1 use crate::os::windows::prelude::*;
2
3 use crate::ffi::OsStr;
4 use crate::io::{self, IoSlice, IoSliceMut};
5 use crate::mem;
6 use crate::path::Path;
7 use crate::ptr;
8 use crate::slice;
9 use crate::sync::atomic::AtomicUsize;
10 use crate::sync::atomic::Ordering::SeqCst;
11 use crate::sys::c;
12 use crate::sys::fs::{File, OpenOptions};
13 use crate::sys::handle::Handle;
14 use crate::sys::hashmap_random_keys;
15 use crate::sys_common::IntoInner;
16
17 ////////////////////////////////////////////////////////////////////////////////
18 // Anonymous pipes
19 ////////////////////////////////////////////////////////////////////////////////
20
21 pub struct AnonPipe {
22 inner: Handle,
23 }
24
25 impl IntoInner<Handle> for AnonPipe {
into_inner(self) -> Handle26 fn into_inner(self) -> Handle {
27 self.inner
28 }
29 }
30
31 pub struct Pipes {
32 pub ours: AnonPipe,
33 pub theirs: AnonPipe,
34 }
35
36 /// Although this looks similar to `anon_pipe` in the Unix module it's actually
37 /// subtly different. Here we'll return two pipes in the `Pipes` return value,
38 /// but one is intended for "us" where as the other is intended for "someone
39 /// else".
40 ///
41 /// Currently the only use case for this function is pipes for stdio on
42 /// processes in the standard library, so "ours" is the one that'll stay in our
43 /// process whereas "theirs" will be inherited to a child.
44 ///
45 /// The ours/theirs pipes are *not* specifically readable or writable. Each
46 /// one only supports a read or a write, but which is which depends on the
47 /// boolean flag given. If `ours_readable` is `true`, then `ours` is readable and
48 /// `theirs` is writable. Conversely, if `ours_readable` is `false`, then `ours`
49 /// is writable and `theirs` is readable.
50 ///
51 /// Also note that the `ours` pipe is always a handle opened up in overlapped
52 /// mode. This means that technically speaking it should only ever be used
53 /// with `OVERLAPPED` instances, but also works out ok if it's only ever used
54 /// once at a time (which we do indeed guarantee).
anon_pipe(ours_readable: bool, their_handle_inheritable: bool) -> io::Result<Pipes>55 pub fn anon_pipe(ours_readable: bool, their_handle_inheritable: bool) -> io::Result<Pipes> {
56 // Note that we specifically do *not* use `CreatePipe` here because
57 // unfortunately the anonymous pipes returned do not support overlapped
58 // operations. Instead, we create a "hopefully unique" name and create a
59 // named pipe which has overlapped operations enabled.
60 //
61 // Once we do this, we connect do it as usual via `CreateFileW`, and then
62 // we return those reader/writer halves. Note that the `ours` pipe return
63 // value is always the named pipe, whereas `theirs` is just the normal file.
64 // This should hopefully shield us from child processes which assume their
65 // stdout is a named pipe, which would indeed be odd!
66 unsafe {
67 let ours;
68 let mut name;
69 let mut tries = 0;
70 let mut reject_remote_clients_flag = c::PIPE_REJECT_REMOTE_CLIENTS;
71 loop {
72 tries += 1;
73 name = format!(
74 r"\\.\pipe\__rust_anonymous_pipe1__.{}.{}",
75 c::GetCurrentProcessId(),
76 random_number()
77 );
78 let wide_name = OsStr::new(&name).encode_wide().chain(Some(0)).collect::<Vec<_>>();
79 let mut flags = c::FILE_FLAG_FIRST_PIPE_INSTANCE | c::FILE_FLAG_OVERLAPPED;
80 if ours_readable {
81 flags |= c::PIPE_ACCESS_INBOUND;
82 } else {
83 flags |= c::PIPE_ACCESS_OUTBOUND;
84 }
85
86 let handle = c::CreateNamedPipeW(
87 wide_name.as_ptr(),
88 flags,
89 c::PIPE_TYPE_BYTE
90 | c::PIPE_READMODE_BYTE
91 | c::PIPE_WAIT
92 | reject_remote_clients_flag,
93 1,
94 4096,
95 4096,
96 0,
97 ptr::null_mut(),
98 );
99
100 // We pass the `FILE_FLAG_FIRST_PIPE_INSTANCE` flag above, and we're
101 // also just doing a best effort at selecting a unique name. If
102 // `ERROR_ACCESS_DENIED` is returned then it could mean that we
103 // accidentally conflicted with an already existing pipe, so we try
104 // again.
