fix(resource-monitor): drop subtree when root identity is unverifiable (#543) #572
Merged
Extend the #516 root-PID-reuse guard in `build_observed_tree`. The #516 guard dropped a recycled root's subtree only when the live root process had a readable creation time that differed from the registered identity. It skipped the case where the live root is UNREADABLE (identity resolves to `None`, `creation_time` 0): the root itself got `kill_allowed = false`, but a readable foreign child hanging off it was still walked and marked `kill_allowed = true`, so a later kill could terminate the foreign child.

The guard now drops the whole subtree whenever the live root identity does not match the registered creation time, covering both the readable-mismatch (#516) and the unreadable (#543) cases:

```rust
resolved_identity.map(|id| id.creation_time_100ns) != Some(root.creation_time_100ns)
```

- Resolve the root identity before the placeholder push and run the guard on the raw `Option`, so the unreadable-root drop emits exactly one error (the existing "root pid N was not in process snapshot"), matching #516's clean single-error contract instead of also emitting "identity unavailable".
- The drop reuses the missing-root error and is re-evaluated every observe cycle, so a briefly-unreadable own root is re-adopted in full on the next clean read. No cleanup regression: the reap path stays gated by the #559 `observe_identity` confirm, which resets strikes for an alive-but-unverifiable root, and `kill_group` still kills already-accumulated descendants.
- Add unit test `unreadable_root_drops_subtree_and_protects_readable_child`: unreadable root + readable child -> child is never observed and never `kill_allowed`. Existing #516 guard tests stay green.

`cargo check` and `cargo clippy --all-targets` clean; full suite `cargo test --lib --bins --tests`: 1347 passed, 0 failed, 12 ignored.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Summary

Closes #543.

Extends the #516 root-PID-reuse guard in `build_observed_tree` (`src-tauri/src/resource_monitor/windows.rs`) so a registered root whose live identity is unverifiable (`creation_time == 0`) also drops its subtree — closing the narrow edge where an unreadable foreign parent (recycled root PID) with a readable child could let that foreign child become `kill_allowed = true`.

Change

- `None`/`creation_time == 0` (unreadable) case — previously only the readable-mismatch case was dropped.
- `unreadable_root_drops_subtree_and_protects_readable_child`; all four #516 guard tests stay green.

No own-cleanup regression

Our own briefly-unreadable root subtree stays killable: `kill_group` builds targets from the accumulated `observed_processes` (add-only), and the reap path stays gated by the #559 `observe_identity` confirm (alive-but-unopenable root → `Err` → reap aborts; only genuinely-gone or recycled roots are reaped).

Testing

- `cargo test --lib --bins --tests` → 1347 passed / 0 failed; clippy clean; `/code-review` (high) → 1 candidate refuted, 0 HIGH.
- agents `commander_standalone_wg-1.exe` to `0_AC.0_AC` exe (lifecycle regression check) and approved landing.
- Single-file backend change in `resource_monitor/windows.rs`; no schema / IPC / type / dependency changes.
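The guard described in the commit message and summary above, as an added example that is not the project's code: a minimal Rust model of `build_observed_tree` that can run either the #516-only guard or the #543 guard over a constructed snapshot in which the registered root pid was recycled by an unreadable process with a readable child. The type names, the snapshot values and the `fixed_guard` switch are assumptions made for this illustration.

```rust
// Added example, not the project's code: a minimal model of the #516/#543 root-PID-reuse
// guard. All type names and the snapshot values below are constructed for illustration.
/// Snapshot row; creation_time_100ns == 0 models an alive process whose identity is unreadable.
#[derive(Clone, Copy, Debug)]
pub struct LiveProcess { pub pid: u32, pub parent_pid: u32, pub creation_time_100ns: u64 }
/// Identity recorded when the root was registered.
pub struct RegisteredRoot { pub pid: u32, pub creation_time_100ns: u64 }
#[derive(Clone, Debug, PartialEq)]
pub struct Observed { pub pid: u32, pub kill_allowed: bool }
/// Live identity of `pid`: None when the pid is absent from the snapshot or unreadable.
fn resolve_identity(snap: &[LiveProcess], pid: u32) -> Option<LiveProcess> {
    snap.iter().find(|p| p.pid == pid).copied().filter(|p| p.creation_time_100ns != 0)
}

/// Observed tree for `root`. `fixed_guard = true` is the #543 guard; `false` is #516-only.
pub fn build_observed_tree(root: &RegisteredRoot, snap: &[LiveProcess], fixed_guard: bool)
    -> (Vec<Observed>, Vec<String>) {
    // Resolve before the placeholder push so the guard sees the raw Option.
    let live_ct = resolve_identity(snap, root.pid).map(|id| id.creation_time_100ns);
    let drop_subtree = if fixed_guard {
        live_ct != Some(root.creation_time_100ns) // #543: any mismatch, readable or not
    } else {
        matches!(live_ct, Some(ct) if ct != root.creation_time_100ns) // #516: readable mismatch only
    };
    if drop_subtree {
        // Exactly one error, reusing the existing missing-root message.
        return (Vec::new(), vec![format!("root pid {} was not in process snapshot", root.pid)]);
    }
    let mut errors = Vec::new(); // pre-#543 an unreadable root fell through and added a second error
    if live_ct.is_none() { errors.push(format!("identity unavailable for root pid {}", root.pid)); }
    // Root placeholder (killable only if readable), then walk descendants by parent pid.
    let mut observed = vec![Observed { pid: root.pid, kill_allowed: live_ct.is_some() }];
    let mut frontier = vec![root.pid];
    while let Some(parent) = frontier.pop() {
        for p in snap.iter().filter(|p| p.parent_pid == parent) {
            observed.push(Observed { pid: p.pid, kill_allowed: p.creation_time_100ns != 0 });
            frontier.push(p.pid);
        }
    }
    (observed, errors)
}

/// Constructed #543 scenario: root pid recycled by an unopenable process with a readable foreign child.
pub fn recycled_unreadable_root() -> (RegisteredRoot, Vec<LiveProcess>) {
    let root = RegisteredRoot { pid: 4242, creation_time_100ns: 111 };
    let snap = vec![
        LiveProcess { pid: 4242, parent_pid: 1, creation_time_100ns: 0 },
        LiveProcess { pid: 4300, parent_pid: 4242, creation_time_100ns: 555 },
    ];
    (root, snap)
}
```

Running the same snapshot through both modes shows the #516-only guard walking and marking the foreign child killable, while the #543 guard drops the subtree with a single error.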