Handling SIGINT (ctrl-c) with child processes is tricky, but a more pervasive problem for Rust CLI programs is handling SIGPIPE. For historical reasons the compiler adds a signal handler before calling main() which ignores SIGPIPE. It means when you pipe your Rust CLI program's output to something like head, instead of being killed by the signal sent when head closes the pipe, you get a write error and usually print an error message instead of silently dying. You can match on the type of write error and skip printing a message when it's from a broken pipe, but a more subtle problem is that the shell sets the exit status of a program killed by a signal to 128 + the signal number, so 141 in the case of a broken pipe. You can emulate this behaviour by checking for a broken pipe and explicitly exiting with a 141 status code, but it's not possible to fully reproduce being killed by a signal. There's been an issue to make this configurable (the latest proposal is via a compiler flag) for years.
That's good to know; ysh[1] will treat pipelines with a SIGPIPE indicative exit code as successful to allow e.g.
foo |head -n2
In other shells, the status of the pipeline is the exit status of the last process, so in this case that would be head which exits with 0.
Not in e.g. bash with "pipefail" set. However the pipefail option in bash will choke on my previous example, hence treating a SIGPIPE the same as success in ysh.
Yes well, the pipefail option configures bash to do the opposite of its usual behaviour.
The graceful shutdown stuff is good, but always piping the output of child processes is not necessarily the right thing to do. Some processes need stdin (what if it's a shell?) and some processes will be checking if stdout is a tty. What you should do (and Rust doesn't make this easy) is allocate a new pty for your child processes if your own stdout is a tty. Some programs default to this (eg: ssh), others make it configurable (eg: docker).
You're also missing the standard techniques for managing and reaping your children, which I don't see mentioned. You don't need to maintain a registry of child processes for example, at least on Linux there are a few things you can do for this without any global state (PR_SET_PDEATHSIG, PR_SET_CHILD_SUBREAPER, PID namespaces). On MacOS you can write a routine to reap children like a linux init() process would. The registry approach is also fragile: what if library code spawns children?
Also, if the terminal is in raw mode then you'll never get ctrl+C. This is really about signal handling. You also can't gracefully shutdown if you get a SIGKILL, which is why PR_SET_PDEATHSIG and PID namespaces are very nice - they guarantee descendants get killed.
>Also, if the terminal is in raw mode then you'll never get ctrl+C.
The process/thread/task won't receive SIGINT, true. But I believe it will see the character ETX (ASCII 3). Programs that use raw mode input need to do their own keystroke processing.
If you're in raw mode, whether ^C is SIGINT is open for interpretation
Don't use PR_SET_PDEATHSIG. That way lies pain.
I’ve definitely seen all of these problems in Rust programs but they certainly aren’t limited to Rust programs. I do think it would be nice if Rust libraries were a bit more misuse-resistant when it came to preserving a coherent terminal.
I also long for a more misuse-resistant terminal but that seems like a bigger problem.
Nothing here is specific to Rust and applies to any terminal app in any language that spawns a child process.
So none of this should be fixed in Rust just because others have the same problems?
Nothing, that is, except for the examples, the source code, the libraries, and the linked references. But nothing else.
Are you suggesting that the examples, source, libraries, and references for Rust make these mistakes, but other languages don't?
the title: "fixing ... in rust". The problems aren't necessarily rust only problems, the solutions are rust solutions.
I don't think any of the solutions are specific to Rust though? Just like the mistakes you can make hosting child processes can be made in many languages, the solution of e.g. "don't give the child processes your stdout, give it a pipe that you read from" isn't a Rust solution.
I believe @stonogo is saying Rust code is specific to Rust.
I believe the real fun is when doing this on Windows, because it doesn't use Unix signals (and generally speaking you only get the equivalent of SIGKILL but not SIGTERM, but you can opt into ~SIGINT). I was hoping this would actually deal with that…
Are you saying that after the main process has exited, child processes can still run and write to stdout/stderr?
Child processes are created using, generally, 2 syscalls: fork, then exec. When you fork, all file descriptors the main process has open are copied, and are now open in two places. Then, when the child calls exec (to transform itself into the target program), all file descriptors stay open in the new process (unless a specific fd is explicitly configured otherwise, FD_CLOEXEC).
Standard output are just file descriptors with the number 0, 1, and 2, and you can use the dup2 syscall to assign those numbers to some pipes that you originally created before you fork. Now the standard output of your child process is going to those pipes in your parent process. Or you can close those file descriptors, which will prevent the child process from reading/writing them at all. Or you can do nothing, and the copied file descriptors from the parent still apply.
Conceptually, you think of "spawning a child" as something that is in some kind of container (the parent process), but the underlying mechanics are not like this at all, and processes don't actually exist in a "tree", they just happen to keep a record of their "parent process ID" so the OS knows who to notify when the process dies.
> Conceptually, you think of "spawning a child" as something that is in some kind of container (the parent process), but the underlying mechanics are not like this at all,
That is not quite right either, the newly created child processes generally go to the same process group as the parent, the process groups (and sessions) forming those "containers".