105 //
106 // Don't try again too much though as this could also perhaps be a
107 // legit error.
108 // If `ERROR_INVALID_PARAMETER` is returned, this probably means we're
109 // running on pre-Vista version where `PIPE_REJECT_REMOTE_CLIENTS` is
110 // not supported, so we continue retrying without it. This implies
111 // reduced security on Windows versions older than Vista by allowing
112 // connections to this pipe from remote machines.
113 // Proper fix would increase the number of FFI imports and introduce
114 // significant amount of Windows XP specific code with no clean
115 // testing strategy
116 // For more info, see https://github.com/rust-lang/rust/pull/37677.
117 if handle == c::INVALID_HANDLE_VALUE {
118 let err = io::Error::last_os_error();
119 let raw_os_err = err.raw_os_error();
120 if tries < 10 {
121 if raw_os_err == Some(c::ERROR_ACCESS_DENIED as i32) {
122 continue;
123 } else if reject_remote_clients_flag != 0
124 && raw_os_err == Some(c::ERROR_INVALID_PARAMETER as i32)
125 {
126 reject_remote_clients_flag = 0;
127 tries -= 1;
128 continue;
129 }
130 }
131 return Err(err);
132 }
133 ours = Handle::from_raw_handle(handle);
134 break;
135 }
136
137 // Connect to the named pipe we just created. This handle is going to be
138 // returned in `theirs`, so if `ours` is readable we want this to be
139 // writable, otherwise if `ours` is writable we want this to be
140 // readable.
141 //
142 // Additionally we don't enable overlapped mode on this because most
143 // client processes aren't enabled to work with that.
144 let mut opts = OpenOptions::new();
145 opts.write(ours_readable);
146 opts.read(!ours_readable);
147 opts.share_mode(0);
148 let size = mem::size_of::<c::SECURITY_ATTRIBUTES>();
149 let mut sa = c::SECURITY_ATTRIBUTES {
150 nLength: size as c::DWORD,
151 lpSecurityDescriptor: ptr::null_mut(),
152 bInheritHandle: their_handle_inheritable as i32,
153 };
154 opts.security_attributes(&mut sa);
155 let theirs = File::open(Path::new(&name), &opts)?;
156 let theirs = AnonPipe { inner: theirs.into_inner() };
157
158 Ok(Pipes {
159 ours: AnonPipe { inner: ours },
160 theirs: AnonPipe { inner: theirs.into_inner() },
161 })
162 }
163 }
164
random_number() -> usize165 fn random_number() -> usize {
166 static N: AtomicUsize = AtomicUsize::new(0);
167 loop {
168 if N.load(SeqCst) != 0 {
169 return N.fetch_add(1, SeqCst);
170 }
171
172 N.store(hashmap_random_keys().0 as usize, SeqCst);
173 }
174 }
175
176 impl AnonPipe {
handle(&self) -> &Handle177 pub fn handle(&self) -> &Handle {
178 &self.inner
179 }
into_handle(self) -> Handle180 pub fn into_handle(self) -> Handle {
181 self.inner
182 }
183
read(&self, buf: &mut [u8]) -> io::Result<usize>184 pub fn read(&self, buf: &mut [u8]) -> io::Result<usize> {
185 self.inner.read(buf)
186 }
187
read_vectored(&self, bufs: &mut [IoSliceMut<'_>]) -> io::Result<usize>188 pub fn read_vectored(&self, bufs: &mut [IoSliceMut<'_>]) -> io::Result<usize> {
189 self.inner.read_vectored(bufs)
190 }
191
192 #[inline]
is_read_vectored(&self) -> bool193 pub fn is_read_vectored(&self) -> bool {
194 self.inner.is_read_vectored()
195 }
196
