fix(fspy): use memfd for Linux shared memory#523
Conversation
This stack of pull requests is managed by Graphite. Learn more about stacking. |
24813bf to
ebc6e41
Compare
ebc6e41 to
eac0891
Compare
eac0891 to
82c057f
Compare
82c057f to
aaaf01b
Compare
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 308b887e8b
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
aaaf01b to
a64e9b8
Compare
a64e9b8 to
ae72983
Compare
ae72983 to
ac080f6
Compare
ac080f6 to
ca12e8b
Compare
ca12e8b to
4119fee
Compare
3f7527b to
a6a417e
Compare
4119fee to
d949311
Compare
0f5cacc to
cf3315b
Compare
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: a55127096e
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
cf3315b to
9e72876
Compare
Replace the Linux /dev/shm-backed adapter with a sealed memfd mapping. Each client connection receives the descriptor immediately from a broker task on the ambient Tokio runtime. Dropping the owner cancels the broker, while already-open mappings remain valid. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Co-authored-by: GPT-5 Codex <codex@openai.com>
Co-authored-by: GPT-5 Codex <codex@openai.com>
Co-authored-by: GPT-5 Codex <codex@openai.com>
Co-authored-by: GPT-5 Codex <codex@openai.com>
Co-authored-by: GPT-5 Codex <codex@openai.com>
Co-authored-by: GPT-5 Codex <codex@openai.com>
Co-authored-by: GPT-5 Codex <codex@openai.com>
Co-authored-by: GPT-5 Codex <codex@openai.com>
Co-authored-by: GPT-5 Codex <codex@openai.com>
Co-authored-by: GPT-5 Codex <codex@openai.com>
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: cc96f186e1
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| let address = SocketAddrUnix::new_abstract_name(id.as_bytes())?; | ||
| connect(&socket, &address)?; |
There was a problem hiding this comment.
Avoid namespace-scoped broker addresses
When a traced task execs a descendant after entering another network namespace (for example through unshare -n or a sandbox helper), Linux abstract AF_UNIX names are looked up in that new namespace, so this connect cannot reach the broker that was bound in the parent namespace. The preload constructor treats ChannelConf::sender() failures as ipc_sender: None and then drops all accesses from that process, which can leave cache inputs incomplete for those sandboxed subtrees; use a namespace-independent handoff such as an inherited broker fd or an accessible filesystem socket instead.
Useful? React with 👍 / 👎.
Bumps the `vite-task` git dependency from `cb580c2` to `4003f65`. ## Changes The delta is entirely internal `fspy` (file-access tracking) shared-memory work — no user-facing CLI flags, config fields, or behavior changes, so no docs updates were needed. - **fix(fspy):** use `memfd` for Linux shared memory — automatic file-access tracking on Linux now works in containers and Kubernetes runners with limited `/dev/shm` space ([#523](voidzero-dev/vite-task#523), [#353](voidzero-dev/vite-task#353)) - **perf(fspy):** use sparse Windows shared memory — Windows file-access tracking now uses sparse temporary backing files where supported, avoiding upfront allocation of the full backing file on disk ([#524](voidzero-dev/vite-task#524)) - **refactor(fspy):** own macOS shared-memory mapping ([#526](voidzero-dev/vite-task#526)) - **docs/test(fspy):** document shared-memory facade ownership semantics ([#521](voidzero-dev/vite-task#521)); reproduce constrained dev shm failure ([#522](voidzero-dev/vite-task#522)) The lockfile change reflects this refactor: `fspy` now pulls in `memfd` and drops `shared_memory`. ## Validation - `cargo check --workspace` passes — the new `vite-task` compiles cleanly, confirming no breaking changes on the consuming side (including `vite_cli_snapshots`, which compiles against vite-task's PTY/snapshot test crates). - vite-plus crate tests pass. (One pre-existing, environment-specific stack overflow in `vite_global_cli`'s `unknown_argument_detected_with_pass_as_value_hint` clap-parsing test reproduces identically on `main` and is unrelated to this bump.) - PTY snapshot output is unchanged by the bump; the remaining local snapshot diffs in this sandbox are all environmental (no built `packages/cli/dist`, plus registry TLS/network restrictions), left to CI, which builds the JS CLI and has registry access. ## Changelog Full vite-task CHANGELOG diff: ``https://github.com/voidzero-dev/vite-task/compare/cb580c214bb2314fc1f633a3812782c9b3a1d956...4003f65a3e5e3d957ff81b157e85e6ee41cc59fc#diff-06572a96a58dc510037d5efa622f9bec8519bc1beab13c9f251e97e657a9d4ed`` 🤖 Generated with [Claude Code](https://claude.com/claude-code) --- _Generated by [Claude Code](https://claude.ai/code/session_01YERo1yECf81w37US2Gqnow)_ Co-authored-by: Claude <noreply@anthropic.com>
