std/sys/process/unix/
unix.rs

1#[cfg(target_os = "vxworks")]
2use libc::RTP_ID as pid_t;
3#[cfg(not(target_os = "vxworks"))]
4use libc::{c_int, pid_t};
5#[cfg(not(any(
6    target_os = "vxworks",
7    target_os = "l4re",
8    target_os = "tvos",
9    target_os = "watchos",
10)))]
11use libc::{gid_t, uid_t};
12
13use super::common::*;
14use crate::io::{self, Error, ErrorKind};
15use crate::num::NonZero;
16use crate::sys::cvt;
17#[cfg(target_os = "linux")]
18use crate::sys::pal::linux::pidfd::PidFd;
19use crate::{fmt, mem, sys};
20
21cfg_select! {
22    target_os = "nto" => {
23        use crate::thread;
24        use libc::{c_char, posix_spawn_file_actions_t, posix_spawnattr_t};
25        use crate::time::Duration;
26        use crate::sync::LazyLock;
27        // Get smallest amount of time we can sleep.
28        // Return a common value if it cannot be determined.
29        fn get_clock_resolution() -> Duration {
30            static MIN_DELAY: LazyLock<Duration, fn() -> Duration> = LazyLock::new(|| {
31                let mut mindelay = libc::timespec { tv_sec: 0, tv_nsec: 0 };
32                if unsafe { libc::clock_getres(libc::CLOCK_MONOTONIC, &mut mindelay) } == 0
33                {
34                    Duration::from_nanos(mindelay.tv_nsec as u64)
35                } else {
36                    Duration::from_millis(1)
37                }
38            });
39            *MIN_DELAY
40        }
41        // Arbitrary minimum sleep duration for retrying fork/spawn
42        const MIN_FORKSPAWN_SLEEP: Duration = Duration::from_nanos(1);
43        // Maximum duration of sleeping before giving up and returning an error
44        const MAX_FORKSPAWN_SLEEP: Duration = Duration::from_millis(1000);
45    }
46    _ => {}
47}
48
49////////////////////////////////////////////////////////////////////////////////
50// Command
51////////////////////////////////////////////////////////////////////////////////
52
53impl Command {
54    pub fn spawn(
55        &mut self,
56        default: Stdio,
57        needs_stdin: bool,
58    ) -> io::Result<(Process, StdioPipes)> {
59        const CLOEXEC_MSG_FOOTER: [u8; 4] = *b"NOEX";
60
61        let envp = self.capture_env();
62
63        if self.saw_nul() {
64            return Err(io::const_error!(
65                ErrorKind::InvalidInput,
66                "nul byte found in provided data",
67            ));
68        }
69
70        let (ours, theirs) = self.setup_io(default, needs_stdin)?;
71
72        if let Some(ret) = self.posix_spawn(&theirs, envp.as_ref())? {
73            return Ok((ret, ours));
74        }
75
76        #[cfg(target_os = "linux")]
77        let (input, output) = sys::net::Socket::new_pair(libc::AF_UNIX, libc::SOCK_SEQPACKET)?;
78
79        #[cfg(not(target_os = "linux"))]
80        let (input, output) = sys::pipe::anon_pipe()?;
81
82        // Whatever happens after the fork is almost for sure going to touch or
83        // look at the environment in one way or another (PATH in `execvp` or
84        // accessing the `environ` pointer ourselves). Make sure no other thread
85        // is accessing the environment when we do the fork itself.
86        //
87        // Note that as soon as we're done with the fork there's no need to hold
88        // a lock any more because the parent won't do anything and the child is
89        // in its own process. Thus the parent drops the lock guard immediately.
90        // The child calls `mem::forget` to leak the lock, which is crucial because
91        // releasing a lock is not async-signal-safe.
92        let env_lock = sys::env::env_read_lock();
93        let pid = unsafe { self.do_fork()? };
94
95        if pid == 0 {
96            crate::panic::always_abort();
97            mem::forget(env_lock); // avoid non-async-signal-safe unlocking
98            drop(input);
99            #[cfg(target_os = "linux")]
100            if self.get_create_pidfd() {
101                self.send_pidfd(&output);
102            }
103            let Err(err) = unsafe { self.do_exec(theirs, envp.as_ref()) };
104            let errno = err.raw_os_error().unwrap_or(libc::EINVAL) as u32;
105            let errno = errno.to_be_bytes();
106            let bytes = [
107                errno[0],
108                errno[1],
109                errno[2],
110                errno[3],
111                CLOEXEC_MSG_FOOTER[0],
112                CLOEXEC_MSG_FOOTER[1],
113                CLOEXEC_MSG_FOOTER[2],
114                CLOEXEC_MSG_FOOTER[3],
115            ];
116            // pipe I/O up to PIPE_BUF bytes should be atomic, and then
117            // we want to be sure we *don't* run at_exit destructors as
118            // we're being torn down regardless
119            rtassert!(output.write(&bytes).is_ok());
120            unsafe { libc::_exit(1) }
121        }
122
123        drop(env_lock);
124        drop(output);
125
126        #[cfg(target_os = "linux")]
127        let pidfd = if self.get_create_pidfd() { self.recv_pidfd(&input) } else { -1 };
128
129        #[cfg(not(target_os = "linux"))]
130        let pidfd = -1;
131
132        // Safety: We obtained the pidfd (on Linux) using SOCK_SEQPACKET, so it's valid.
133        let mut p = unsafe { Process::new(pid, pidfd) };
134        let mut bytes = [0; 8];
135
136        // loop to handle EINTR
137        loop {
138            match input.read(&mut bytes) {
139                Ok(0) => return Ok((p, ours)),
140                Ok(8) => {
141                    let (errno, footer) = bytes.split_at(4);
142                    assert_eq!(
143                        CLOEXEC_MSG_FOOTER, footer,
144                        "Validation on the CLOEXEC pipe failed: {:?}",
145                        bytes
146                    );
147                    let errno = i32::from_be_bytes(errno.try_into().unwrap());
148                    assert!(p.wait().is_ok(), "wait() should either return Ok or panic");
149                    return Err(Error::from_raw_os_error(errno));
150                }
151                Err(ref e) if e.is_interrupted() => {}
152                Err(e) => {
153                    assert!(p.wait().is_ok(), "wait() should either return Ok or panic");
154                    panic!("the CLOEXEC pipe failed: {e:?}")
155                }
156                Ok(..) => {
157                    // pipe I/O up to PIPE_BUF bytes should be atomic
158                    // similarly SOCK_SEQPACKET messages should arrive whole
159                    assert!(p.wait().is_ok(), "wait() should either return Ok or panic");
160                    panic!("short read on the CLOEXEC pipe")
161                }
162            }
163        }
164    }
165
166    // WatchOS and TVOS headers mark the `fork`/`exec*` functions with
167    // `__WATCHOS_PROHIBITED __TVOS_PROHIBITED`, and indicate that the
168    // `posix_spawn*` functions should be used instead. It isn't entirely clear
169    // what `PROHIBITED` means here (e.g. if calls to these functions are
170    // allowed to exist in dead code), but it sounds bad, so we go out of our
171    // way to avoid that all-together.
