Add a failsafe to kill tor if the new exit code doesn't work.

It _should_ work, and I don't see a reason that it wouldn't, but just in case, add a 10 second timer to make tor die with an assertion failure if it's supposed to exit but it doesn't.

Add a failsafe to kill tor if the new exit code doesn't work.
c82cc8ac · Nick Mathewson · f0c3b623 · c82cc8ac
Commit c82cc8ac authored 7 years ago by Nick Mathewson
--- a/src/or/main.c
+++ b/src/or/main.c
@@ -656,6 +656,22 @@ tell_event_loop_to_run_external_code(void)
  }
 }

+/** Failsafe measure that should never actually be necessary: If
+ * tor_shutdown_event_loop_and_exit() somehow doesn't successfully exit the
+ * event loop, then this callback will kill Tor with an assertion failure
+ * seconds later
+ */
+static void
+shutdown_did_not_work_callback(evutil_socket_t fd, short event, void *arg)
+{
+  // LCOV_EXCL_START
+  (void) fd;
+  (void) event;
+  (void) arg;
+  tor_assert_unreached();
+  // LCOV_EXCL_STOP
+}
+
 /**
 * After finishing the current callback (if any), shut down the main loop,
 * clean up the process, and exit with <b>exitcode</b>.
@@ -669,6 +685,13 @@ tor_shutdown_event_loop_and_exit(int exitcode)
  main_loop_should_exit = 1;
  main_loop_exit_value = exitcode;

+  /* Die with an assertion failure in ten seconds, if for some reason we don't
+   * exit normally. */
+  struct timeval ten_seconds = { 10, 0 };
+  event_base_once(tor_libevent_get_base(), -1, EV_TIMEOUT,
+                  shutdown_did_not_work_callback, NULL,
+                  &ten_seconds);
+
  /* Unlike loopexit, loopbreak prevents other callbacks from running. */
  tor_event_base_loopbreak(tor_libevent_get_base());
 }