Skip to main content

sqlite_graphrag/
signals.rs

1//! Cross-platform signal handling: SIGINT, SIGTERM, SIGHUP.
2
3use std::sync::atomic::Ordering;
4
5/// Registers the global shutdown handler for Ctrl+C / SIGTERM / SIGHUP.
6///
7/// First signal: sets [`SHUTDOWN`](crate::SHUTDOWN) flag, cancels the global
8/// cancellation token and emits a best-effort notice on stderr.
9///
10/// Second signal: calls [`std::process::exit(130)`] for immediate termination
11/// following Unix convention (128 + SIGINT=2) — with ZERO I/O on that path.
12///
13/// # G42/S8 — panic-free by contract
14///
15/// The pre-v1.0.79 handler used `eprintln!` (second signal) and
16/// `tracing::warn!` (first signal). When the parent shell dies the CLI is
17/// reparented to PID 1 and stderr becomes a CLOSED pipe; `eprintln!` then
18/// panics with `BrokenPipe`, which under `panic = "abort"` becomes the
19/// SIGABRT observed on the "ctrl-c" thread (G42/C2 crash report). This
20/// handler therefore:
21/// - writes the first-signal notice with `writeln!` and IGNORES any I/O
22///   error (`let _ =`), never panicking;
23/// - performs NO I/O at all on the forced-exit path.
24///
25/// BrokenPipe on stdout/stderr elsewhere is handled by resetting SIGPIPE
26/// to its default disposition in `main` (clean exit 141, Unix convention).
27pub fn register_shutdown_handler() {
28    // SIGINT: ctrlc crate (cross-platform, the only signal that works on
29    // both Unix and Windows without a tokio runtime).
30    if let Err(e) = ctrlc::set_handler(move || {
31        handle_first_signal("SIGINT", 2);
32    }) {
33        tracing::warn!(target: "signals", error = %e, "SIGINT handler registration failed");
34    }
35
36    // SIGTERM + SIGHUP: signal-hook (Unix only; Windows uses TerminateProcess
37    // for SIGTERM equivalents and has no SIGHUP).
38    #[cfg(unix)]
39    {
40        use std::sync::mpsc;
41        let (tx, rx) = mpsc::channel::<i32>();
42
43        let mut signals = match signal_hook::iterator::Signals::new([
44            signal_hook::consts::SIGTERM,
45            signal_hook::consts::SIGHUP,
46        ]) {
47            Ok(s) => s,
48            Err(e) => {
49                tracing::warn!(target: "signals", error = %e, "SIGTERM/SIGHUP handler registration failed");
50                return;
51            }
52        };
53
54        // Detached thread: lives until process exit. The kernel kills it
55        // automatically on process termination. We do NOT join it because
56        // that would require the CLI to wait for an indeterminate signal.
57        std::thread::Builder::new()
58            .name("sqlite-graphrag-sigterm".into())
59            .spawn(move || {
60                for sig in signals.forever() {
61                    if tx.send(sig).is_err() {
62                        break;
63                    }
64                }
65            })
66            .inspect_err(|e| tracing::warn!(target: "signals", error = %e, "SIGTERM/SIGHUP handler thread spawn failed"))
67            .ok();
68
69        // Drain thread: blocks on the channel and calls the same handler
70        // used by the SIGINT path. Synchronous main() can't await this,
71        // but the channel is bounded so a 100ms wait is fine.
72        std::thread::Builder::new()
73            .name("sqlite-graphrag-sigterm-drain".into())
74            .spawn(move || {
75                while let Ok(sig) = rx.recv() {
76                    let (name, number) = match sig {
77                        libc::SIGTERM => ("SIGTERM", 15u8),
78                        libc::SIGHUP => ("SIGHUP", 1u8),
79                        _ => continue,
80                    };
81                    handle_first_signal(name, number);
82                }
83            })
84            .inspect_err(|e| tracing::warn!(target: "signals", error = %e, "SIGTERM drain thread spawn failed"))
85            .ok();
86    }
87}
88
89/// First-signal handler shared by both SIGINT (via  crate) and
90/// SIGTERM/SIGHUP (via signal-hook).
91///
92/// Idempotent: only the first invocation does work. The Ctrl+C handler is
93/// synchronous (no tokio runtime is built in the LLM-only main path).
