Fixing Ctrl+C in Rust terminal apps: Child process management
59 comments
·July 29, 2025mprovost
aidenn0
That's good to know; ysh[1] will treat pipelines with a SIGPIPE indicative exit code as successful to allow e.g.
foo |head -n2
mprovost
In other shells, the status of the pipeline is the exit status of the last process, so in this case that would be head which exits with 0.
aidenn0
Not in e.g. bash with "pipefail" set. However the pipefail option in bash will choke on my previous example, hence treating a SIGPIPE the same as success in ysh.
duped
The graceful shutdown stuff is good, but always piping the output of child processes is not necessarily the right thing to do. Some processes need stdin (what if it's a shell?) and some processes will be checking if stdout is a tty. What you should do (and Rust doesn't make this easy) is allocate a new pty for your child processes if your own stdout is a tty. Some programs default to this (eg: ssh), others make it configurable (eg: docker).
You're also missing the standard techniques for managing and reaping your children, which I don't see mentioned. You don't need to maintain a registry of child processes for example, at least on Linux there are a few things you can do for this without any global state (PR_SET_PDEATHSIG, PR_SET_CHILD_SUBREAPER, PID namespaces). On MacOS you can write a routine to reap children like a linux init() process would. The registry approach is also fragile: what if library code spawns children?
Also, if the terminal is in raw mode then you'll never get ctrl+C. This is really about signal handling. You also can't gracefully shutdown if you get a SIGKILL, which is why PR_SET_PDEATHSIG and PID namespaces are very nice - they guarantee descendants get killed.
wpollock
>Also, if the terminal is in raw mode then you'll never get ctrl+C.
The process/thread/task won't receive SIGINT, true. But I believe it will see the character ETX (ASCII 3). Programs that use raw mode input need to do their own keystroke processing.
duped
If you're in raw mode, whether ^C is SIGINT is open for interpretation
mmastrac
Don't use PR_SET_PDEATHSIG. That way lies pain.
anp
I’ve definitely seen all of these problems in Rust programs but they certainly aren’t limited to Rust programs. I do think it would be nice if Rust libraries were a bit more misuse-resistant when it came to preserving a coherent terminal.
I also long for a more misuse-resistant terminal but that seems like a bigger problem.
vlovich123
Nothing here is specific to Rust and applies to any terminal app in any language that spawns a child process.
alt227
So none of this should be fixed in Rust just because others have the same problems?
stonogo
Nothing, that is, except for the examples, the source code, the libraries, and the linked references. But nothing else.
dwattttt
Are you suggesting that the examples, source, libraries, and references for Rust make these mistakes, but other languages don't?
oatsandsugar
the title: "fixing ... in rust". The problems aren't necessarily rust only problems, the solutions are rust solutions.
mook
I believe the real fun is when doing this on Windows, because it doesn't use Unix signals (and generally speaking you only get the equivalent of SIGKILL but not SIGTERM, but you can opt into ~SIGINT). I was hoping this would actually deal with that…
koakuma-chan
Are you saying that after the main process has exited, child processes can still run and write to stdout/stderr?
CGamesPlay
Child processes are created using, generally, 2 syscalls: fork, then exec. When you fork, all file descriptors the main process has open are copied, and are now open in two places. Then, when the child calls exec (to transform itself into the target program), all file descriptors stay open in the new process (unless a specific fd is explicitly configured otherwise, FD_CLOEXEC).
Standard output are just file descriptors with the number 0, 1, and 2, and you can use the dup2 syscall to assign those numbers to some pipes that you originally created before you fork. Now the standard output of your child process is going to those pipes in your parent process. Or you can close those file descriptors, which will prevent the child process from reading/writing them at all. Or you can do nothing, and the copied file descriptors from the parent still apply.
Conceptually, you think of "spawning a child" as something that is in some kind of container (the parent process), but the underlying mechanics are not like this at all, and processes don't actually exist in a "tree", they just happen to keep a record of their "parent process ID" so the OS knows who to notify when the process dies.
zokier
> Conceptually, you think of "spawning a child" as something that is in some kind of container (the parent process), but the underlying mechanics are not like this at all,
That is not quite right either, the newly created child processes generally go to the same process group as the parent, the process groups (and sessions) forming those "containers".
Tbh this is one of the many murky areas of UNIX.