172    #[cfg(any(target_os = "tvos", target_os = "watchos"))]
173    const ERR_APPLE_TV_WATCH_NO_FORK_EXEC: Error = io::const_error!(
174        ErrorKind::Unsupported,
175        "`fork`+`exec`-based process spawning is not supported on this target",
176    );
177
178    #[cfg(any(target_os = "tvos", target_os = "watchos"))]
179    unsafe fn do_fork(&mut self) -> Result<pid_t, io::Error> {
180        return Err(Self::ERR_APPLE_TV_WATCH_NO_FORK_EXEC);
181    }
182
183    // Attempts to fork the process. If successful, returns Ok((0, -1))
184    // in the child, and Ok((child_pid, -1)) in the parent.
185    #[cfg(not(any(target_os = "watchos", target_os = "tvos", target_os = "nto")))]
186    unsafe fn do_fork(&mut self) -> Result<pid_t, io::Error> {
187        cvt(libc::fork())
188    }
189
190    // On QNX Neutrino, fork can fail with EBADF in case "another thread might have opened
191    // or closed a file descriptor while the fork() was occurring".
192    // Documentation says "... or try calling fork() again". This is what we do here.
193    // See also https://www.qnx.com/developers/docs/7.1/#com.qnx.doc.neutrino.lib_ref/topic/f/fork.html
194    #[cfg(target_os = "nto")]
195    unsafe fn do_fork(&mut self) -> Result<pid_t, io::Error> {
196        use crate::sys::os::errno;
197
198        let mut delay = MIN_FORKSPAWN_SLEEP;
199
200        loop {
201            let r = libc::fork();
202            if r == -1 as libc::pid_t && errno() as libc::c_int == libc::EBADF {
203                if delay < get_clock_resolution() {
204                    // We cannot sleep this short (it would be longer).
205                    // Yield instead.
206                    thread::yield_now();
207                } else if delay < MAX_FORKSPAWN_SLEEP {
208                    thread::sleep(delay);
209                } else {
210                    return Err(io::const_error!(
211                        ErrorKind::WouldBlock,
212                        "forking returned EBADF too often",
213                    ));
214                }
215                delay *= 2;
216                continue;
217            } else {
218                return cvt(r);
219            }
220        }
221    }
222
223    pub fn exec(&mut self, default: Stdio) -> io::Error {
224        let envp = self.capture_env();
225
226        if self.saw_nul() {
227            return io::const_error!(ErrorKind::InvalidInput, "nul byte found in provided data");
228        }
229
230        match self.setup_io(default, true) {
231            Ok((_, theirs)) => {
232                unsafe {
233                    // Similar to when forking, we want to ensure that access to
234                    // the environment is synchronized, so make sure to grab the
235                    // environment lock before we try to exec.
236                    let _lock = sys::env::env_read_lock();
237
238                    let Err(e) = self.do_exec(theirs, envp.as_ref());
239                    e
240                }
241            }
242            Err(e) => e,
243        }
244    }
245
246    // And at this point we've reached a special time in the life of the
247    // child. The child must now be considered hamstrung and unable to
248    // do anything other than syscalls really. Consider the following
249    // scenario:
250    //
251    //      1. Thread A of process 1 grabs the malloc() mutex
252    //      2. Thread B of process 1 forks(), creating thread C
253    //      3. Thread C of process 2 then attempts to malloc()
254    //      4. The memory of process 2 is the same as the memory of
255    //         process 1, so the mutex is locked.
256    //
257    // This situation looks a lot like deadlock, right? It turns out
258    // that this is what pthread_atfork() takes care of, which is
259    // presumably implemented across platforms. The first thing that
260    // threads to *before* forking is to do things like grab the malloc
261    // mutex, and then after the fork they unlock it.
262    //
263    // Despite this information, libnative's spawn has been witnessed to
264    // deadlock on both macOS and FreeBSD. I'm not entirely sure why, but
265    // all collected backtraces point at malloc/free traffic in the
266    // child spawned process.
267    //
268    // For this reason, the block of code below should contain 0
269    // invocations of either malloc of free (or their related friends).
270    //
271    // As an example of not having malloc/free traffic, we don't close
272    // this file descriptor by dropping the FileDesc (which contains an
273    // allocation). Instead we just close it manually. This will never
274    // have the drop glue anyway because this code never returns (the
275    // child will either exec() or invoke libc::exit)
276    #[cfg(not(any(target_os = "tvos", target_os = "watchos")))]
277    unsafe fn do_exec(
278        &mut self,
279        stdio: ChildPipes,
280        maybe_envp: Option<&CStringArray>,
281    ) -> Result<!, io::Error> {
282        use crate::sys::{self, cvt_r};
283
284        if let Some(fd) = stdio.stdin.fd() {
285            cvt_r(|| libc::dup2(fd, libc::STDIN_FILENO))?;
286        }
287        if let Some(fd) = stdio.stdout.fd() {
288            cvt_r(|| libc::dup2(fd, libc::STDOUT_FILENO))?;
289        }
290        if let Some(fd) = stdio.stderr.fd() {
291            cvt_r(|| libc::dup2(fd, libc::STDERR_FILENO))?;
292        }
293
294        #[cfg(not(target_os = "l4re"))]
295        {
296            if let Some(_g) = self.get_groups() {
297                //FIXME: Redox kernel does not support setgroups yet
298                #[cfg(not(target_os = "redox"))]
299                cvt(libc::setgroups(_g.len().try_into().unwrap(), _g.as_ptr()))?;
300            }
301            if let Some(u) = self.get_gid() {
302                cvt(libc::setgid(u as gid_t))?;
303            }
304            if let Some(u) = self.get_uid() {
305                // When dropping privileges from root, the `setgroups` call
306                // will remove any extraneous groups. We only drop groups
307                // if we have CAP_SETGID and we weren't given an explicit
308                // set of groups. If we don't call this, then even though our
309                // uid has dropped, we may still have groups that enable us to
310                // do super-user things.
311                //FIXME: Redox kernel does not support setgroups yet
312                #[cfg(not(target_os = "redox"))]
313                if self.get_groups().is_none() {
314                    let res = cvt(libc::setgroups(0, crate::ptr::null()));
315                    if let Err(e) = res {
316                        // Here we ignore the case of not having CAP_SETGID.
317                        // An alternative would be to require CAP_SETGID (in
318                        // addition to CAP_SETUID) for setting the UID.
319                        if e.raw_os_error() != Some(libc::EPERM) {
320                            return Err(e.into());
321                        }
322                    }
323                }
324                cvt(libc::setuid(u as uid_t))?;
325            }
326        }
327        if let Some(chroot) = self.get_chroot() {
328            #[cfg(not(target_os = "fuchsia"))]
329            cvt(libc::chroot(chroot.as_ptr()))?;
330            #[cfg(target_os = "fuchsia")]
331            return Err(io::const_error!(
332                io::ErrorKind::Unsupported,
333                "chroot not supported by fuchsia"
334            ));
335        }
336        if let Some(cwd) = self.get_cwd() {
337            cvt(libc::chdir(cwd.as_ptr()))?;
338        }
339
340        if let Some(pgroup) = self.get_pgroup() {
341            cvt(libc::setpgid(0, pgroup))?;
342        }
343
344        if self.get_setsid() {
345            cvt(libc::setsid())?;
346        }
347
348        // emscripten has no signal support.
349        #[cfg(not(target_os = "emscripten"))]
350        {
351            // Inherit the signal mask from the parent rather than resetting it (i.e. do not call
352            // pthread_sigmask).
353
354            // If -Zon-broken-pipe is used, don't reset SIGPIPE to SIG_DFL.
355            // If -Zon-broken-pipe is not used, reset SIGPIPE to SIG_DFL for backward compatibility.
356            //
357            // -Zon-broken-pipe is an opportunity to change the default here.
358            if !crate::sys::pal::on_broken_pipe_flag_used() {
359                #[cfg(target_os = "android")] // see issue #88585
360                {
361                    let mut action: libc::sigaction = mem::zeroed();
362                    action.sa_sigaction = libc::SIG_DFL;
363                    cvt(libc::sigaction(libc::SIGPIPE, &action, crate::ptr::null_mut()))?;
364                }
365                #[cfg(not(target_os = "android"))]
366                {
367                    let ret = sys::signal(libc::SIGPIPE, libc::SIG_DFL);
368                    if ret == libc::SIG_ERR {
369                        return Err(io::Error::last_os_error());
370                    }
371                }
372                #[cfg(target_os = "hurd")]
373                {
374                    let ret = sys::signal(libc::SIGLOST, libc::SIG_DFL);
375                    if ret == libc::SIG_ERR {
376                        return Err(io::Error::last_os_error());
377                    }
378                }
379            }
380        }
381
382        for callback in self.get_closures().iter_mut() {
383            callback()?;
384        }
385
386        // Although we're performing an exec here we may also return with an
387        // error from this function (without actually exec'ing) in which case we
388        // want to be sure to restore the global environment back to what it
389        // once was, ensuring that our temporary override, when free'd, doesn't
390        // corrupt our process's environment.
391        let mut _reset = None;
392        if let Some(envp) = maybe_envp {
393            struct Reset(*const *const libc::c_char);
394
395            impl Drop for Reset {
396                fn drop(&mut self) {
397                    unsafe {
398                        *sys::env::environ() = self.0;
399                    }
400                }
401            }
402
403            _reset = Some(Reset(*sys::env::environ()));
404            *sys::env::environ() = envp.as_ptr();
405        }
406
407        libc::execvp(self.get_program_cstr().as_ptr(), self.get_argv().as_ptr());
408        Err(io::Error::last_os_error())
409    }
410
411    #[cfg(any(target_os = "tvos", target_os = "watchos"))]
412    unsafe fn do_exec(
413        &mut self,
414        _stdio: ChildPipes,
415        _maybe_envp: Option<&CStringArray>,
416    ) -> Result<!, io::Error> {
417        return Err(Self::ERR_APPLE_TV_WATCH_NO_FORK_EXEC);
418    }
419
420    #[cfg(not(any(
421        target_os = "freebsd",
422        target_os = "illumos",
423        all(target_os = "linux", target_env = "gnu"),
424        all(target_os = "linux", target_env = "musl"),
425        target_os = "nto",
426        target_vendor = "apple",
427        target_os = "cygwin",
428    )))]
429    fn posix_spawn(
430        &mut self,
431        _: &ChildPipes,
432        _: Option<&CStringArray>,
433    ) -> io::Result<Option<Process>> {
434        Ok(None)
435    }
436
437    // Only support platforms for which posix_spawn() can return ENOENT
438    // directly.
439    #[cfg(any(
440        target_os = "freebsd",
441        target_os = "illumos",
442        all(target_os = "linux", target_env = "gnu"),
443        all(target_os = "linux", target_env = "musl"),
444        target_os = "nto",
445        target_vendor = "apple",
446        target_os = "cygwin",
447    ))]
448    fn posix_spawn(
449        &mut self,
450        stdio: &ChildPipes,
451        envp: Option<&CStringArray>,
452    ) -> io::Result<Option<Process>> {
453        #[cfg(target_os = "linux")]
454        use core::sync::atomic::{Atomic, AtomicU8, Ordering};
455
456        use crate::mem::MaybeUninit;
457        use crate::sys::{self, cvt_nz, on_broken_pipe_flag_used};
458
459        if self.get_gid().is_some()
460            || self.get_uid().is_some()
461            || (self.env_saw_path() && !self.program_is_path())
462            || !self.get_closures().is_empty()
463            || self.get_groups().is_some()
464            || self.get_chroot().is_some()
465        {
466            return Ok(None);
467        }
468
469        cfg_select! {
470            target_os = "linux" => {
471                use crate::sys::weak::weak;
472
473                weak!(
474                    fn pidfd_spawnp(
475                        pidfd: *mut libc::c_int,
476                        path: *const libc::c_char,
477                        file_actions: *const libc::posix_spawn_file_actions_t,
478                        attrp: *const libc::posix_spawnattr_t,
479                        argv: *const *mut libc::c_char,
480                        envp: *const *mut libc::c_char,
481                    ) -> libc::c_int;
482                );
483
484                weak!(
485                    fn pidfd_getpid(pidfd: libc::c_int) -> libc::c_int;
486                );
487
488                static PIDFD_SUPPORTED: Atomic<u8> = AtomicU8::new(0);
489                const UNKNOWN: u8 = 0;
490                const SPAWN: u8 = 1;
491                // Obtaining a pidfd via the fork+exec path might work
492                const FORK_EXEC: u8 = 2;
493                // Neither pidfd_spawn nor fork/exec will get us a pidfd.
494                // Instead we'll just posix_spawn if the other preconditions are met.
