Skip to content

macOS/Linux pre-CEF single-instance guard + reap, and installer pre-install process kill (follow-up to #3605) #4395

Description

@M3gA-Mind

Parent: #3605 · Deferred from PR #3793 (Windows-only landed there) · Sibling: #3900 (Windows scoped-safe reap hardening).

PR #3793 fixes the wedged-stale-process-blocks-update bug (#3605) on Windows only. The cross-platform pieces were intentionally deferred because they are unsafe without additional guards. This issue tracks that deferred work. (#3900 separately tracks hardening the Windows reap; the two Windows/other-platform tracks are complementary.)

Part 1 — macOS/Linux pre-CEF single-instance guard + staleness signal

On Windows, a Win32 named mutex early in run() forces any concurrent peer to exit(0) before the reap, so a survivor is genuinely a wedged prior instance. macOS and Linux have no equivalent pre-CEF guard at that point:

  • The mutex at app/src-tauri/src/lib.rs is #[cfg(windows)].
  • tauri_plugin_single_instance registers later (in the builder, after CEF init).

So a process holding the CEF SingletonLock past the cache-wait budget may be a healthy running primary (a live app holds its lock for its whole lifetime), not a wedged one. Reaping it there could SIGKILL a healthy instance and lose user data — this is exactly why the earlier macOS SIGKILL escalation in #3793 was reverted (flagged by @oxoxDev + Codex P1).

Required before any macOS/Linux reap:

  • Add a macOS/Linux pre-CEF single-instance guard (mirroring the Windows mutex) so a survivor past that point is provably not the sole legit instance; or
  • Gate the reap behind a real staleness signal (holder's binary path differs from the running bundle / post-update marker; no top-level window or RPC responds) rather than "lock held N seconds".
  • Re-validate the pid still owns the lock immediately before any kill (close the PID-reuse window; honor kill_pid_force's contract).

Part 2 — NSIS/MSI installer pre-install process kill (#3605 suggested-fix #1)

Complementary to the runtime reap: the installer/updater should cleanly terminate all openhuman-related processes before replacing the binary, so a stale process from the prior version can't survive the update in the first place. Applies to the NSIS (and MSI) installer flows.

Acceptance

  • macOS/Linux: a wedged stale process no longer blocks the updated app from starting, without risk of killing a healthy running instance.
  • Installer: update flow terminates prior-version processes pre-install.
  • Verify on real macOS, Linux, and Windows(installer) hosts — the runtime paths are #[cfg(...)]-gated and can't be exercised cross-platform.

Related

Metadata

Metadata

Assignees

Labels

No labels
No labels

Type

No type

Fields

No fields configured for issues without a type.

Projects

Status
In progress

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions