fix: three robustness bugs outside the friends list

Found in a wider bug audit of the streaming/process-management code. - Viewer ctrl-c/SIGINT was ignored mid-stream: viewer::run raced the cancel token only against listener.accept(), not the bridge itself, so once the local player connected nothing checked it. CLI needed a second ctrl-c to quit and a GUI "Disconnect" only took effect via the child's 2s SIGKILL backstop (and the host saw the viewer ~2s longer). Now races the bridge against cancel, mirroring the host's handle_peer. (viewer/mod.rs) - Wayland portal pipewire fd leaked on a capture-setup error: wayland::start into_raw_fd'd the fd and relied on pipeline::spawn's after_spawn hook to close it, but setup_audio/gst-spawn can ?-return before the hook runs, leaking the fd per failed attempt. Now the OwnedFd is moved into the hook, so it's closed whether the hook runs or (on early error) the unused closure is dropped. (host/wayland.rs) - Detached players (mpv/vlc) zombied under the long-lived GUI: spawn_detached dropped the std Child, which has no orphan reaping, so each closed player left a <defunct> entry until the GUI exited. Now a detached thread wait()s it; the setsid'd player still survives a parent exit (init reaps it then). A double-fork was avoided deliberately — fork(2) + non-trivial work in this multithreaded process is unsound. (common/process.rs) 47 gui / 8 headless tests pass, clippy + fmt clean. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-05-31 15:27:07 -04:00
parent 6d0bf99076
commit cfc480044f
3 changed files with 39 additions and 13 deletions
@@ -6,10 +6,19 @@ use std::process::{Command, Stdio};
 ///
 /// The child gets its own session via `setsid(2)` and null stdio, so it
 /// survives the parent exiting and doesn't take a SIGKILL cascade when
-/// pixelpass dies. The `Child` is dropped immediately — `std::process::Child::drop`
-/// does not kill the process on Unix.
+/// pixelpass dies.
+///
+/// A detached reaper thread `wait()`s the child so it doesn't linger as a
+/// `<defunct>` zombie under a long-lived parent — the `--gui` front-end launches
+/// players itself and lives for the whole session, and `std::process::Child`
+/// (unlike tokio's) has no orphan reaping, so simply dropping the handle would
+/// leak a zombie per closed player. If the parent exits while the player is
+/// still up, the reaper thread dies with it but the `setsid`'d player survives
+/// and is reaped by init. (A double-fork would also avoid the zombie, but
+/// `fork(2)` followed by non-trivial work in this multithreaded process is
+/// unsound — the reaper thread is the safe equivalent.)
 pub fn spawn_detached(prog: &str, args: &[&str]) -> io::Result<()> {
-    unsafe {
+    let child = unsafe {
        Command::new(prog)
            .args(args)
            .stdin(Stdio::null())
@@ -19,7 +28,11 @@ pub fn spawn_detached(prog: &str, args: &[&str]) -> io::Result<()> {
                nix::unistd::setsid().ok();
                Ok(())
            })
-            .spawn()?;
-    }
+            .spawn()?
+    };
+    std::thread::spawn(move || {
+        let mut child = child;
+        let _ = child.wait();
+    });
    Ok(())
 }