Tbh this is one of the many murky areas of UNIX.
My explanation definitely glosses over some details, but a process group isn't really a "container" in any meaningful sense, either. It can be left by any member (who can form a new process group completely unrelated to its old one, setsid), which resets the "controlling terminal" but isn't related to the standard output channels at all.
fork() when followed by exec*() is generally inefficient. That's why vfork(), clone(), and clone3() exist. There's no point in duplicating (even CoW) the entire kernel side and libc internal state of a process if it's going to be replaced with exec*() by a new, unrelated process.
Yes, this is easy to test too:
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
int main() {
pid_t pid = fork();
if (pid == 0) {
sleep(1);
printf("after parent died!\n");
return 0;
}
return 0;
}
I believe I am saying child processes can write to stdout as the main process is shutting down. Also, if the child processes are not shut down properly and are left dangling, and the child processes were set up as 'inherit' to be able to write directly to stdout/stderr then yes.
It seems wrong that the app would be responsible for cleanup... Shouldn't this be solved in the shell / terminal ? What if kill -9?
When you use ctrl+c, you are not killing the program, you are sending it a SIGTERM signal which essentially means « could you please stop yourself ? » so the program have a chance to clean things before exiting.
kill -9 is sending a SIGKILL signal which, well, kills the program immediately.
SIGINT, not SIGTERM.
ctrl-c sends SIGINT.
I hate to be the guy, but I could barely see the code snippets. Is contrast an issue for anyone else? Reader mode improves thins slightly but at the cost of code being unhighlighted and wrapping like crazy.
The highlighting is clearly designed for a dark background but has been given a light background in light mode. Change the bg-neutral-100 to bg-neutral-900 and it’s fine—still not magnificent, but fine.
(But as for barely… if you don’t run JS, then you just don’t see the code snippets, because for some inscrutable reason, unlike the rest of the document, they’re only rendered client-side.)
Yes, the contrast of the code examples is not great. Grey on grey, light pastels and orange does not combine into an easy-to-read color palette for me.
LGTM on a MBP + Brave browser.
This title was close to being a garden path sentence, but ultimately avoided it.
Yes, daemonized children must always be killed; preferably by the parent, but any reaper would also work.
Is that a forking path sentence? If so, whoosh.
I have never undestood why garden path sentences are interesting. They can always be rewritten to make more obvious sense. Its like saying theres a way to take any sentence and remove some words to make its intended meaning confusing. I dont personally find this interesting, just frustrating that the author didnt take more time to use punctuation or more words to convey explicit meaning.
Tell more about garden paths in this context, I'm curious!
I had no idea what a garden path sentence was, too, but wiki to the rescue:
The old man the boat
Time flies like an arrow,
fruit flies like a banana.
The horse raced past the barn fell
I still have never managed to understand that one properly
I think it shall be interpreted like this: The creature who fell was the horse (that was previously raced past the barn). I.e. it was not the barn that fell.
Thankyou that makes sense!
So in reality this is just an incorrect sentence. It should be written as
"The horse that raced past the barn fell"
It should be.
But it’s not incorrect to say
The tree grown tall is the one I planted
The horse raced past had somewhere to go
It’s easier to read
The tree grown tall last year withered
You can artificially push out the point at which the sentence disambiguates between whether the word is past tense or past particle, and make it seem that it’s probably past tense until it can’t be.
You could say that the sentence is LL(k) for an unintuitively high k.
It’s ambigous, but is it incorrect?
If language is constantly changing due to how people use it rather than sticking to a strict set of rules, then in my opinion gramatically correct sentences should always be explicit and never ambiguous.
[dead]
Fearless concurrency with Rust unless you are worried about lifecycle management, threads/co-operation and general ergonomics. Even modern c++ might be better at this (gasp!) with std::jthread
Are there any languages that provide for or care about lifecycle management across address space boundaries? After fork() you're usually fucked and need explicit controls.
Pythons multiprocessing comes to mind
I believe Rust's std::thread::scope is an equivalent.
> Unlike non-scoped threads, scoped threads can borrow non-'static data, as the scope guarantees all threads will be joined at the end of the scope.
> All threads spawned within the scope that haven’t been manually joined will be automatically joined before this function returns.
So, std::jthread is basically fixing std::thread. In C++ it's difficult to fix broken standard library features so they just make a new thing and discard the old busted one. Landfill programming.
The fact Rust actually has scoped threads is unrelated, in Rust they can do this because they have working lifetime checking and in C++ such a feature would be meaningless, you're always assumed to have manually ensured the correct lifetimes and they aren't checked.
Generously you could say they're gesturing at the fact C++ decided to bolt the stop flag mechanic to jthreads, so you can have the old broken threads or this newer non-broken threads which also has built-in stop flags. But that's less choice, it's not as though you can't have a stop flag in Rust.
Ok, but I am literally getting filtered by installing C++ libraries. I haven't accomplished anything in the last 5 days other than determine that the previous libraries are not usable.
Heretic!
Yes, and if you update to a version of LLVM that was released literally a week ago, jthread exists.