Parent: #3605 · Deferred from PR #3793 (Windows-only landed there) · Sibling: #3900 (Windows scoped-safe reap hardening).
PR #3793 fixes the wedged-stale-process-blocks-update bug (#3605) on Windows only. The cross-platform pieces were intentionally deferred because they are unsafe without additional guards. This issue tracks that deferred work. (#3900 separately tracks hardening the Windows reap; the two Windows/other-platform tracks are complementary.)
Part 1 — macOS/Linux pre-CEF single-instance guard + staleness signal
On Windows, a Win32 named mutex early in run() forces any concurrent peer to exit(0) before the reap, so a survivor is genuinely a wedged prior instance. macOS and Linux have no equivalent pre-CEF guard at that point:
- The mutex at
app/src-tauri/src/lib.rs is #[cfg(windows)].
tauri_plugin_single_instance registers later (in the builder, after CEF init).
So a process holding the CEF SingletonLock past the cache-wait budget may be a healthy running primary (a live app holds its lock for its whole lifetime), not a wedged one. Reaping it there could SIGKILL a healthy instance and lose user data — this is exactly why the earlier macOS SIGKILL escalation in #3793 was reverted (flagged by @oxoxDev + Codex P1).
Required before any macOS/Linux reap:
- Add a macOS/Linux pre-CEF single-instance guard (mirroring the Windows mutex) so a survivor past that point is provably not the sole legit instance; or
- Gate the reap behind a real staleness signal (holder's binary path differs from the running bundle / post-update marker; no top-level window or RPC responds) rather than "lock held N seconds".
- Re-validate the pid still owns the lock immediately before any kill (close the PID-reuse window; honor
kill_pid_force's contract).
Part 2 — NSIS/MSI installer pre-install process kill (#3605 suggested-fix #1)
Complementary to the runtime reap: the installer/updater should cleanly terminate all openhuman-related processes before replacing the binary, so a stale process from the prior version can't survive the update in the first place. Applies to the NSIS (and MSI) installer flows.
Acceptance
- macOS/Linux: a wedged stale process no longer blocks the updated app from starting, without risk of killing a healthy running instance.
- Installer: update flow terminates prior-version processes pre-install.
- Verify on real macOS, Linux, and Windows(installer) hosts — the runtime paths are
#[cfg(...)]-gated and can't be exercised cross-platform.
Related
Parent: #3605 · Deferred from PR #3793 (Windows-only landed there) · Sibling: #3900 (Windows scoped-safe reap hardening).
PR #3793 fixes the wedged-stale-process-blocks-update bug (#3605) on Windows only. The cross-platform pieces were intentionally deferred because they are unsafe without additional guards. This issue tracks that deferred work. (#3900 separately tracks hardening the Windows reap; the two Windows/other-platform tracks are complementary.)
Part 1 — macOS/Linux pre-CEF single-instance guard + staleness signal
On Windows, a Win32 named mutex early in
run()forces any concurrent peer toexit(0)before the reap, so a survivor is genuinely a wedged prior instance. macOS and Linux have no equivalent pre-CEF guard at that point:app/src-tauri/src/lib.rsis#[cfg(windows)].tauri_plugin_single_instanceregisters later (in the builder, after CEF init).So a process holding the CEF
SingletonLockpast the cache-wait budget may be a healthy running primary (a live app holds its lock for its whole lifetime), not a wedged one. Reaping it there could SIGKILL a healthy instance and lose user data — this is exactly why the earlier macOS SIGKILL escalation in #3793 was reverted (flagged by @oxoxDev + Codex P1).Required before any macOS/Linux reap:
kill_pid_force's contract).Part 2 — NSIS/MSI installer pre-install process kill (#3605 suggested-fix #1)
Complementary to the runtime reap: the installer/updater should cleanly terminate all
openhuman-related processes before replacing the binary, so a stale process from the prior version can't survive the update in the first place. Applies to the NSIS (and MSI) installer flows.Acceptance
#[cfg(...)]-gated and can't be exercised cross-platform.Related