroneously return
649                    // ENOENT when used with posix_spawn_file_actions_addchdir_np
650                    // which was introduced in macOS 10.15.
651                    if self.get_program_kind() == ProgramKind::Relative {
652                        return Ok(None);
653                    }
654                }
655                // Check for the availability of the posix_spawn addchdir
656                // function now. If it isn't available, bail and use the
657                // fork/exec path.
658                match get_posix_spawn_addchdir() {
659                    Some(f) => Some((f, cwd)),
660                    None => return Ok(None),
661                }
662            }
663            None => None,
664        };
665
666        let pgroup = self.get_pgroup();
667
668        struct PosixSpawnFileActions<'a>(&'a mut MaybeUninit<libc::posix_spawn_file_actions_t>);
669
670        impl Drop for PosixSpawnFileActions<'_> {
671            fn drop(&mut self) {
672                unsafe {
673                    libc::posix_spawn_file_actions_destroy(self.0.as_mut_ptr());
674                }
675            }
676        }
677
678        struct PosixSpawnattr<'a>(&'a mut MaybeUninit<libc::posix_spawnattr_t>);
679
680        impl Drop for PosixSpawnattr<'_> {
681            fn drop(&mut self) {
682                unsafe {
683                    libc::posix_spawnattr_destroy(self.0.as_mut_ptr());
684                }
685            }
686        }
687
688        unsafe {
689            let mut attrs = MaybeUninit::uninit();
690            cvt_nz(libc::posix_spawnattr_init(attrs.as_mut_ptr()))?;
691            let attrs = PosixSpawnattr(&mut attrs);
692
693            let mut flags = 0;
694
695            let mut file_actions = MaybeUninit::uninit();
696            cvt_nz(libc::posix_spawn_file_actions_init(file_actions.as_mut_ptr()))?;
697            let file_actions = PosixSpawnFileActions(&mut file_actions);
698
699            if let Some(fd) = stdio.stdin.fd() {
700                cvt_nz(libc::posix_spawn_file_actions_adddup2(
701                    file_actions.0.as_mut_ptr(),
702                    fd,
703                    libc::STDIN_FILENO,
704                ))?;
705            }
706            if let Some(fd) = stdio.stdout.fd() {
707                cvt_nz(libc::posix_spawn_file_actions_adddup2(
708                    file_actions.0.as_mut_ptr(),
709                    fd,
710                    libc::STDOUT_FILENO,
711                ))?;
712            }
713            if let Some(fd) = stdio.stderr.fd() {
714                cvt_nz(libc::posix_spawn_file_actions_adddup2(
715                    file_actions.0.as_mut_ptr(),
716                    fd,
717                    libc::STDERR_FILENO,
718                ))?;
719            }
720            if let Some((f, cwd)) = addchdir {
721                cvt_nz(f(file_actions.0.as_mut_ptr(), cwd.as_ptr()))?;
722            }
723
724            if let Some(pgroup) = pgroup {
725                flags |= libc::POSIX_SPAWN_SETPGROUP;
726                cvt_nz(libc::posix_spawnattr_setpgroup(attrs.0.as_mut_ptr(), pgroup))?;
727            }
728
729            // Inherit the signal mask from this process rather than resetting it (i.e. do not call
730            // posix_spawnattr_setsigmask).
731
732            // If -Zon-broken-pipe is used, don't reset SIGPIPE to SIG_DFL.
733            // If -Zon-broken-pipe is not used, reset SIGPIPE to SIG_DFL for backward compatibility.
734            //
735            // -Zon-broken-pipe is an opportunity to change the default here.