495                const NO: u8 = 3;
496
497                if self.get_create_pidfd() {
498                    let mut support = PIDFD_SUPPORTED.load(Ordering::Relaxed);
499                    if support == FORK_EXEC {
500                        return Ok(None);
501                    }
502                    if support == UNKNOWN {
503                        support = NO;
504                        let our_pid = crate::process::id();
505                        let pidfd = cvt(unsafe { libc::syscall(libc::SYS_pidfd_open, our_pid, 0) } as c_int);
506                        match pidfd {
507                            Ok(pidfd) => {
508                                support = FORK_EXEC;
509                                if let Some(Ok(pid)) = pidfd_getpid.get().map(|f| cvt(unsafe { f(pidfd) } as i32)) {
510                                    if pidfd_spawnp.get().is_some() && pid as u32 == our_pid {
511                                        support = SPAWN
512                                    }
513                                }
514                                unsafe { libc::close(pidfd) };
515                            }
516                            Err(e) if e.raw_os_error() == Some(libc::EMFILE) => {
517                                // We're temporarily(?) out of file descriptors.  In this case obtaining a pidfd would also fail
518                                // Don't update the support flag so we can probe again later.
519                                return Err(e)
520                            }
521                            _ => {}
522                        }
523                        PIDFD_SUPPORTED.store(support, Ordering::Relaxed);
524                        if support == FORK_EXEC {
525                            return Ok(None);
526                        }
527                    }
528                    core::assert_matches::debug_assert_matches!(support, SPAWN | NO);
529                }
530            }
531            _ => {
532                if self.get_create_pidfd() {
533                    unreachable!("only implemented on linux")
534                }
535            }
536        }
537
538        // Only glibc 2.24+ posix_spawn() supports returning ENOENT directly.
539        #[cfg(all(target_os = "linux", target_env = "gnu"))]
540        {
541            if let Some(version) = sys::os::glibc_version() {
542                if version < (2, 24) {
543                    return Ok(None);
544                }
545            } else {
546                return Ok(None);
547            }
548        }
549
550        // On QNX Neutrino, posix_spawnp can fail with EBADF in case "another thread might have opened
551        // or closed a file descriptor while the posix_spawn() was occurring".
552        // Documentation says "... or try calling posix_spawn() again". This is what we do here.
553        // See also http://www.qnx.com/developers/docs/7.1/#com.qnx.doc.neutrino.lib_ref/topic/p/posix_spawn.html
554        #[cfg(target_os = "nto")]
555        unsafe fn retrying_libc_posix_spawnp(
556            pid: *mut pid_t,
557            file: *const c_char,
558            file_actions: *const posix_spawn_file_actions_t,
559            attrp: *const posix_spawnattr_t,
560            argv: *const *mut c_char,
561            envp: *const *mut c_char,
562        ) -> io::Result<i32> {
563            let mut delay = MIN_FORKSPAWN_SLEEP;
564            loop {
565                match libc::posix_spawnp(pid, file, file_actions, attrp, argv, envp) {
566                    libc::EBADF => {
567                        if delay < get_clock_resolution() {
568                            // We cannot sleep this short (it would be longer).
569                            // Yield instead.
570                            thread::yield_now();
571                        } else if delay < MAX_FORKSPAWN_SLEEP {
572                            thread::sleep(delay);
573                        } else {
574                            return Err(io::const_error!(
575                                ErrorKind::WouldBlock,
576                                "posix_spawnp returned EBADF too often",
577                            ));
578                        }
579                        delay *= 2;
580                        continue;
581                    }
582                    r => {
583                        return Ok(r);
584                    }
585                }
586            }
587        }
588
589        type PosixSpawnAddChdirFn = unsafe extern "C" fn(
590            *mut libc::posix_spawn_file_actions_t,
591            *const libc::c_char,
592        ) -> libc::c_int;
593
594        /// Get the function pointer for adding a chdir action to a
595        /// `posix_spawn_file_actions_t`, if available, assuming a dynamic libc.
596        ///
597        /// Some platforms can set a new working directory for a spawned process in the
598        /// `posix_spawn` path. This function looks up the function pointer for adding
599        /// such an action to a `posix_spawn_file_actions_t` struct.
600        #[cfg(not(any(all(target_os = "linux", target_env = "musl"), target_os = "cygwin")))]
601        fn get_posix_spawn_addchdir() -> Option<PosixSpawnAddChdirFn> {
602            use crate::sys::weak::weak;
603
604            // POSIX.1-2024 standardizes this function:
605            // https://pubs.opengroup.org/onlinepubs/9799919799/functions/posix_spawn_file_actions_addchdir.html.
606            // The _np version is more widely available, though, so try that first.
607
608            weak!(
609                fn posix_spawn_file_actions_addchdir_np(
610                    file_actions: *mut libc::posix_spawn_file_actions_t,
611                    path: *const libc::c_char,
612                ) -> libc::c_int;
613            );
614
615            weak!(
616                fn posix_spawn_file_actions_addchdir(
617                    file_actions: *mut libc::posix_spawn_file_actions_t,
618                    path: *const libc::c_char,
619                ) -> libc::c_int;
620            );
621
622            posix_spawn_file_actions_addchdir_np
623                .get()
624                .or_else(|| posix_spawn_file_actions_addchdir.get())
625        }
626
627        /// Get the function pointer for adding a chdir action to a
628        /// `posix_spawn_file_actions_t`, if available, on platforms where the function
629        /// is known to exist.
630        ///
631        /// Weak symbol lookup doesn't work with statically linked libcs, so in cases
632        /// where static linking is possible we need to either check for the presence
633        /// of the symbol at compile time or know about it upfront.
634        ///
635        /// Cygwin doesn't support weak symbol, so just link it.
636        #[cfg(any(all(target_os = "linux", target_env = "musl"), target_os = "cygwin"))]
637        fn get_posix_spawn_addchdir() -> Option<PosixSpawnAddChdirFn> {
638            // Our minimum required musl supports this function, so we can just use it.
639            Some(libc::posix_spawn_file_actions_addchdir_np)
640        }
641
642        let addchdir = match self.get_cwd() {
643            Some(cwd) => {
644                if cfg!(target_vendor = "apple") {
645                    // There is a bug in macOS where a relative executable
646                    // path like "../myprogram" will cause `posix_spawn` to
647                    // successfully launch the program, but erroneously return
648                    // ENOENT when used with posix_spawn_file_actions_addchdir_np
649                    // which was introduced in macOS 10.15.
650                    if self.get_program_kind() == ProgramKind::Relative {
651                        return Ok(None);
652                    }
653                }
654                // Check for the availability of the posix_spawn addchdir
655                // function now. If it isn't available, bail and use the
656                // fork/exec path.