94/// The SIGTERM/SIGHUP task is async but the underlying work is atomic via
95/// the  fetch_add pattern.
96fn handle_first_signal(signal_name: &'static str, signal_number: u8) {
97    let prev = crate::SIGNAL_COUNT.fetch_add(1, Ordering::AcqRel);
98    if prev != 0 {
99        // Second signal: forced shutdown, NO I/O (G42/S8).
100        std::process::exit(130);
101    }
102    crate::SHUTDOWN.store(true, Ordering::Release);
103    crate::SIGNAL_NUMBER.store(signal_number, Ordering::Release);
104    crate::cancel_token().cancel();
105
106    // Best-effort stderr notice: closed pipe must NEVER abort (G42/S8).
107    use std::io::Write;
108    let _ = writeln!(
109        std::io::stderr(),
110        "shutdown signal received ({signal_name}); finishing current operation gracefully"
111    );
112
113    // GAP-002 (v1.0.82): emit JSON envelope to stdout before exit so that
114    // piped consumers receive a parseable error with `code: 19`
115    // (SHUTDOWN_EXIT_CODE) instead of an empty stdout that triggers
116    // a parse error. Best-effort: if stdout is closed, writeln fails
117    // silently.
118    let envelope = format!(
119        "{{\"error\":true,\"code\":19,\"message\":\"shutdown signal received; operation cancelled by {signal_name}\",\"signal\":\"{signal_name}\",\"graceful\":true}}"
120    );
121    let mut stdout = std::io::stdout().lock();
122    let _ = writeln!(stdout, "{envelope}");
123    let _ = stdout.flush();
124}
125
126#[cfg(test)]
127mod tests {
128    /// G42/S8 regression guard: the SHARED `handle_first_signal` function
129    /// (called by both the SIGINT ctrlc closure and the SIGTERM/SIGHUP
130    /// signal-hook drain) must not contain `eprintln!` or `tracing::warn!`
131    /// — both can panic (and abort under `panic = "abort"`) when stderr
132    /// is a closed pipe in an orphaned process.
133    #[test]
134    fn handler_source_has_no_panicking_io() {
135        let source = include_str!("signals.rs");
136        // The shared first-signal body starts at `fn handle_first_signal`
137        // and ends at the closing brace of the function. We locate the
138        // start of the next free-standing function or the test module
139        // as the boundary.
140        let body_start = source
141            .find("fn handle_first_signal(")
142            .expect("handle_first_signal must exist");
143        let after_body = source[body_start..]
144            .find("\nfn ")
145            .or_else(|| source[body_start..].find("\n#[cfg(test)]"))
146            .expect("body boundary not found");
147        let body = &source[body_start..body_start + after_body];
148        assert!(
149            !body.contains("eprintln!"),
150            "handle_first_signal must not use eprintln! (BrokenPipe panic, G42/C2)"
151        );
152        assert!(
153            !body.contains("tracing::"),
154            "handle_first_signal must not use tracing (stderr I/O can panic, G42/C2)"
155        );
156        assert!(
157            body.contains("let _ = writeln!"),
158            "first-signal notice must be a best-effort write"
159        );
160        assert!(
161            body.contains("std::process::exit(130)"),
162            "forced-exit path must remain in the shared handler"
163        );
164    }
165
166    /// GAP-002 (v1.0.82) regression guard: the JSON envelope must use
167    /// the deterministic SHUTDOWN_EXIT_CODE (19) so LLM agents can
168    /// branch on a single code regardless of the triggering signal.
169    #[test]
170    fn envelope_uses_shutdown_exit_code() {
171        let source = include_str!("signals.rs");
172        // The envelope format string contains "code":19.
173        assert!(
174            source.contains("\\\"code\\\":19"),
175            "shutdown envelope must embed SHUTDOWN_EXIT_CODE = 19"
176        );
177    }
178
179    /// GAP-002 (v1.0.82) regression guard: `AppError::Shutdown` is the
180    /// canonical error variant for shutdown. Constants and i18n are
181    /// wired in lock-step — if SHUTDOWN_EXIT_CODE drifts away from 19,
182    /// this test fails.
183    #[test]
184    fn shutdown_exit_code_is_19() {
185        use crate::constants::SHUTDOWN_EXIT_CODE;
186        assert_eq!(SHUTDOWN_EXIT_CODE, 19);
187    }
188}