736            if !on_broken_pipe_flag_used() {
737                let mut default_set = MaybeUninit::<libc::sigset_t>::uninit();
738                cvt(sigemptyset(default_set.as_mut_ptr()))?;
739                cvt(sigaddset(default_set.as_mut_ptr(), libc::SIGPIPE))?;
740                #[cfg(target_os = "hurd")]
741                {
742                    cvt(sigaddset(default_set.as_mut_ptr(), libc::SIGLOST))?;
743                }
744                cvt_nz(libc::posix_spawnattr_setsigdefault(
745                    attrs.0.as_mut_ptr(),
746                    default_set.as_ptr(),
747                ))?;
748                flags |= libc::POSIX_SPAWN_SETSIGDEF;
749            }
750
751            if self.get_setsid() {
752                cfg_select! {
753                    all(target_os = "linux", target_env = "gnu") => {
754                        flags |= libc::POSIX_SPAWN_SETSID;
755                    }
756                    _ => {
757                        return Ok(None);
758                    }
759                }
760            }
761
762            cvt_nz(libc::posix_spawnattr_setflags(attrs.0.as_mut_ptr(), flags as _))?;
763
764            // Make sure we synchronize access to the global `environ` resource
765            let _env_lock = sys::env::env_read_lock();
766            let envp = envp.map(|c| c.as_ptr()).unwrap_or_else(|| *sys::env::environ() as *const _);
767
768            #[cfg(not(target_os = "nto"))]
769            let spawn_fn = libc::posix_spawnp;
770            #[cfg(target_os = "nto")]
771            let spawn_fn = retrying_libc_posix_spawnp;
772
773            #[cfg(target_os = "linux")]
774            if self.get_create_pidfd() && PIDFD_SUPPORTED.load(Ordering::Relaxed) == SPAWN {
775                let mut pidfd: libc::c_int = -1;
776                let spawn_res = pidfd_spawnp.get().unwrap()(
777                    &mut pidfd,
778                    self.get_program_cstr().as_ptr(),
779                    file_actions.0.as_ptr(),
780                    attrs.0.as_ptr(),
781                    self.get_argv().as_ptr() as *const _,
782                    envp as *const _,
783                );
784
785                let spawn_res = cvt_nz(spawn_res);
786                if let Err(ref e) = spawn_res
787                    && e.raw_os_error() == Some(libc::ENOSYS)
788                {
789                    PIDFD_SUPPORTED.store(FORK_EXEC, Ordering::Relaxed);
790                    return Ok(None);
791                }
792                spawn_res?;
793
794                let pid = match cvt(pidfd_getpid.get().unwrap()(pidfd)) {
795                    Ok(pid) => pid,
796                    Err(e) => {
797                        // The child has been spawned and we are holding its pidfd.
798                        // But we cannot obtain its pid even though pidfd_getpid support was verified earlier.
799                        // This might happen if libc can't open procfs because the file descriptor limit has been reached.
800                        libc::close(pidfd);
801                        return Err(Error::new(
802                            e.kind(),
803                            "pidfd_spawnp succeeded but the child's PID could not be obtained",
804                        ));
805                    }
806                };
807
808                return Ok(Some(Process::new(pid, pidfd)));
809            }
810
811            // Safety: -1 indicates we don't have a pidfd.