657                match get_posix_spawn_addchdir() {
658                    Some(f) => Some((f, cwd)),
659                    None => return Ok(None),
660                }
661            }
662            None => None,
663        };
664
665        let pgroup = self.get_pgroup();
666
667        struct PosixSpawnFileActions<'a>(&'a mut MaybeUninit<libc::posix_spawn_file_actions_t>);
668
669        impl Drop for PosixSpawnFileActions<'_> {
670            fn drop(&mut self) {
671                unsafe {
672                    libc::posix_spawn_file_actions_destroy(self.0.as_mut_ptr());
673                }
674            }
675        }
676
677        struct PosixSpawnattr<'a>(&'a mut MaybeUninit<libc::posix_spawnattr_t>);
678
679        impl Drop for PosixSpawnattr<'_> {
680            fn drop(&mut self) {
681                unsafe {
682                    libc::posix_spawnattr_destroy(self.0.as_mut_ptr());
683                }
684            }
685        }
686
687        unsafe {
688            let mut attrs = MaybeUninit::uninit();
689            cvt_nz(libc::posix_spawnattr_init(attrs.as_mut_ptr()))?;
690            let attrs = PosixSpawnattr(&mut attrs);
691
692            let mut flags = 0;
693
694            let mut file_actions = MaybeUninit::uninit();
695            cvt_nz(libc::posix_spawn_file_actions_init(file_actions.as_mut_ptr()))?;
696            let file_actions = PosixSpawnFileActions(&mut file_actions);
697
698            if let Some(fd) = stdio.stdin.fd() {
699                cvt_nz(libc::posix_spawn_file_actions_adddup2(
700                    file_actions.0.as_mut_ptr(),
701                    fd,
702                    libc::STDIN_FILENO,
703                ))?;
704            }
705            if let Some(fd) = stdio.stdout.fd() {
706                cvt_nz(libc::posix_spawn_file_actions_adddup2(
707                    file_actions.0.as_mut_ptr(),
708                    fd,
709                    libc::STDOUT_FILENO,
710                ))?;
711            }
712            if let Some(fd) = stdio.stderr.fd() {
713                cvt_nz(libc::posix_spawn_file_actions_adddup2(
714                    file_actions.0.as_mut_ptr(),
715                    fd,
716                    libc::STDERR_FILENO,
717                ))?;
718            }
719            if let Some((f, cwd)) = addchdir {
720                cvt_nz(f(file_actions.0.as_mut_ptr(), cwd.as_ptr()))?;
721            }
722
723            if let Some(pgroup) = pgroup {
724                flags |= libc::POSIX_SPAWN_SETPGROUP;
725                cvt_nz(libc::posix_spawnattr_setpgroup(attrs.0.as_mut_ptr(), pgroup))?;
726            }
727
728            // Inherit the signal mask from this process rather than resetting it (i.e. do not call
729            // posix_spawnattr_setsigmask).
730
731            // If -Zon-broken-pipe is used, don't reset SIGPIPE to SIG_DFL.
732            // If -Zon-broken-pipe is not used, reset SIGPIPE to SIG_DFL for backward compatibility.
733            //
734            // -Zon-broken-pipe is an opportunity to change the default here.
735            if !on_broken_pipe_flag_used() {
736                let mut default_set = MaybeUninit::<libc::sigset_t>::uninit();
737                cvt(sigemptyset(default_set.as_mut_ptr()))?;
738                cvt(sigaddset(default_set.as_mut_ptr(), libc::SIGPIPE))?;
739                #[cfg(target_os = "hurd")]
740                {
741                    cvt(sigaddset(default_set.as_mut_ptr(), libc::SIGLOST))?;
742                }
743                cvt_nz(libc::posix_spawnattr_setsigdefault(
744                    attrs.0.as_mut_ptr(),
745                    default_set.as_ptr(),
746                ))?;
747                flags |= libc::POSIX_SPAWN_SETSIGDEF;
748            }
749
750            if self.get_setsid() {
751                cfg_select! {
752                    all(target_os = "linux", target_env = "gnu") => {
753                        flags |= libc::POSIX_SPAWN_SETSID;
754                    }
755                    _ => {
756                        return Ok(None);
757                    }
758                }
759            }
760
761            cvt_nz(libc::posix_spawnattr_setflags(attrs.0.as_mut_ptr(), flags as _))?;
762
763            // Make sure we synchronize access to the global `environ` resource
764            let _env_lock = sys::env::env_read_lock();
765            let envp = envp.map(|c| c.as_ptr()).unwrap_or_else(|| *sys::env::environ() as *const _);
766
767            #[cfg(not(target_os = "nto"))]
768            let spawn_fn = libc::posix_spawnp;
769            #[cfg(target_os = "nto")]
770            let spawn_fn = retrying_libc_posix_spawnp;
771
772            #[cfg(target_os = "linux")]
773            if self.get_create_pidfd() && PIDFD_SUPPORTED.load(Ordering::Relaxed) == SPAWN {
774                let mut pidfd: libc::c_int = -1;
775                let spawn_res = pidfd_spawnp.get().unwrap()(
776                    &mut pidfd,
777                    self.get_program_cstr().as_ptr(),
778                    file_actions.0.as_ptr(),
779                    attrs.0.as_ptr(),
780                    self.get_argv().as_ptr() as *const _,
781                    envp as *const _,
782                );
783
784                let spawn_res = cvt_nz(spawn_res);
785                if let Err(ref e) = spawn_res
786                    && e.raw_os_error() == Some(libc::ENOSYS)
787                {
788                    PIDFD_SUPPORTED.store(FORK_EXEC, Ordering::Relaxed);
789                    return Ok(None);
790                }
791                spawn_res?;
792
793                let pid = match cvt(pidfd_getpid.get().unwrap()(pidfd)) {
794                    Ok(pid) => pid,
795                    Err(e) => {
796                        // The child has been spawned and we are holding its pidfd.
797                        // But we cannot obtain its pid even though pidfd_getpid support was verified earlier.
798                        // This might happen if libc can't open procfs because the file descriptor limit has been reached.
799                        libc::close(pidfd);
800                        return Err(Error::new(
801                            e.kind(),
802                            "pidfd_spawnp succeeded but the child's PID could not be obtained",
803                        ));
804                    }
805                };
806
807                return Ok(Some(Process::new(pid, pidfd)));
808            }
809
810            // Safety: -1 indicates we don't have a pidfd.