) Release vite-plus v0.2.5: Cleaner environments and more reliable workflows. This release adds cleanup and package version commands, supports TypeScript 7 declaration generation, reduces the standalone binary size, and hardens task tracking, CLI output, package-manager routing, Docker workflows, and project scaffolding. ### Highlights - Add `vp env clean` to remove unused managed Node.js runtimes and package-manager caches ([#2003](#2003)), by @liangmiQwQ - Add `vp pm version`, forwarding native version commands to npm, pnpm, Yarn, and Bun ([#2127](#2127)), by @jong-kyung - Add TypeScript 7 support to declaration generation and generated library projects with tsdown `0.22.7` ([#2104](#2104), [#2168](#2168)), by @wan9chi - Improve automatic task input tracking for Bun on macOS, Linux containers with constrained `/dev/shm`, and Windows process images, reduce Windows backing-file allocation, and clarify task wait failures ([vite-task#515](voidzero-dev/vite-task#515), [vite-task#518](voidzero-dev/vite-task#518), [vite-task#523](voidzero-dev/vite-task#523), [vite-task#524](voidzero-dev/vite-task#524), [vite-task#542](voidzero-dev/vite-task#542), [#2126](#2126), [#2167](#2167)), by @wan9chi - Prevent CLI diagnostics from truncating or panicking when inherited standard output or error is nonblocking ([#2172](#2172), [#2173](#2173)), by @wan9chi ### Fixes & Enhancements - Reduce standalone `vp` binary sizes by about 5% on Linux and macOS and 19% on Windows ([#2043](#2043)), by @fengmk2 - Keep the Docker image non-root by default while allowing passwordless `sudo` for Playwright browser dependencies and system packages ([#2088](#2088)), by @fengmk2 - Ignore `.env` and `.env.*` in generated projects while keeping `.env.example` trackable ([#2095](#2095)), by @forehalo - Create `vp-use.cmd` after the Windows environment bin directory is ready and document its Command Prompt-only usage ([#2128](#2128)), by @liangmiQwQ - Render user-facing process statuses and paths without Rust debug wrappers ([#2130](#2130)), by @liangmiQwQ - Make `vp dedupe` fall back to `yarn install` with a warning on Yarn Classic ([#2139](#2139)), by @jong-kyung - Ensure package-manager child processes, including Bun, can always find the managed Node.js runtime ([#2158](#2158)), by @BlankParticle ### Docs - Update the release-manager post-release guidance ([#2096](#2096)), by @wan9chi - Add Windows to the Namespace sponsor credit ([#2108](#2108)), by @fengmk2 - Document installer and runtime environment variables, registry settings, TLS options, and precedence rules ([#2114](#2114)), by @yukinoshi - Mark shell examples in `CONTRIBUTING.md` as Bash code blocks ([#2159](#2159)), by @BlankParticle ### Chore - Assign prepared release PRs to the workflow actor ([#2094](#2094)), by @wan9chi - Complete the PTY snapshot migration and harden the runner, fixtures, release-version redaction, registry teardown, timeouts, and Linux parallelism ([#2071](#2071), [#2080](#2080), [#2084](#2084), [#2099](#2099), [#2102](#2102), [#2103](#2103), [#2107](#2107), [#2109](#2109), [#2115](#2115), [#2117](#2117), [#2118](#2118), [#2119](#2119), [#2120](#2120), [#2121](#2121), [#2131](#2131), [#2132](#2132), [#2134](#2134), [#2137](#2137), [#2138](#2138), [#2141](#2141), [#2143](#2143), [#2145](#2145), [#2182](#2182)), by @fengmk2 and @wan9chi - Expose Vite+ managed binaries consistently inside snapshot fixtures ([#2110](#2110)), by @liangmiQwQ - Exclude PTY snapshot configuration from Vitest discovery and remove the legacy snapshot infrastructure ([#2135](#2135), [#2146](#2146)), by @jong-kyung - Modernize Windows runners, registry bridge publishing, native size reporting, merge-base comparisons, and package-manager installation CI ([#2083](#2083), [#2100](#2100), [#2105](#2105), [#2106](#2106), [#2112](#2112), [#2133](#2133)), by @fengmk2 - Verify that created monorepo libraries emit declarations in CI ([#2171](#2171)), by @wan9chi ### Bundled Versions | Tool | Version | Source | | --------------- | ------- | ----------------------------------------------------------------------- | | vite | `8.1.4` | [`a477454`](vitejs/vite@a477454) | | rolldown | `1.1.5` | [`f09947a`](rolldown/rolldown@f09947a) | | tsdown | `0.22.7` | [npm](https://npmx.dev/package/tsdown/v/0.22.7) | | vitest | `4.1.10` | [npm](https://npmx.dev/package/vitest/v/4.1.10) | | oxlint | `1.73.0` | [npm](https://npmx.dev/package/oxlint/v/1.73.0) | | oxlint-tsgolint | `0.24.0` | [npm](https://npmx.dev/package/oxlint-tsgolint/v/0.24.0) | | oxfmt | `0.58.0` | [npm](https://npmx.dev/package/oxfmt/v/0.58.0) | ### Upgrade ```bash vp upgrade ``` ### New Contributors Welcome @yukinoshi and @BlankParticle. **Full Changelog**: v0.2.4...v0.2.5 --- Merging this PR will trigger the release workflow. --------- Co-authored-by: voidzero-guard[bot] <278573678+voidzero-guard[bot]@users.noreply.github.com> Co-authored-by: wan9chi <dk4rest@gmail.com>

Motivation
Stop Linux file-access tracking from consuming the container's
/dev/shmquota and crashing withSIGBUS.Changes
memfd./dev/shmfixture to succeed.Fixes #353