812            let mut p = Process::new(0, -1);
813
814            let spawn_res = spawn_fn(
815                &mut p.pid,
816                self.get_program_cstr().as_ptr(),
817                file_actions.0.as_ptr(),
818                attrs.0.as_ptr(),
819                self.get_argv().as_ptr() as *const _,
820                envp as *const _,
821            );
822
823            #[cfg(target_os = "nto")]
824            let spawn_res = spawn_res?;
825
826            cvt_nz(spawn_res)?;
827            Ok(Some(p))
828        }
829    }
830
831    #[cfg(target_os = "linux")]
832    fn send_pidfd(&self, sock: &crate::sys::net::Socket) {
833        use libc::{CMSG_DATA, CMSG_FIRSTHDR, CMSG_LEN, CMSG_SPACE, SCM_RIGHTS, SOL_SOCKET};
834
835        use crate::io::IoSlice;
836        use crate::os::fd::RawFd;
837        use crate::sys::cvt_r;
838
839        unsafe {
840            let child_pid = libc::getpid();
841            // pidfd_open sets CLOEXEC by default
842            let pidfd = libc::syscall(libc::SYS_pidfd_open, child_pid, 0);
843
844            let fds: [c_int; 1] = [pidfd as RawFd];
845
846            const SCM_MSG_LEN: usize = size_of::<[c_int; 1]>();
847
848            #[repr(C)]
849            union Cmsg {
850                buf: [u8; unsafe { CMSG_SPACE(SCM_MSG_LEN as u32) as usize }],
851                _align: libc::cmsghdr,
852            }
853
854            let mut cmsg: Cmsg = mem::zeroed();
855
856            // 0-length message to send through the socket so we can pass along the fd
857            let mut iov = [IoSlice::new(b"")];
858            let mut msg: libc::msghdr = mem::zeroed();
859
860            msg.msg_iov = (&raw mut iov) as *mut _;
861            msg.msg_iovlen = 1;
862
863            // only attach cmsg if we successfully acquired the pidfd
864            if pidfd >= 0 {
865                msg.msg_controllen = size_of_val(&cmsg.buf) as _;
866                msg.msg_control = (&raw mut cmsg.buf) as *mut _;
867
868                let hdr = CMSG_FIRSTHDR((&raw mut msg) as *mut _);
869                (*hdr).cmsg_level = SOL_SOCKET;
870                (*hdr).cmsg_type = SCM_RIGHTS;
871                (*hdr).cmsg_len = CMSG_LEN(SCM_MSG_LEN as _) as _;
872                let data = CMSG_DATA(hdr);
873                crate::ptr::copy_nonoverlapping(
874                    fds.as_ptr().cast::<u8>(),
875                    data as *mut _,
876                    SCM_MSG_LEN,
877                );
878            }
879
880            // we send the 0-length message even if we failed to acquire the pidfd
881            // so we get a consistent SEQPACKET order
882            match cvt_r(|| libc::sendmsg(sock.as_raw(), &msg, 0)) {
883                Ok(0) => {}
884                other => rtabort!("failed to communicate with parent process. {:?}", other),
885            }
886        }
887    }
888
889    #[cfg(target_os = "linux")]
890    fn recv_pidfd(&self, sock: &crate::sys::net::Socket) -> pid_t {
891        use libc::{CMSG_DATA, CMSG_FIRSTHDR, CMSG_LEN, CMSG_SPACE, SCM_RIGHTS, SOL_SOCKET};
892
893        use crate::io::IoSliceMut;
894        use crate::sys::cvt_r;
895
896        unsafe {
897            const SCM_MSG_LEN: usize = size_of::<[c_int; 1]>();
898
899            #[repr(C)]
900            union Cmsg {
901                _buf: [u8; unsafe { CMSG_SPACE(SCM_MSG_LEN as u32) as usize }],
902                _align: libc::cmsghdr,
903            }
904            let mut cmsg: Cmsg = mem::zeroed();
905            // 0-length read to get the fd
906            let mut iov = [IoSliceMut::new(&mut [])];
907
908            let mut msg: libc::msghdr = mem::zeroed();
909
910            msg.msg_iov = (&raw mut iov) as *mut _;
911            msg.msg_iovlen = 1;
912            msg.msg_controllen = size_of::<Cmsg>() as _;
913            msg.msg_control = (&raw mut cmsg) as *mut _;
914
915            match cvt_r(|| libc::recvmsg(sock.as_raw(), &mut msg, libc::MSG_CMSG_CLOEXEC)) {
916                Err(_) => return -1,
917                Ok(_) => {}
918            }
919
920            let hdr = CMSG_FIRSTHDR((&raw mut msg) as *mut _);
921            if hdr.is_null()
922                || (*hdr).cmsg_level != SOL_SOCKET
923                || (*hdr).cmsg_type != SCM_RIGHTS
924                || (*hdr).cmsg_len != CMSG_LEN(SCM_MSG_LEN as _) as _
925            {
926                return -1;
927            }
928            let data = CMSG_DATA(hdr);
929
930            let mut fds = [-1 as c_int];
931
932            crate::ptr::copy_nonoverlapping(
933                data as *const _,
934                fds.as_mut_ptr().cast::<u8>(),
935                SCM_MSG_LEN,
936            );
937
938            fds[0]
939        }
940    }
941}
942
943////////////////////////////////////////////////////////////////////////////////
944// Processes
945////////////////////////////////////////////////////////////////////////////////
946
947/// The unique ID of the process (this should never be negative).