811            let mut p = Process::new(0, -1);
812
813            let spawn_res = spawn_fn(
814                &mut p.pid,
815                self.get_program_cstr().as_ptr(),
816                file_actions.0.as_ptr(),
817                attrs.0.as_ptr(),
818                self.get_argv().as_ptr() as *const _,
819                envp as *const _,
820            );
821
822            #[cfg(target_os = "nto")]
823            let spawn_res = spawn_res?;
824
825            cvt_nz(spawn_res)?;
826            Ok(Some(p))
827        }
828    }
829
830    #[cfg(target_os = "linux")]
831    fn send_pidfd(&self, sock: &crate::sys::net::Socket) {
832        use libc::{CMSG_DATA, CMSG_FIRSTHDR, CMSG_LEN, CMSG_SPACE, SCM_RIGHTS, SOL_SOCKET};
833
834        use crate::io::IoSlice;
835        use crate::os::fd::RawFd;
836        use crate::sys::cvt_r;
837
838        unsafe {
839            let child_pid = libc::getpid();
840            // pidfd_open sets CLOEXEC by default
841            let pidfd = libc::syscall(libc::SYS_pidfd_open, child_pid, 0);
842
843            let fds: [c_int; 1] = [pidfd as RawFd];
844
845            const SCM_MSG_LEN: usize = size_of::<[c_int; 1]>();
846
847            #[repr(C)]
848            union Cmsg {
849                buf: [u8; unsafe { CMSG_SPACE(SCM_MSG_LEN as u32) as usize }],
850                _align: libc::cmsghdr,
851            }
852
853            let mut cmsg: Cmsg = mem::zeroed();
854
855            // 0-length message to send through the socket so we can pass along the fd
856            let mut iov = [IoSlice::new(b"")];
857            let mut msg: libc::msghdr = mem::zeroed();
858
859            msg.msg_iov = (&raw mut iov) as *mut _;
860            msg.msg_iovlen = 1;
861
862            // only attach cmsg if we successfully acquired the pidfd
863            if pidfd >= 0 {
864                msg.msg_controllen = size_of_val(&cmsg.buf) as _;
865                msg.msg_control = (&raw mut cmsg.buf) as *mut _;
866
867                let hdr = CMSG_FIRSTHDR((&raw mut msg) as *mut _);
868                (*hdr).cmsg_level = SOL_SOCKET;
869                (*hdr).cmsg_type = SCM_RIGHTS;
870                (*hdr).cmsg_len = CMSG_LEN(SCM_MSG_LEN as _) as _;
871                let data = CMSG_DATA(hdr);
872                crate::ptr::copy_nonoverlapping(
873                    fds.as_ptr().cast::<u8>(),
874                    data as *mut _,
875                    SCM_MSG_LEN,
876                );
877            }
878
879            // we send the 0-length message even if we failed to acquire the pidfd
880            // so we get a consistent SEQPACKET order
881            match cvt_r(|| libc::sendmsg(sock.as_raw(), &msg, 0)) {
882                Ok(0) => {}
883                other => rtabort!("failed to communicate with parent process. {:?}", other),
884            }
885        }
886    }
887
888    #[cfg(target_os = "linux")]
889    fn recv_pidfd(&self, sock: &crate::sys::net::Socket) -> pid_t {
890        use libc::{CMSG_DATA, CMSG_FIRSTHDR, CMSG_LEN, CMSG_SPACE, SCM_RIGHTS, SOL_SOCKET};
891
892        use crate::io::IoSliceMut;
893        use crate::sys::cvt_r;
894
895        unsafe {
896            const SCM_MSG_LEN: usize = size_of::<[c_int; 1]>();
897
898            #[repr(C)]
899            union Cmsg {
900                _buf: [u8; unsafe { CMSG_SPACE(SCM_MSG_LEN as u32) as usize }],
901                _align: libc::cmsghdr,
902            }
903            let mut cmsg: Cmsg = mem::zeroed();
904            // 0-length read to get the fd
905            let mut iov = [IoSliceMut::new(&mut [])];
906
907            let mut msg: libc::msghdr = mem::zeroed();
908
909            msg.msg_iov = (&raw mut iov) as *mut _;
910            msg.msg_iovlen = 1;
911            msg.msg_controllen = size_of::<Cmsg>() as _;
912            msg.msg_control = (&raw mut cmsg) as *mut _;
913
914            match cvt_r(|| libc::recvmsg(sock.as_raw(), &mut msg, libc::MSG_CMSG_CLOEXEC)) {
915                Err(_) => return -1,
916                Ok(_) => {}
917            }
918
919            let hdr = CMSG_FIRSTHDR((&raw mut msg) as *mut _);
920            if hdr.is_null()
921                || (*hdr).cmsg_level != SOL_SOCKET
922                || (*hdr).cmsg_type != SCM_RIGHTS
923                || (*hdr).cmsg_len != CMSG_LEN(SCM_MSG_LEN as _) as _
924            {
925                return -1;
926            }
927            let data = CMSG_DATA(hdr);
928
929            let mut fds = [-1 as c_int];
930
931            crate::ptr::copy_nonoverlapping(
932                data as *const _,
933                fds.as_mut_ptr().cast::<u8>(),
934                SCM_MSG_LEN,
935            );
936
937            fds[0]
938        }
939    }
940}
941
942////////////////////////////////////////////////////////////////////////////////
943// Processes
944////////////////////////////////////////////////////////////////////////////////
945
946/// The unique ID of the process (this should never be negative).
947pub struct Process {
948    pid: pid_t,
949    status: Option<ExitStatus>,
950    // On Linux, stores the pidfd created for this child.
951    // This is None if the user did not request pidfd creation,
952    // or if the pidfd could not be created for some reason
953    // (e.g. the `pidfd_open` syscall was not available).
954    #[cfg(target_os = "linux")]
955    pidfd: Option<PidFd>,
956}
957
958impl Process {
959    #[cfg(target_os = "linux")]
960    /// # Safety
961    ///
962    /// `pidfd` must either be -1 (representing no file descriptor) or a valid, exclusively owned file
963    /// descriptor (See [I/O Safety]).
964    ///
965    /// [I/O Safety]: crate::io#io-safety
966    unsafe fn new(pid: pid_t, pidfd: pid_t) -> Self {
967        use crate::os::unix::io::FromRawFd;
968        use crate::sys_common::FromInner;
969        // Safety: If `pidfd` is nonnegative, we assume it's valid and otherwise unowned.
970        let pidfd = (pidfd >= 0).then(|| PidFd::from_inner(sys::fd::FileDesc::from_raw_fd(pidfd)));
971        Process { pid, status: None, pidfd }
972    }
973
974    #[cfg(not(target_os = "linux"))]
975    unsafe fn new(pid: pid_t, _pidfd: pid_t) -> Self {
976        Process { pid, status: None }
977    }
978
979    pub fn id(&self) -> u32 {
980        self.pid as u32
981    }
982
983    pub fn kill(&self) -> io::Result<()> {
984        self.send_signal(libc::SIGKILL)
985    }
986
987    pub(crate) fn send_signal(&self, signal: i32) -> io::Result<()> {
988        // If we've already waited on this process then the pid can be recycled and
989        // used for another process, and we probably shouldn't be sending signals to
990        // random processes, so return Ok because the process has exited already.
