tacet 0.4.2

Detect timing side channels in cryptographic code
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204

//! File-based locking for kperf exclusive PMU access.
//!
//! The macOS kpc API requires exclusive system-wide access to PMU counters via
//! `kpc_force_all_ctrs_set(1)`. When multiple processes try to initialize kperf
//! simultaneously (e.g., nextest running tests in parallel), only one can succeed.
//!
//! This module provides file-based locking to serialize kperf initialization across
//! processes, with graceful fallback when the lock cannot be acquired.
//!
//! # Deadlock Resistance
//!
//! - Uses `LOCK_NB` (non-blocking) with timeout - never blocks indefinitely
//! - `flock` auto-releases when process exits (even on crash/SIGKILL)
//! - Single resource (one lock file) - circular dependencies impossible

use std::fs::{File, OpenOptions};
use std::io;
use std::os::unix::fs::OpenOptionsExt;
use std::os::unix::io::AsRawFd;
use std::time::{Duration, Instant};

extern crate libc;

/// Lock file path for kperf PMU access serialization.
/// Using /tmp ensures world-writable access and local filesystem (not NFS).
const LOCK_FILE_PATH: &str = "/tmp/tacet-kperf.lock";

/// Default timeout for acquiring the lock.
/// 200ms is generous for typical test initialization while not blocking too long.
const DEFAULT_LOCK_TIMEOUT: Duration = Duration::from_millis(200);

/// Result of attempting to acquire the kperf lock.
#[derive(Debug)]
pub enum LockResult {
    /// Lock acquired successfully; holder must keep the guard alive.
    Acquired(LockGuard),
    /// Lock acquisition timed out; another process holds PMU access.
    Timeout,
    /// Lock file could not be created/opened.
    IoError(io::Error),
}

/// RAII guard that releases the lock when dropped.
///
/// The lock is automatically released when:
/// - This guard is dropped
/// - The process exits (normally or via signal)
/// - The file descriptor is closed
pub struct LockGuard {
    file: File,
}

impl Drop for LockGuard {
    fn drop(&mut self) {
        // flock is automatically released when file is closed,
        // but explicit unlock is good practice
        unsafe {
            libc::flock(self.file.as_raw_fd(), libc::LOCK_UN);
        }
    }
}

// Implement Debug manually to avoid exposing file internals
impl std::fmt::Debug for LockGuard {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        f.debug_struct("LockGuard").field("locked", &true).finish()
    }
}

/// Try to acquire exclusive lock for kperf PMU access.
///
/// # Arguments
///
/// * `timeout` - Maximum time to wait for the lock
///
/// # Returns
///
/// - `LockResult::Acquired(guard)` - Lock acquired, keep guard alive while using PMU
/// - `LockResult::Timeout` - Another process holds the lock
/// - `LockResult::IoError(e)` - Failed to create/open lock file
pub fn try_acquire(timeout: Duration) -> LockResult {
    // Open/create lock file with world-writable permissions (0666)
    // This ensures any user can acquire the lock, even if a previous run
    // created it as root. The mode is masked by umask on creation.
    let file = match OpenOptions::new()
        .write(true)
        .create(true)
        .truncate(false)
        .mode(0o666)
        .open(LOCK_FILE_PATH)
    {
        Ok(f) => f,
        Err(e) => return LockResult::IoError(e),
    };

    let fd = file.as_raw_fd();
    let start = Instant::now();

    // Try non-blocking lock in a loop with small sleeps
    loop {
        // LOCK_EX = exclusive lock, LOCK_NB = non-blocking
        let result = unsafe { libc::flock(fd, libc::LOCK_EX | libc::LOCK_NB) };

        if result == 0 {
            // Lock acquired successfully
            return LockResult::Acquired(LockGuard { file });
        }

        // Check errno - EWOULDBLOCK means lock held by another process
        let errno = io::Error::last_os_error();
        if errno.kind() != io::ErrorKind::WouldBlock {
            // Unexpected error
            return LockResult::IoError(errno);
        }

        // Check if we've exceeded timeout
        if start.elapsed() >= timeout {
            return LockResult::Timeout;
        }

        // Sleep briefly before retrying (10ms)
        std::thread::sleep(Duration::from_millis(10));
    }
}

/// Acquire lock with default timeout (200ms).
pub fn try_acquire_default() -> LockResult {
    try_acquire(DEFAULT_LOCK_TIMEOUT)
}

#[cfg(test)]
mod tests {
    use super::*;

    /// Helper to skip tests that require lock file access.
    /// Returns true if lock is available, false if we should skip.
    fn can_acquire_lock() -> bool {
        match try_acquire_default() {
            LockResult::Acquired(_) => true,
            LockResult::IoError(e) if e.kind() == io::ErrorKind::PermissionDenied => {
                eprintln!(
                    "Skipping kperf lock test: permission denied (lock file may be owned by root)"
                );
                false
            }
            LockResult::Timeout => {
                eprintln!("Skipping kperf lock test: lock held by another process");
                false
            }
            LockResult::IoError(e) => {
                eprintln!("Skipping kperf lock test: I/O error: {}", e);
                false
            }
        }
    }

    #[test]
    fn test_lock_acquire_release() {
        // Skip if lock file isn't accessible (e.g., owned by root from sudo run)
        if !can_acquire_lock() {
            return;
        }

        // Should be able to acquire lock
        let result = try_acquire_default();
        assert!(
            matches!(result, LockResult::Acquired(_)),
            "Should acquire lock: {:?}",
            result
        );

        // Guard dropped here, lock released
    }

    #[test]
    fn test_lock_contention_same_process() {
        // Skip if lock file isn't accessible
        let guard1 = match try_acquire_default() {
            LockResult::Acquired(g) => g,
            LockResult::IoError(e) if e.kind() == io::ErrorKind::PermissionDenied => {
                tracing::debug!("Skipping: permission denied");
                return;
            }
            LockResult::Timeout => {
                tracing::debug!("Skipping: lock held by another process");
                return;
            }
            other => panic!("Unexpected result: {:?}", other),
        };

        // Second acquire (different fd) should timeout since first holds lock
        let result = try_acquire(Duration::from_millis(50));
        assert!(
            matches!(result, LockResult::Timeout),
            "Expected timeout, got: {:?}",
            result
        );

        // After dropping first guard, should be able to acquire
        drop(guard1);
        let guard3 = try_acquire_default();
        assert!(matches!(guard3, LockResult::Acquired(_)));
    }
}