948pub struct Process {
949    pid: pid_t,
950    status: Option<ExitStatus>,
951    // On Linux, stores the pidfd created for this child.
952    // This is None if the user did not request pidfd creation,
953    // or if the pidfd could not be created for some reason
954    // (e.g. the `pidfd_open` syscall was not available).
955    #[cfg(target_os = "linux")]
956    pidfd: Option<PidFd>,
957}
958
959impl Process {
960    #[cfg(target_os = "linux")]
961    /// # Safety
962    ///
963    /// `pidfd` must either be -1 (representing no file descriptor) or a valid, exclusively owned file
964    /// descriptor (See [I/O Safety]).
965    ///
966    /// [I/O Safety]: crate::io#io-safety
967    unsafe fn new(pid: pid_t, pidfd: pid_t) -> Self {
968        use crate::os::unix::io::FromRawFd;
969        use crate::sys_common::FromInner;
970        // Safety: If `pidfd` is nonnegative, we assume it's valid and otherwise unowned.
971        let pidfd = (pidfd >= 0).then(|| PidFd::from_inner(sys::fd::FileDesc::from_raw_fd(pidfd)));
972        Process { pid, status: None, pidfd }
973    }
974
975    #[cfg(not(target_os = "linux"))]
976    unsafe fn new(pid: pid_t, _pidfd: pid_t) -> Self {
977        Process { pid, status: None }
978    }
979
980    pub fn id(&self) -> u32 {
981        self.pid as u32
982    }
983
984    pub fn kill(&self) -> io::Result<()> {
985        self.send_signal(libc::SIGKILL)
986    }
987
988    pub(crate) fn send_signal(&self, signal: i32) -> io::Result<()> {
989        // If we've already waited on this process then the pid can be recycled and
990        // used for another process, and we probably shouldn't be sending signals to
991        // random processes, so return Ok because the process has exited already.
992        if self.status.is_some() {
993            return Ok(());
994        }
995        #[cfg(target_os = "linux")]
996        if let Some(pid_fd) = self.pidfd.as_ref() {
997            // pidfd_send_signal predates pidfd_open. so if we were able to get an fd then sending signals will work too
998            return pid_fd.send_signal(signal);
999        }
1000        cvt(unsafe { libc::kill(self.pid, signal) }).map(drop)
1001    }
1002
1003    pub fn wait(&mut self) -> io::Result<ExitStatus> {
1004        use crate::sys::cvt_r;
1005        if let Some(status) = self.status {
1006            return Ok(status);
1007        }
1008        #[cfg(target_os = "linux")]
1009        if let Some(pid_fd) = self.pidfd.as_ref() {
1010            let status = pid_fd.wait()?;
1011            self.status = Some(status);
1012            return Ok(status);
1013        }
1014        let mut status = 0 as c_int;
1015        cvt_r(|| unsafe { libc::waitpid(self.pid, &mut status, 0) })?;
1016        self.status = Some(ExitStatus::new(status));
1017        Ok(ExitStatus::new(status))
1018    }
1019
1020    pub fn try_wait(&mut self) -> io::Result<Option<ExitStatus>> {
1021        if let Some(status) = self.status {
1022            return Ok(Some(status));
1023        }
1024        #[cfg(target_os = "linux")]
1025        if let Some(pid_fd) = self.pidfd.as_ref() {
1026            let status = pid_fd.try_wait()?;
1027            if let Some(status) = status {
1028                self.status = Some(status)
1029            }
1030            return Ok(status);
1031        }
1032        let mut status = 0 as c_int;
1033        let pid = cvt(unsafe { libc::waitpid(self.pid, &mut status, libc::WNOHANG) })?;
1034        if pid == 0 {
1035            Ok(None)
1036        } else {
1037            self.status = Some(ExitStatus::new(status));
1038            Ok(Some(ExitStatus::new(status)))
1039        }
1040    }
1041}
1042
1043/// Unix exit statuses
1044//
1045// This is not actually an "exit status" in Unix terminology.  Rather, it is a "wait status".