991        if self.status.is_some() {
992            return Ok(());
993        }
994        #[cfg(target_os = "linux")]
995        if let Some(pid_fd) = self.pidfd.as_ref() {
996            // pidfd_send_signal predates pidfd_open. so if we were able to get an fd then sending signals will work too
997            return pid_fd.send_signal(signal);
998        }
999        cvt(unsafe { libc::kill(self.pid, signal) }).map(drop)
1000    }
1001
1002    pub fn wait(&mut self) -> io::Result<ExitStatus> {
1003        use crate::sys::cvt_r;
1004        if let Some(status) = self.status {
1005            return Ok(status);
1006        }
1007        #[cfg(target_os = "linux")]
1008        if let Some(pid_fd) = self.pidfd.as_ref() {
1009            let status = pid_fd.wait()?;
1010            self.status = Some(status);
1011            return Ok(status);
1012        }
1013        let mut status = 0 as c_int;
1014        cvt_r(|| unsafe { libc::waitpid(self.pid, &mut status, 0) })?;
1015        self.status = Some(ExitStatus::new(status));
1016        Ok(ExitStatus::new(status))
1017    }
1018
1019    pub fn try_wait(&mut self) -> io::Result<Option<ExitStatus>> {
1020        if let Some(status) = self.status {
1021            return Ok(Some(status));
1022        }
1023        #[cfg(target_os = "linux")]
1024        if let Some(pid_fd) = self.pidfd.as_ref() {
1025            let status = pid_fd.try_wait()?;
1026            if let Some(status) = status {
1027                self.status = Some(status)
1028            }
1029            return Ok(status);
1030        }
1031        let mut status = 0 as c_int;
1032        let pid = cvt(unsafe { libc::waitpid(self.pid, &mut status, libc::WNOHANG) })?;
1033        if pid == 0 {
1034            Ok(None)
1035        } else {
1036            self.status = Some(ExitStatus::new(status));
1037            Ok(Some(ExitStatus::new(status)))
1038        }
1039    }
1040}
1041
1042/// Unix exit statuses
1043//
1044// This is not actually an "exit status" in Unix terminology.  Rather, it is a "wait status".
1045// See the discussion in comments and doc comments for `std::process::ExitStatus`.
1046#[derive(PartialEq, Eq, Clone, Copy, Default)]
1047pub struct ExitStatus(c_int);
1048
1049impl fmt::Debug for ExitStatus {
1050    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
1051        f.debug_tuple("unix_wait_status").field(&self.0).finish()
1052    }
1053}
1054
1055impl ExitStatus {
1056    pub fn new(status: c_int) -> ExitStatus {
1057        ExitStatus(status)
1058    }
1059
1060    #[cfg(target_os = "linux")]
1061    pub fn from_waitid_siginfo(siginfo: libc::siginfo_t) -> ExitStatus {
1062        let status = unsafe { siginfo.si_status() };
1063
1064        match siginfo.si_code {
1065            libc::CLD_EXITED => ExitStatus((status & 0xff) << 8),
1066            libc::CLD_KILLED => ExitStatus(status),
1067            libc::CLD_DUMPED => ExitStatus(status | 0x80),
1068            libc::CLD_CONTINUED => ExitStatus(0xffff),
1069            libc::CLD_STOPPED | libc::CLD_TRAPPED => ExitStatus(((status & 0xff) << 8) | 0x7f),
1070            _ => unreachable!("waitid() should only return the above codes"),
1071        }
1072    }
1073
1074    fn exited(&self) -> bool {
1075        libc::WIFEXITED(self.0)
1076    }
1077
1078    pub fn exit_ok(&self) -> Result<(), ExitStatusError> {
1079        // This assumes that WIFEXITED(status) && WEXITSTATUS==0 corresponds to status==0. This is
1080        // true on all actual versions of Unix, is widely assumed, and is specified in SuS
1081        // https://pubs.opengroup.org/onlinepubs/9699919799/functions/wait.html. If it is not
1082        // true for a platform pretending to be Unix, the tests (our doctests, and also
1083        // unix/tests.rs) will spot it. `ExitStatusError::code` assumes this too.
1084        match NonZero::try_from(self.0) {
1085            /* was nonzero */ Ok(failure) => Err(ExitStatusError(failure)),
1086            /* was zero, couldn't convert */ Err(_) => Ok(()),
1087        }
1088    }
1089
1090    pub fn code(&self) -> Option<i32> {
1091        self.exited().then(|| libc::WEXITSTATUS(self.0))
1092    }
1093
1094    pub fn signal(&self) -> Option<i32> {
1095        libc::WIFSIGNALED(self.0).then(|| libc::WTERMSIG(self.0))
1096    }
1097
1098    pub fn core_dumped(&self) -> bool {
1099        libc::WIFSIGNALED(self.0) && libc::WCOREDUMP(self.0)
1100    }
1101
1102    pub fn stopped_signal(&self) -> Option<i32> {
1103        libc::WIFSTOPPED(self.0).then(|| libc::WSTOPSIG(self.0))
1104    }
1105
1106    pub fn continued(&self) -> bool {
1107        libc::WIFCONTINUED(self.0)
1108    }
1109
1110    pub fn into_raw(&self) -> c_int {
1111        self.0
1112    }
1113}
1114
1115/// Converts a raw `c_int` to a type-safe `ExitStatus` by wrapping it without copying.
1116impl From<c_int> for ExitStatus {
1117    fn from(a: c_int) -> ExitStatus {
1118        ExitStatus(a)
1119    }
1120}
1121
1122/// Converts a signal number to a readable, searchable name.
1123///
1124/// This string should be displayed right after the signal number.
1125/// If a signal is unrecognized, it returns the empty string, so that
1126/// you just get the number like "0". If it is recognized, you'll get
1127/// something like "9 (SIGKILL)".
