Bugfix: Fix copy cancellation on network mounts

vdavid · vdavid · commit 816e9e12bac2 · 2026-03-27T01:06:50.000+01:00
chunked_copy for everyone! (except APFS)

- `copyfile(3)` ignores `COPYFILE_QUIT` when source or dest is on a network mount, causing cancellation to take 30+ seconds or silently complete the full copy
- On macOS, now use `copyfile(3)` only for same-APFS-volume copies (the only case where clonefile works); use chunked copy for everything else
- Check cancellation after `copyfile` returns regardless of result code (safety net for when `copyfile` returns 0 despite `COPYFILE_QUIT`)
- Deduplicate cancellation log messages via `AtomicBool` (was logging ~1000 identical lines while buffers drained)
- On Linux, check both source and destination for network filesystem (was only checking dest)
- Delete macOS `is_network_filesystem` (replaced by `is_same_apfs_volume` in copy strategy)
- Evaluated `copyfile` on HFS+, exFAT, FAT32, NTFS-3G — no practical benefit over chunked copy on any of them

Entire-Checkpoint: 88f2e62bb2e6
diff --git a/apps/desktop/src-tauri/src/file_system/write_operations/CLAUDE.md b/apps/desktop/src-tauri/src/file_system/write_operations/CLAUDE.md
@@ -24,7 +24,7 @@ network mounts, cross-filesystem moves, and name/path length limits.
 | `copy_strategy.rs` | Strategy selection per file: network FS → chunked copy; overwrite → temp+rename; macOS → `copyfile(3)`; Linux → `copy_file_range(2)`. |
 | `macos_copy.rs` | FFI to macOS `copyfile(3)`. Preserves xattrs, ACLs, resource forks, Finder metadata. Supports APFS `clonefile`. |
 | `linux_copy.rs` | Linux `copy_file_range(2)` with reflink support on btrfs/XFS. 4 MB chunks, cancellation between iterations. |
-| `chunked_copy.rs` | 1 MB chunked read/write for network mounts. Checks cancellation between chunks. Copies xattrs, ACLs, timestamps. |
+| `chunked_copy.rs` | 1 MB chunked read/write — the default copy method for all non-APFS-clonefile copies on macOS and network copies on Linux. Checks cancellation between chunks. Copies xattrs, ACLs, timestamps. |
 | `volume_copy.rs`, `volume_conflict.rs`, `volume_strategy.rs` | Volume-to-volume copy (Local↔MTP abstraction). Publicly re-exported from `mod.rs` and at least partially wired up. |
 | `tests.rs`, `integration_test.rs` | Unit and integration tests. |
 
@@ -82,10 +82,10 @@ actual `copy_files_start` can consume the cache via `preview_id` in `WriteOperat
 `.cmdr-staging-<uuid>` dir at the destination root, then atomic `rename` into place, then source deletion.
 
 **Copy strategy selection** (`copy_strategy.rs`):
-- Destination is a network mount → `chunked_copy_with_metadata` (macOS `copyfile` ignores `COPYFILE_QUIT` on network mounts)
-- Needs safe overwrite → `safe_overwrite_file`
-- macOS → `copy_single_file_native` (macOS `copyfile(3)`, supports `COPYFILE_CLONE` for APFS instant copies)
-- Linux → `copy_single_file_linux` (Linux `copy_file_range(2)`, supports reflink on btrfs/XFS)
+- macOS, same APFS volume → `copyfile(3)` with `COPYFILE_CLONE` for instant clonefile
+- macOS, everything else → `chunked_copy_with_metadata` (1 MB chunks, cancellation between chunks)
+- Linux, network → `chunked_copy_with_metadata`
+- Linux, local → `copy_single_file_linux` (`copy_file_range(2)`, supports reflink on btrfs/XFS)
 - Other platforms → `std::fs::copy` fallback
 
 **Trash has no scan phase.** `trashItemAtURL` is atomic per top-level item (the OS moves the entire tree), so trash
@@ -125,6 +125,27 @@ operations when the frontend is destroyed.
 **Decision**: Keep `exacl` crate for ACL copy in chunked copies (not custom FFI bindings).
 **Why**: `exacl` adds zero new transitive dependencies (all of its deps — `bitflags`, `log`, `scopeguard`, `uuid` — are already in our tree). It provides cross-platform ACL support (macOS, Linux, FreeBSD) and full ACL parsing/manipulation for potential future UI features. The crate appears unmaintained (last release Feb 2024) but ACL APIs are stable and don't change. Our usage is best-effort with graceful fallback — if `exacl` ever breaks, files still copy, they just lose ACLs. MIT licensed (compatible with BSL).
 