1046// See the discussion in comments and doc comments for `std::process::ExitStatus`.
1047#[derive(PartialEq, Eq, Clone, Copy, Default)]
1048pub struct ExitStatus(c_int);
1049
1050impl fmt::Debug for ExitStatus {
1051    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
1052        f.debug_tuple("unix_wait_status").field(&self.0).finish()
1053    }
1054}
1055
1056impl ExitStatus {
1057    pub fn new(status: c_int) -> ExitStatus {
1058        ExitStatus(status)
1059    }
1060
1061    #[cfg(target_os = "linux")]
1062    pub fn from_waitid_siginfo(siginfo: libc::siginfo_t) -> ExitStatus {
1063        let status = unsafe { siginfo.si_status() };
1064
1065        match siginfo.si_code {
1066            libc::CLD_EXITED => ExitStatus((status & 0xff) << 8),
1067            libc::CLD_KILLED => ExitStatus(status),
1068            libc::CLD_DUMPED => ExitStatus(status | 0x80),
1069            libc::CLD_CONTINUED => ExitStatus(0xffff),
1070            libc::CLD_STOPPED | libc::CLD_TRAPPED => ExitStatus(((status & 0xff) << 8) | 0x7f),
1071            _ => unreachable!("waitid() should only return the above codes"),
1072        }
1073    }
1074
1075    fn exited(&self) -> bool {
1076        libc::WIFEXITED(self.0)
1077    }
1078
1079    pub fn exit_ok(&self) -> Result<(), ExitStatusError> {
1080        // This assumes that WIFEXITED(status) && WEXITSTATUS==0 corresponds to status==0. This is
1081        // true on all actual versions of Unix, is widely assumed, and is specified in SuS
1082        // https://pubs.opengroup.org/onlinepubs/9699919799/functions/wait.html. If it is not
1083        // true for a platform pretending to be Unix, the tests (our doctests, and also
1084        // unix/tests.rs) will spot it. `ExitStatusError::code` assumes this too.
1085        match NonZero::try_from(self.0) {
1086            /* was nonzero */ Ok(failure) => Err(ExitStatusError(failure)),
1087            /* was zero, couldn't convert */ Err(_) => Ok(()),
1088        }
1089    }
1090
1091    pub fn code(&self) -> Option<i32> {
1092        self.exited().then(|| libc::WEXITSTATUS(self.0))
1093    }
1094
1095    pub fn signal(&self) -> Option<i32> {
1096        libc::WIFSIGNALED(self.0).then(|| libc::WTERMSIG(self.0))
1097    }
1098
1099    pub fn core_dumped(&self) -> bool {
1100        libc::WIFSIGNALED(self.0) && libc::WCOREDUMP(self.0)
1101    }
1102
1103    pub fn stopped_signal(&self) -> Option<i32> {
1104        libc::WIFSTOPPED(self.0).then(|| libc::WSTOPSIG(self.0))
1105    }
1106
1107    pub fn continued(&self) -> bool {
1108        libc::WIFCONTINUED(self.0)
1109    }
1110
1111    pub fn into_raw(&self) -> c_int {
1112        self.0
1113    }
1114}
1115
1116/// Converts a raw `c_int` to a type-safe `ExitStatus` by wrapping it without copying.
1117impl From<c_int> for ExitStatus {
1118    fn from(a: c_int) -> ExitStatus {
1119        ExitStatus(a)
1120    }
1121}
1122
1123/// Converts a signal number to a readable, searchable name.
1124///
1125/// This string should be displayed right after the signal number.