1128fn signal_string(signal: i32) -> &'static str {
1129    match signal {
1130        libc::SIGHUP => " (SIGHUP)",
1131        libc::SIGINT => " (SIGINT)",
1132        libc::SIGQUIT => " (SIGQUIT)",
1133        libc::SIGILL => " (SIGILL)",
1134        libc::SIGTRAP => " (SIGTRAP)",
1135        libc::SIGABRT => " (SIGABRT)",
1136        #[cfg(not(target_os = "l4re"))]
1137        libc::SIGBUS => " (SIGBUS)",
1138        libc::SIGFPE => " (SIGFPE)",
1139        libc::SIGKILL => " (SIGKILL)",
1140        #[cfg(not(target_os = "l4re"))]
1141        libc::SIGUSR1 => " (SIGUSR1)",
1142        libc::SIGSEGV => " (SIGSEGV)",
1143        #[cfg(not(target_os = "l4re"))]
1144        libc::SIGUSR2 => " (SIGUSR2)",
1145        libc::SIGPIPE => " (SIGPIPE)",
1146        libc::SIGALRM => " (SIGALRM)",
1147        libc::SIGTERM => " (SIGTERM)",
1148        #[cfg(not(target_os = "l4re"))]
1149        libc::SIGCHLD => " (SIGCHLD)",
1150        #[cfg(not(target_os = "l4re"))]
1151        libc::SIGCONT => " (SIGCONT)",
1152        #[cfg(not(target_os = "l4re"))]
1153        libc::SIGSTOP => " (SIGSTOP)",
1154        #[cfg(not(target_os = "l4re"))]
1155        libc::SIGTSTP => " (SIGTSTP)",
1156        #[cfg(not(target_os = "l4re"))]
1157        libc::SIGTTIN => " (SIGTTIN)",
1158        #[cfg(not(target_os = "l4re"))]
1159        libc::SIGTTOU => " (SIGTTOU)",
1160        #[cfg(not(target_os = "l4re"))]
1161        libc::SIGURG => " (SIGURG)",
1162        #[cfg(not(target_os = "l4re"))]
1163        libc::SIGXCPU => " (SIGXCPU)",
1164        #[cfg(not(any(target_os = "l4re", target_os = "rtems")))]
1165        libc::SIGXFSZ => " (SIGXFSZ)",
1166        #[cfg(not(any(target_os = "l4re", target_os = "rtems")))]
1167        libc::SIGVTALRM => " (SIGVTALRM)",
1168        #[cfg(not(target_os = "l4re"))]
1169        libc::SIGPROF => " (SIGPROF)",
1170        #[cfg(not(any(target_os = "l4re", target_os = "rtems")))]
1171        libc::SIGWINCH => " (SIGWINCH)",
1172        #[cfg(not(any(target_os = "haiku", target_os = "l4re")))]
1173        libc::SIGIO => " (SIGIO)",
1174        #[cfg(target_os = "haiku")]
1175        libc::SIGPOLL => " (SIGPOLL)",
1176        #[cfg(not(target_os = "l4re"))]
1177        libc::SIGSYS => " (SIGSYS)",
1178        // For information on Linux signals, run `man 7 signal`
1179        #[cfg(all(
1180            target_os = "linux",
1181            any(
1182                target_arch = "x86_64",
1183                target_arch = "x86",
1184                target_arch = "arm",
1185                target_arch = "aarch64"
1186            )
1187        ))]
1188        libc::SIGSTKFLT => " (SIGSTKFLT)",
1189        #[cfg(any(target_os = "linux", target_os = "nto", target_os = "cygwin"))]
1190        libc::SIGPWR => " (SIGPWR)",
1191        #[cfg(any(
1192            target_os = "freebsd",
1193            target_os = "netbsd",
1194            target_os = "openbsd",
1195            target_os = "dragonfly",
1196            target_os = "nto",
1197            target_vendor = "apple",
1198            target_os = "cygwin",
1199        ))]
1200        libc::SIGEMT => " (SIGEMT)",
1201        #[cfg(any(
1202            target_os = "freebsd",
1203            target_os = "netbsd",
1204            target_os = "openbsd",
1205            target_os = "dragonfly",
1206            target_vendor = "apple",
1207        ))]
1208        libc::SIGINFO => " (SIGINFO)",
1209        #[cfg(target_os = "hurd")]
1210        libc::SIGLOST => " (SIGLOST)",
1211        #[cfg(target_os = "freebsd")]
1212        libc::SIGTHR => " (SIGTHR)",
1213        #[cfg(target_os = "freebsd")]
1214        libc::SIGLIBRT => " (SIGLIBRT)",
1215        _ => "",
1216    }
1217}
1218
1219impl fmt::Display for ExitStatus {
1220    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
1221        if let Some(code) = self.code() {
1222            write!(f, "exit status: {code}")
1223        } else if let Some(signal) = self.signal() {
1224            let signal_string = signal_string(signal);
1225            if self.core_dumped() {
1226                write!(f, "signal: {signal}{signal_string} (core dumped)")
1227            } else {
1228                write!(f, "signal: {signal}{signal_string}")
1229            }
1230        } else if let Some(signal) = self.stopped_signal() {
1231            let signal_string = signal_string(signal);
1232            write!(f, "stopped (not terminated) by signal: {signal}{signal_string}")
1233        } else if self.continued() {
1234            write!(f, "continued (WIFCONTINUED)")
1235        } else {
1236            write!(f, "unrecognised wait status: {} {:#x}", self.0, self.0)
1237        }
1238    }
1239}
1240
1241#[derive(PartialEq, Eq, Clone, Copy)]
1242pub struct ExitStatusError(NonZero<c_int>);
1243
1244impl Into<ExitStatus> for ExitStatusError {
1245    fn into(self) -> ExitStatus {
1246        ExitStatus(self.0.into())
1247    }
1248}
1249
1250impl fmt::Debug for ExitStatusError {
1251    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
1252        f.debug_tuple("unix_wait_status").field(&self.0).finish()
1253    }
1254}
1255
1256impl ExitStatusError {
1257    pub fn code(self) -> Option<NonZero<i32>> {
1258        ExitStatus(self.0.into()).code().map(|st| st.try_into().unwrap())
1259    }
1260}
1261
1262#[cfg(target_os = "linux")]
1263mod linux_child_ext {
1264    use crate::io::ErrorKind;
1265    use crate::os::linux::process as os;
1266    use crate::sys::pal::linux::pidfd as imp;
1267    use crate::sys_common::FromInner;
1268    use crate::{io, mem};
1269
1270    #[unstable(feature = "linux_pidfd", issue = "82971")]
1271    impl crate::os::linux::process::ChildExt for crate::process::Child {
1272        fn pidfd(&self) -> io::Result<&os::PidFd> {
1273            self.handle
1274                .pidfd
1275                .as_ref()
1276                // SAFETY: The os type is a transparent wrapper, therefore we can transmute references
1277                .map(|fd| unsafe { mem::transmute::<&imp::PidFd, &os::PidFd>(fd) })
1278                .ok_or_else(|| io::const_error!(ErrorKind::Uncategorized, "no pidfd was created."))
1279        }
1280
1281        fn into_pidfd(mut self) -> Result<os::PidFd, Self> {
1282            self.handle
1283                .pidfd
1284                .take()
1285                .map(|fd| <os::PidFd as FromInner<imp::PidFd>>::from_inner(fd))
1286                .ok_or_else(|| self)
1287        }
1288    }
1289}
1290
1291#[cfg(test)]
1292mod tests;
1293
1294// See [`unsupported_wait_status::compare_with_linux`];
1295#[cfg(all(test, target_os = "linux"))]
1296#[path = "unsupported/wait_status.rs"]
1297mod unsupported_wait_status;