write(&self, buf: &[u8]) -> io::Result<usize>197 pub fn write(&self, buf: &[u8]) -> io::Result<usize> {
198 self.inner.write(buf)
199 }
200
write_vectored(&self, bufs: &[IoSlice<'_>]) -> io::Result<usize>201 pub fn write_vectored(&self, bufs: &[IoSlice<'_>]) -> io::Result<usize> {
202 self.inner.write_vectored(bufs)
203 }
204
205 #[inline]
is_write_vectored(&self) -> bool206 pub fn is_write_vectored(&self) -> bool {
207 self.inner.is_write_vectored()
208 }
209 }
210
read2(p1: AnonPipe, v1: &mut Vec<u8>, p2: AnonPipe, v2: &mut Vec<u8>) -> io::Result<()>211 pub fn read2(p1: AnonPipe, v1: &mut Vec<u8>, p2: AnonPipe, v2: &mut Vec<u8>) -> io::Result<()> {
212 let p1 = p1.into_handle();
213 let p2 = p2.into_handle();
214
215 let mut p1 = AsyncPipe::new(p1, v1)?;
216 let mut p2 = AsyncPipe::new(p2, v2)?;
217 let objs = [p1.event.as_raw_handle(), p2.event.as_raw_handle()];
218
219 // In a loop we wait for either pipe's scheduled read operation to complete.
220 // If the operation completes with 0 bytes, that means EOF was reached, in
221 // which case we just finish out the other pipe entirely.
222 //
223 // Note that overlapped I/O is in general super unsafe because we have to
224 // be careful to ensure that all pointers in play are valid for the entire
225 // duration of the I/O operation (where tons of operations can also fail).
226 // The destructor for `AsyncPipe` ends up taking care of most of this.
227 loop {
228 let res = unsafe { c::WaitForMultipleObjects(2, objs.as_ptr(), c::FALSE, c::INFINITE) };
229 if res == c::WAIT_OBJECT_0 {
230 if !p1.result()? || !p1.schedule_read()? {
231 return p2.finish();
232 }
233 } else if res == c::WAIT_OBJECT_0 + 1 {
234 if !p2.result()? || !p2.schedule_read()? {
235 return p1.finish();
236 }
237 } else {
238 return Err(io::Error::last_os_error());
239 }
240 }
241 }
242
243 struct AsyncPipe<'a> {
244 pipe: Handle,
245 event: Handle,
246 overlapped: Box<c::OVERLAPPED>, // needs a stable address
247 dst: &'a mut Vec<u8>,
248 state: State,
249 }
250
251 #[derive(PartialEq, Debug)]
252 enum State {
253 NotReading,
254 Reading,
255 Read(usize),
256 }
257
258 impl<'a> AsyncPipe<'a> {
new(pipe: Handle, dst: &'a mut Vec<u8>) -> io::Result<AsyncPipe<'a>>259 fn new(pipe: Handle, dst: &'a mut Vec<u8>) -> io::Result<AsyncPipe<'a>> {
260 // Create an event which we'll use to coordinate our overlapped
261 // operations, this event will be used in WaitForMultipleObjects
262 // and passed as part of the OVERLAPPED handle.
263 //
264 // Note that we do a somewhat clever thing here by flagging the
265 // event as being manually reset and setting it initially to the
266 // signaled state. This means that we'll naturally fall through the
267 // WaitForMultipleObjects call above for pipes created initially,
268 // and the only time an even will go back to "unset" will be once an
269 // I/O operation is successfully scheduled (what we want).
270 let event = Handle::new_event(true, true)?;
271 let mut overlapped: Box<c::OVERLAPPED> = unsafe { Box::new(mem::zeroed()) };
272 overlapped.hEvent = event.as_raw_handle();
273 Ok(AsyncPipe { pipe, overlapped, event, dst, state: State::NotReading })
274 }
275
276 /// Executes an overlapped read operation.
