feat(uucore): add stdout write checking and tracking

mattsu2020 · mattsu2020 · commit b0004a04bfa3 · 2025-12-29T16:10:20.000+09:00
Implement mechanism to detect if stdout was closed at process start and track write attempts. Add `check_stdout_write()` to error on writes when stdout is closed, preventing issues in utilities like cp and printf. Use `TrackingWriter` in printf for write monitoring. This improves robustness in scenarios like pipeline redirections or closed stdout.
diff --git a/src/uu/cp/src/cp.rs b/src/uu/cp/src/cp.rs
@@ -139,6 +139,7 @@ pub type CopyResult<T> = Result<T, CpError>;
 fn write_stdout_line(args: fmt::Arguments) -> CopyResult<()> {
     use std::io::Write;
 
+    uucore::check_stdout_write(1)?;
     let mut stdout = io::stdout().lock();
     stdout.write_fmt(args)?;
     stdout.write_all(b"\n")?;
diff --git a/src/uu/printf/src/printf.rs b/src/uu/printf/src/printf.rs
@@ -38,12 +38,13 @@ pub fn uumain(args: impl uucore::Args) -> UResult<()> {
 
     let mut format_seen = false;
     // Parse and process the format string
+    let mut stdout = uucore::TrackingWriter::new(stdout());
     let mut args = FormatArguments::new(&values);
     for item in parse_spec_and_escape(format) {
         if let Ok(FormatItem::Spec(_)) = item {
             format_seen = true;
         }
-        match item?.write(stdout(), &mut args)? {
+        match item?.write(&mut stdout, &mut args)? {
             ControlFlow::Continue(()) => {}
             ControlFlow::Break(()) => return Ok(()),
         }
@@ -70,7 +71,7 @@ pub fn uumain(args: impl uucore::Args) -> UResult<()> {
 
     while !args.is_exhausted() {
         for item in parse_spec_and_escape(format) {
-            match item?.write(stdout(), &mut args)? {
+            match item?.write(&mut stdout, &mut args)? {
                 ControlFlow::Continue(()) => {}
                 ControlFlow::Break(()) => return Ok(()),
             }
diff --git a/src/uucore/src/lib/lib.rs b/src/uucore/src/lib/lib.rs
@@ -144,7 +144,10 @@ use std::iter;
 use std::os::unix::ffi::{OsStrExt, OsStringExt};
 use std::str;
 use std::str::Utf8Chunk;
-use std::sync::{LazyLock, atomic::Ordering};
+use std::sync::{
+    LazyLock,
+    atomic::{AtomicBool, Ordering},
+};
 
 /// Disables the custom signal handlers installed by Rust for stack-overflow handling. With those custom signal handlers processes ignore the first SIGBUS and SIGSEGV signal they receive.
 /// See <https://github.com/rust-lang/rust/blob/8ac1525e091d3db28e67adcbbd6db1e1deaa37fb/src/libstd/sys/unix/stack_overflow.rs#L71-L92> for details.
@@ -169,19 +172,118 @@ pub fn disable_rust_signal_handlers() -> Result<(), Errno> {
 pub fn stdout_is_closed() -> bool {
     #[cfg(unix)]
     {
-        use nix::fcntl::{FcntlArg, fcntl};
-        match fcntl(std::io::stdout(), FcntlArg::F_GETFL) {
-            Ok(_) => false,
-            Err(nix::errno::Errno::EBADF) => true,
-            Err(_) => false,
+        let res = unsafe { nix::libc::fcntl(nix::libc::STDOUT_FILENO, nix::libc::F_GETFL) };
+        if res != -1 {
+            return false;
         }
+        matches!(nix::errno::Errno::last(), nix::errno::Errno::EBADF)
     }
     #[cfg(not(unix))]
     {
         false
     }
 }
 
