std/sys/
exit_guard.rs

1cfg_if::cfg_if! {
2    if #[cfg(target_os = "linux")] {
3        /// Mitigation for <https://github.com/rust-lang/rust/issues/126600>
4        ///
5        /// On glibc, `libc::exit` has been observed to not always be thread-safe.
6        /// It is currently unclear whether that is a glibc bug or allowed by the standard.
7        /// To mitigate this problem, we ensure that only one
8        /// Rust thread calls `libc::exit` (or returns from `main`) by calling this function before
9        /// calling `libc::exit` (or returning from `main`).
10        ///
11        /// Technically, this is not enough to ensure soundness, since other code directly calling
12        /// `libc::exit` will still race with this.
13        ///
14        /// *This function does not itself call `libc::exit`.* This is so it can also be used
15        /// to guard returning from `main`.
16        ///
17        /// This function will return only the first time it is called in a process.
18        ///
19        /// * If it is called again on the same thread as the first call, it will abort.
20        /// * If it is called again on a different thread, it will wait in a loop
21        ///   (waiting for the process to exit).
22        #[cfg_attr(any(test, doctest), allow(dead_code))]
23        pub(crate) fn unique_thread_exit() {
24            use crate::ffi::c_int;
25            use crate::ptr;
26            use crate::sync::atomic::AtomicPtr;
27            use crate::sync::atomic::Ordering::{Acquire, Relaxed};
28
29            static EXITING_THREAD_ID: AtomicPtr<c_int> = AtomicPtr::new(ptr::null_mut());
30
31            // We use the address of `errno` as a cheap and safe way to identify
32            // threads. As the C standard mandates that `errno` must have thread
33            // storage duration, we can rely on its address not changing over the
34            // lifetime of the thread. Additionally, accesses to `errno` are
35            // async-signal-safe, so this function is available in all imaginable
36            // circumstances.
37            let this_thread_id = crate::sys::os::errno_location();
38            match EXITING_THREAD_ID.compare_exchange(ptr::null_mut(), this_thread_id, Acquire, Relaxed) {
39                Ok(_) => {
40                    // This is the first thread to call `unique_thread_exit`,
41                    // and this is the first time it is called. Continue exiting.
42                }
43                Err(exiting_thread_id) if exiting_thread_id == this_thread_id => {
44                    // This is the first thread to call `unique_thread_exit`,
45                    // but this is the second time it is called.
46                    // Abort the process.
47                    core::panicking::panic_nounwind("std::process::exit called re-entrantly")
48                }
49                Err(_) => {
50                    // This is not the first thread to call `unique_thread_exit`.
51                    // Pause until the process exits.
52                    loop {
53                        // Safety: libc::pause is safe to call.
54                        unsafe { libc::pause(); }
55                    }
56                }
57            }
58        }
59    } else {
60        /// Mitigation for <https://github.com/rust-lang/rust/issues/126600>
61        ///
62        /// Mitigation is ***NOT*** implemented on this platform, either because this platform
63        /// is not affected, or because mitigation is not yet implemented for this platform.
64        #[cfg_attr(any(test, doctest), allow(dead_code))]
65        pub(crate) fn unique_thread_exit() {
66            // Mitigation not required on platforms where `exit` is thread-safe.
67        }
68    }
69}