1126/// If a signal is unrecognized, it returns the empty string, so that
1127/// you just get the number like "0". If it is recognized, you'll get
1128/// something like "9 (SIGKILL)".
1129fn signal_string(signal: i32) -> &'static str {
1130    match signal {
1131        libc::SIGHUP => " (SIGHUP)",
1132        libc::SIGINT => " (SIGINT)",
1133        libc::SIGQUIT => " (SIGQUIT)",
1134        libc::SIGILL => " (SIGILL)",
1135        libc::SIGTRAP => " (SIGTRAP)",
1136        libc::SIGABRT => " (SIGABRT)",
1137        #[cfg(not(target_os = "l4re"))]
1138        libc::SIGBUS => " (SIGBUS)",
1139        libc::SIGFPE => " (SIGFPE)",
1140        libc::SIGKILL => " (SIGKILL)",
1141        #[cfg(not(target_os = "l4re"))]
1142        libc::SIGUSR1 => " (SIGUSR1)",
1143        libc::SIGSEGV => " (SIGSEGV)",
1144        #[cfg(not(target_os = "l4re"))]
1145        libc::SIGUSR2 => " (SIGUSR2)",
1146        libc::SIGPIPE => " (SIGPIPE)",
1147        libc::SIGALRM => " (SIGALRM)",
1148        libc::SIGTERM => " (SIGTERM)",
1149        #[cfg(not(target_os = "l4re"))]
1150        libc::SIGCHLD => " (SIGCHLD)",
1151        #[cfg(not(target_os = "l4re"))]
1152        libc::SIGCONT => " (SIGCONT)",
1153        #[cfg(not(target_os = "l4re"))]
1154        libc::SIGSTOP => " (SIGSTOP)",
1155        #[cfg(not(target_os = "l4re"))]
1156        libc::SIGTSTP => " (SIGTSTP)",
1157        #[cfg(not(target_os = "l4re"))]
1158        libc::SIGTTIN => " (SIGTTIN)",
1159        #[cfg(not(target_os = "l4re"))]
1160        libc::SIGTTOU => " (SIGTTOU)",
1161        #[cfg(not(target_os = "l4re"))]
1162        libc::SIGURG => " (SIGURG)",
1163        #[cfg(not(target_os = "l4re"))]
1164        libc::SIGXCPU => " (SIGXCPU)",
1165        #[cfg(not(any(target_os = "l4re", target_os = "rtems")))]
1166        libc::SIGXFSZ => " (SIGXFSZ)",
1167        #[cfg(not(any(target_os = "l4re", target_os = "rtems")))]
1168        libc::SIGVTALRM => " (SIGVTALRM)",
1169        #[cfg(not(target_os = "l4re"))]
1170        libc::SIGPROF => " (SIGPROF)",
1171        #[cfg(not(any(target_os = "l4re", target_os = "rtems")))]
1172        libc::SIGWINCH => " (SIGWINCH)",
1173        #[cfg(not(any(target_os = "haiku", target_os = "l4re")))]
1174        libc::SIGIO => " (SIGIO)",
1175        #[cfg(target_os = "haiku")]
1176        libc::SIGPOLL => " (SIGPOLL)",
1177        #[cfg(not(target_os = "l4re"))]
1178        libc::SIGSYS => " (SIGSYS)",
1179        // For information on Linux signals, run `man 7 signal`
1180        #[cfg(all(
1181            target_os = "linux",
1182            any(
1183                target_arch = "x86_64",
1184                target_arch = "x86",
1185                target_arch = "arm",
1186                target_arch = "aarch64"
1187            )
1188        ))]
1189        libc::SIGSTKFLT => " (SIGSTKFLT)",
1190        #[cfg(any(target_os = "linux", target_os = "nto", target_os = "cygwin"))]
1191        libc::SIGPWR => " (SIGPWR)",
1192        #[cfg(any(
1193            target_os = "freebsd",
1194            target_os = "netbsd",
1195            target_os = "openbsd",
1196            target_os = "dragonfly",
1197            target_os = "nto",
1198            target_vendor = "apple",
1199            target_os = "cygwin",
1200        ))]
1201        libc::SIGEMT => " (SIGEMT)",
1202        #[cfg(any(
1203            target_os = "freebsd",
1204            target_os = "netbsd",
1205            target_os = "openbsd",