277 ///
278 /// Must not currently be reading, and returns whether the pipe is currently
279 /// at EOF or not. If the pipe is not at EOF then `result()` must be called
280 /// to complete the read later on (may block), but if the pipe is at EOF
281 /// then `result()` should not be called as it will just block forever.
schedule_read(&mut self) -> io::Result<bool>282 fn schedule_read(&mut self) -> io::Result<bool> {
283 assert_eq!(self.state, State::NotReading);
284 let amt = unsafe {
285 let slice = slice_to_end(self.dst);
286 self.pipe.read_overlapped(slice, &mut *self.overlapped)?
287 };
288
289 // If this read finished immediately then our overlapped event will
290 // remain signaled (it was signaled coming in here) and we'll progress
291 // down to the method below.
292 //
293 // Otherwise the I/O operation is scheduled and the system set our event
294 // to not signaled, so we flag ourselves into the reading state and move
295 // on.
296 self.state = match amt {
297 Some(0) => return Ok(false),
298 Some(amt) => State::Read(amt),
299 None => State::Reading,
300 };
301 Ok(true)
302 }
303
304 /// Wait for the result of the overlapped operation previously executed.
305 ///
306 /// Takes a parameter `wait` which indicates if this pipe is currently being
307 /// read whether the function should block waiting for the read to complete.
308 ///
309 /// Returns values:
310 ///
311 /// * `true` - finished any pending read and the pipe is not at EOF (keep
312 /// going)
313 /// * `false` - finished any pending read and pipe is at EOF (stop issuing
314 /// reads)
result(&mut self) -> io::Result<bool>315 fn result(&mut self) -> io::Result<bool> {
316 let amt = match self.state {
317 State::NotReading => return Ok(true),
318 State::Reading => self.pipe.overlapped_result(&mut *self.overlapped, true)?,
319 State::Read(amt) => amt,
320 };
321 self.state = State::NotReading;
322 unsafe {
323 let len = self.dst.len();
324 self.dst.set_len(len + amt);
325 }
326 Ok(amt != 0)
327 }
328
329 /// Finishes out reading this pipe entirely.
330 ///
331 /// Waits for any pending and schedule read, and then calls `read_to_end`
332 /// if necessary to read all the remaining information.
finish(&mut self) -> io::Result<()>333 fn finish(&mut self) -> io::Result<()> {
334 while self.result()? && self.schedule_read()? {
335 // ...
336 }
337 Ok(())
338 }
339 }
340
341 impl<'a> Drop for AsyncPipe<'a> {
drop(&mut self)342 fn drop(&mut self) {
343 match self.state {
344 State::Reading => {}
345 _ => return,
346 }
347
348 // If we have a pending read operation, then we have to make sure that
349 // it's *done* before we actually drop this type. The kernel requires
350 // that the `OVERLAPPED` and buffer pointers are valid for the entire
351 // I/O operation.
352 //
353 // To do that, we call `CancelIo` to cancel any pending operation, and
354 // if that succeeds we wait for the overlapped result.
355 //
356 // If anything here fails, there's not really much we can do, so we leak
357 // the buffer/OVERLAPPED pointers to ensure we're at least memory safe.
358 if self.pipe.cancel_io().is_err() || self.result().is_err() {
359 let buf = mem::take(self.dst);
360 let overlapped = Box::new(unsafe { mem::zeroed() });
361 let overlapped = mem::replace(&mut self.overlapped, overlapped);
362 mem::forget((buf, overlapped));
363 }
364 }
365 }
366
slice_to_end(v: &mut Vec<u8>) -> &mut [u8]367 unsafe fn slice_to_end(v: &mut Vec<u8>) -> &mut [u8] {
368 if v.capacity() == 0 {
369 v.reserve(16);
370 }
371 if v.capacity() == v.len() {
372 v.reserve(1);
373 }
374 slice::from_raw_parts_mut(v.as_mut_ptr().add(v.len()), v.capacity() - v.len())
375 }
376