CGamesPlay
My explanation definitely glosses over some details, but a process group isn't really a "container" in any meaningful sense, either. It can be left by any member (who can form a new process group completely unrelated to its old one, setsid), which resets the "controlling terminal" but isn't related to the standard output channels at all.
burnt-resistor
fork() when followed by exec*() is generally inefficient. That's why vfork(), clone(), and clone3() exist. There's no point in duplicating (even CoW) the entire kernel side and libc internal state of a process if it's going to be replaced with exec*() by a new, unrelated process.
duped
Yes, this is easy to test too:
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
int main() {
pid_t pid = fork();
if (pid == 0) {
sleep(1);
printf("after parent died!\n");
return 0;
}
return 0;
}
Callicles
I believe I am saying child processes can write to stdout as the main process is shutting down. Also, if the child processes are not shut down properly and are left dangling, and the child processes were set up as 'inherit' to be able to write directly to stdout/stderr then yes.
null
silon42
It seems wrong that the app would be responsible for cleanup... Shouldn't this be solved in the shell / terminal ? What if kill -9?
pjerem
When you use ctrl+c, you are not killing the program, you are sending it a SIGTERM signal which essentially means « could you please stop yourself ? » so the program have a chance to clean things before exiting.
kill -9 is sending a SIGKILL signal which, well, kills the program immediately.
sfoley
SIGINT, not SIGTERM.
Vogtinator
ctrl-c sends SIGINT.
rendaw
I hate to be the guy, but I could barely see the code snippets. Is contrast an issue for anyone else? Reader mode improves thins slightly but at the cost of code being unhighlighted and wrapping like crazy.
chrismorgan
The highlighting is clearly designed for a dark background but has been given a light background in light mode. Change the bg-neutral-100 to bg-neutral-900 and it’s fine—still not magnificent, but fine.
(But as for barely… if you don’t run JS, then you just don’t see the code snippets, because for some inscrutable reason, unlike the rest of the document, they’re only rendered client-side.)
dxdm
Yes, the contrast of the code examples is not great. Grey on grey, light pastels and orange does not combine into an easy-to-read color palette for me.
burnt-resistor
LGTM on a MBP + Brave browser.
null
windowshopping
This title was close to being a garden path sentence, but ultimately avoided it.
impish9208
Yes, daemonized children must always be killed; preferably by the parent, but any reaper would also work.
oatsandsugar
Is that a forking path sentence? If so, whoosh.
alt227
I have never undestood why garden path sentences are interesting. They can always be rewritten to make more obvious sense. Its like saying theres a way to take any sentence and remove some words to make its intended meaning confusing. I dont personally find this interesting, just frustrating that the author didnt take more time to use punctuation or more words to convey explicit meaning.
abnercoimbre
Tell more about garden paths in this context, I'm curious!
xoxxala
I had no idea what a garden path sentence was, too, but wiki to the rescue:
oatsandsugar
The old man the boat
oldpersonintx2
[dead]
npalli
Fearless concurrency with Rust unless you are worried about lifecycle management, threads/co-operation and general ergonomics. Even modern c++ might be better at this (gasp!) with std::jthread
duped
Are there any languages that provide for or care about lifecycle management across address space boundaries? After fork() you're usually fucked and need explicit controls.
zokier
Pythons multiprocessing comes to mind
dwattttt
I believe Rust's std::thread::scope is an equivalent.
> Unlike non-scoped threads, scoped threads can borrow non-'static data, as the scope guarantees all threads will be joined at the end of the scope.
> All threads spawned within the scope that haven’t been manually joined will be automatically joined before this function returns.
tialaramex
So, std::jthread is basically fixing std::thread. In C++ it's difficult to fix broken standard library features so they just make a new thing and discard the old busted one. Landfill programming.
The fact Rust actually has scoped threads is unrelated, in Rust they can do this because they have working lifetime checking and in C++ such a feature would be meaningless, you're always assumed to have manually ensured the correct lifetimes and they aren't checked.
Generously you could say they're gesturing at the fact C++ decided to bolt the stop flag mechanic to jthreads, so you can have the old broken threads or this newer non-broken threads which also has built-in stop flags. But that's less choice, it's not as though you can't have a stop flag in Rust.
imtringued
Ok, but I am literally getting filtered by installing C++ libraries. I haven't accomplished anything in the last 5 days other than determine that the previous libraries are not usable.
psyclobe
Heretic!
jeffbee
Yes, and if you update to a version of LLVM that was released literally a week ago, jthread exists.
Handling SIGINT (ctrl-c) with child processes is tricky, but a more pervasive problem for Rust CLI programs is handling SIGPIPE. For historical reasons the compiler adds a signal handler before calling main() which ignores SIGPIPE. It means when you pipe your Rust CLI program's output to something like head, instead of being killed by the signal sent when head closes the pipe, you get a write error and usually print an error message instead of silently dying. You can match on the type of write error and skip printing a message when it's from a broken pipe, but a more subtle problem is that the shell sets the exit status of a program killed by a signal to 128 + the signal number, so 141 in the case of a broken pipe. You can emulate this behaviour by checking for a broken pipe and explicitly exiting with a 141 status code, but it's not possible to fully reproduce being killed by a signal. There's been an issue to make this configurable (the latest proposal is via a compiler flag) for years.