1206            target_os = "dragonfly",
1207            target_vendor = "apple",
1208        ))]
1209        libc::SIGINFO => " (SIGINFO)",
1210        #[cfg(target_os = "hurd")]
1211        libc::SIGLOST => " (SIGLOST)",
1212        #[cfg(target_os = "freebsd")]
1213        libc::SIGTHR => " (SIGTHR)",
1214        #[cfg(target_os = "freebsd")]
1215        libc::SIGLIBRT => " (SIGLIBRT)",
1216        _ => "",
1217    }
1218}
1219
1220impl fmt::Display for ExitStatus {
1221    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
1222        if let Some(code) = self.code() {
1223            write!(f, "exit status: {code}")
1224        } else if let Some(signal) = self.signal() {
1225            let signal_string = signal_string(signal);
1226            if self.core_dumped() {
1227                write!(f, "signal: {signal}{signal_string} (core dumped)")
1228            } else {
1229                write!(f, "signal: {signal}{signal_string}")
1230            }
1231        } else if let Some(signal) = self.stopped_signal() {
1232            let signal_string = signal_string(signal);
1233            write!(f, "stopped (not terminated) by signal: {signal}{signal_string}")
1234        } else if self.continued() {
1235            write!(f, "continued (WIFCONTINUED)")
1236        } else {
1237            write!(f, "unrecognised wait status: {} {:#x}", self.0, self.0)
1238        }
1239    }
1240}
1241
1242#[derive(PartialEq, Eq, Clone, Copy)]
1243pub struct ExitStatusError(NonZero<c_int>);
1244
1245impl Into<ExitStatus> for ExitStatusError {
1246    fn into(self) -> ExitStatus {
1247        ExitStatus(self.0.into())
1248    }
1249}
1250
1251impl fmt::Debug for ExitStatusError {
1252    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
1253        f.debug_tuple("unix_wait_status").field(&self.0).finish()
1254    }
1255}
1256
1257impl ExitStatusError {
1258    pub fn code(self) -> Option<NonZero<i32>> {
1259        ExitStatus(self.0.into()).code().map(|st| st.try_into().unwrap())
1260    }
1261}
1262
1263#[cfg(target_os = "linux")]
1264mod linux_child_ext {
1265    use crate::io::ErrorKind;
1266    use crate::os::linux::process as os;
1267    use crate::sys::pal::linux::pidfd as imp;
1268    use crate::sys_common::FromInner;
1269    use crate::{io, mem};
1270
1271    #[unstable(feature = "linux_pidfd", issue = "82971")]
1272    impl crate::os::linux::process::ChildExt for crate::process::Child {
1273        fn pidfd(&self) -> io::Result<&os::PidFd> {
1274            self.handle
1275                .pidfd
1276                .as_ref()
1277                // SAFETY: The os type is a transparent wrapper, therefore we can transmute references
1278                .map(|fd| unsafe { mem::transmute::<&imp::PidFd, &os::PidFd>(fd) })
1279                .ok_or_else(|| io::const_error!(ErrorKind::Uncategorized, "no pidfd was created."))
1280        }
1281
1282        fn into_pidfd(mut self) -> Result<os::PidFd, Self> {
1283            self.handle
1284                .pidfd
1285                .take()
1286                .map(|fd| <os::PidFd as FromInner<imp::PidFd>>::from_inner(fd))
1287                .ok_or_else(|| self)
1288        }
1289    }
1290}
1291
1292#[cfg(test)]
1293mod tests;
1294
1295// See [`unsupported_wait_status::compare_with_linux`];
1296#[cfg(all(test, target_os = "linux"))]
1297#[path = "unsupported/wait_status.rs"]
1298mod unsupported_wait_status;