+static STDOUT_WRITTEN: AtomicBool = AtomicBool::new(false);
+static STDOUT_WAS_CLOSED: AtomicBool = AtomicBool::new(false);
+static STDOUT_WAS_CLOSED_SET: AtomicBool = AtomicBool::new(false);
+
+/// Reset the stdout-written flag for the current process.
+pub fn reset_stdout_written() {
+    STDOUT_WRITTEN.store(false, Ordering::Relaxed);
+}
+
+/// Record whether stdout was closed at process start.
+pub fn set_stdout_was_closed(value: bool) {
+    STDOUT_WAS_CLOSED.store(value, Ordering::Relaxed);
+    STDOUT_WAS_CLOSED_SET.store(true, Ordering::Relaxed);
+}
+
+/// Returns true if stdout was closed at process start.
+pub fn stdout_was_closed() -> bool {
+    STDOUT_WAS_CLOSED.load(Ordering::Relaxed)
+}
+
+/// Initialize stdout state if it wasn't set by early startup code.
+pub fn init_stdout_state() {
+    if !STDOUT_WAS_CLOSED_SET.load(Ordering::Relaxed) {
+        set_stdout_was_closed(stdout_is_closed());
+    }
+}
+
+/// Mark that at least one non-empty write to stdout was attempted.
+pub fn mark_stdout_written() {
+    STDOUT_WRITTEN.store(true, Ordering::Relaxed);
+}
+
+/// Returns true if any write to stdout was attempted.
+pub fn stdout_was_written() -> bool {
+    STDOUT_WRITTEN.load(Ordering::Relaxed)
+}
+
+#[cfg(unix)]
+mod early_stdout_state {
+    use super::set_stdout_was_closed;
+
+    extern "C" fn init() {
+        set_stdout_was_closed(super::stdout_is_closed());
+    }
+
+    #[used]
+    #[cfg_attr(
+        target_os = "macos",
+        unsafe(link_section = "__DATA,__mod_init_func")
+    )]
+    #[cfg_attr(not(target_os = "macos"), unsafe(link_section = ".init_array"))]
+    static INIT: extern "C" fn() = init;
+}
+
+/// Record a pending stdout write and error if stdout was closed at startup.
+pub fn check_stdout_write(len: usize) -> std::io::Result<()> {
+    if len == 0 {
+        return Ok(());
+    }
+    mark_stdout_written();
+    if stdout_was_closed() {
+        #[cfg(unix)]
+        {
+            return Err(std::io::Error::from_raw_os_error(
+                nix::errno::Errno::EBADF as i32,
+            ));
+        }
+        #[cfg(not(unix))]
+        {
+            return Err(std::io::Error::new(
+                std::io::ErrorKind::BrokenPipe,
+                "stdout was closed",
+            ));
+        }
+    }
+    Ok(())
+}
+
+/// A writer wrapper that marks stdout as written when non-empty data is written.
+pub struct TrackingWriter<W> {
+    inner: W,
+}
+
+impl<W> TrackingWriter<W> {
+    pub fn new(inner: W) -> Self {
+        Self { inner }
+    }
+}
+
+impl<W: std::io::Write> std::io::Write for TrackingWriter<W> {
+    fn write(&mut self, buf: &[u8]) -> std::io::Result<usize> {
+        check_stdout_write(buf.len())?;
+        self.inner.write(buf)
+    }
+
+    fn flush(&mut self) -> std::io::Result<()> {
+        self.inner.flush()
+    }
+}
+
 /// Returns true if the error corresponds to writing to a closed stdout.
 pub fn is_closed_stdout_error(err: &std::io::Error, stdout_was_closed: bool) -> bool {
     if !stdout_was_closed {
@@ -228,6 +330,12 @@ macro_rules! bin {
             use std::io::Write;
             use uucore::locale;
 
+            // Capture whether stdout was already closed before we run the utility.
+            // This must happen before any setup that might open files and reuse fd 1.
+            uucore::init_stdout_state();
+            uucore::reset_stdout_written();
+            let stdout_was_closed = uucore::stdout_was_closed();
+
             // Preserve inherited SIGPIPE settings (e.g., from env --default-signal=PIPE)
             uucore::panic::preserve_inherited_sigpipe();
 
@@ -245,17 +353,15 @@ macro_rules! bin {
                     std::process::exit(99)
                 });
 
-            // Capture whether stdout was already closed before we run the utility.
-            // This avoids treating a closed stdout as a flush failure for "silent" commands.
-            let stdout_was_closed = uucore::stdout_is_closed();
-
             // execute utility code
             let mut code = $util::uumain(uucore::args_os());
             // (defensively) flush stdout for utility prior to exit; see <https://github.com/rust-lang/rust/issues/23818>
             if let Err(e) = std::io::stdout().flush() {
                 // Treat write errors as a failure, but ignore BrokenPipe to avoid
                 // breaking utilities that intentionally silence it (e.g., seq).
-                let ignore_closed_stdout = uucore::is_closed_stdout_error(&e, stdout_was_closed);
+                let stdout_was_written = uucore::stdout_was_written();
+                let ignore_closed_stdout = uucore::is_closed_stdout_error(&e, stdout_was_closed)
+                    && !stdout_was_written;
                 if e.kind() != std::io::ErrorKind::BrokenPipe && !ignore_closed_stdout {
                     eprintln!("Error flushing stdout: {e}");
                     if code == 0 {
diff --git a/src/uucore/src/lib/mods/display.rs b/src/uucore/src/lib/mods/display.rs
@@ -49,6 +49,7 @@ pub use os_display::{Quotable, Quoted};
 /// using low-level library calls and bypassing `io::Write`. This is not a big priority
 /// because broken filenames are much rarer on Windows than on Unix.
 pub fn println_verbatim<S: AsRef<OsStr>>(text: S) -> io::Result<()> {
+    crate::check_stdout_write(1)?;
     let mut stdout = io::stdout().lock();
     stdout.write_all_os(text.as_ref())?;
     stdout.write_all(b"\n")?;
@@ -57,6 +58,9 @@ pub fn println_verbatim<S: AsRef<OsStr>>(text: S) -> io::Result<()> {
 
 /// Like `println_verbatim`, without the trailing newline.
 pub fn print_verbatim<S: AsRef<OsStr>>(text: S) -> io::Result<()> {
+    if !text.as_ref().is_empty() {
+        crate::check_stdout_write(1)?;
+    }
     io::stdout().write_all_os(text.as_ref())
 }
 
@@ -125,6 +129,7 @@ impl OsWrite for Box<dyn OsWrite> {
 /// This function handles non-UTF-8 environment variable names and values correctly by using
 /// raw bytes on Unix systems.
 pub fn print_all_env_vars<T: fmt::Display>(line_ending: T) -> io::Result<()> {
+    crate::check_stdout_write(1)?;
     let mut stdout = io::stdout().lock();
     for (name, value) in env::vars_os() {
         stdout.write_all_os(&name)?;