+**Decision**: On macOS, use `copyfile(3)` only for same-APFS-volume copies; use chunked copy for everything else.
+**Why**: The only practical benefit of `copyfile(3)` is APFS clonefile (instant copy-on-write, zero extra disk usage),
+which only works on the same APFS volume. We evaluated `copyfile` on other filesystems:
+- **HFS+**: No clonefile. Marginal metadata edge (birthtime, file flags), but HFS+ is rare since Apple converted all
+  Macs to APFS in 2017.
+- **exFAT / FAT32**: No clonefile, no xattrs, no ACLs, no file flags — the metadata `copyfile` would preserve doesn't
+  exist on these filesystems. No practical benefit.
+- **NTFS-3G**: FUSE-based, so `copyfile` goes through userspace with the same I/O buffering issues as network mounts.
+  `COPYFILE_QUIT` is unreliable. No benefit.
+- **Network mounts (SMB, NFS, AFP, WebDAV)**: `copyfile` ignores `COPYFILE_QUIT` while draining buffered I/O, causing
+  cancellation to take 30+ seconds or complete the copy entirely. This applies when *either* the source or destination
+  is on a network mount (for example, NAS-to-local copies).
+- **USB / external drives**: Typically exFAT or HFS+ — no clonefile. Different volume from the internal drive, so no
+  same-volume benefits.
+
+Our chunked copy (1 MB read/write chunks) provides: identical speed for non-clonefile copies, reliable cancellation
+between chunks, and granular progress callbacks. It preserves xattrs (including resource forks), ACLs, timestamps, and
+permissions. The only metadata it doesn't preserve is birthtime (creation date) and file flags (`chflags`), which
+matter only on same-volume copies where we use `copyfile` anyway. Detection uses `st_dev` (device ID) for same-volume
+and `statfs.f_fstypename` for APFS. See `copy_strategy.rs` for the implementation.
+
 ## Dependencies
 
 - `crate::file_system::volume` — `Volume` trait, `SpaceInfo`, `ScanConflict` (used by `volume_copy`)
diff --git a/apps/desktop/src-tauri/src/file_system/write_operations/chunked_copy.rs b/apps/desktop/src-tauri/src/file_system/write_operations/chunked_copy.rs
@@ -30,57 +30,14 @@ const CHUNK_SIZE: usize = 1024 * 1024;
 ///
 /// Returns `true` for SMB, NFS, AFP, and WebDAV filesystems.
 /// Returns `false` for local filesystems (APFS, HFS+, etc.) or if detection fails.
-#[cfg(target_os = "macos")]
-pub fn is_network_filesystem(path: &Path) -> bool {
-    use std::ffi::CString;
-
-    // For non-existent paths, check the parent directory
-    let check_path = if path.exists() {
-        path.to_path_buf()
-    } else {
-        match path.parent() {
-            Some(p) if p.exists() => p.to_path_buf(),
-            _ => return false,
-        }
-    };
-
-    let c_path = match CString::new(check_path.to_string_lossy().as_bytes()) {
-        Ok(p) => p,
-        Err(_) => return false,
-    };
-
-    let mut stat: libc::statfs = unsafe { std::mem::zeroed() };
-    if unsafe { libc::statfs(c_path.as_ptr(), &mut stat) } != 0 {
-        return false;
-    }
-
-    // SAFETY: f_fstypename is a null-terminated C string
-    let fstype = unsafe { std::ffi::CStr::from_ptr(stat.f_fstypename.as_ptr()).to_string_lossy() };
-
-    let is_network = matches!(fstype.as_ref(), "smbfs" | "nfs" | "afpfs" | "webdav");
-
-    if is_network {
-        log::debug!(
-            "is_network_filesystem: {} is on network filesystem type '{}'",
-            path.display(),
-            fstype
-        );
-    }
-
-    is_network
-}
-
+///
+/// On macOS, copy strategy uses `is_same_apfs_volume` instead (see `copy_strategy.rs`).
+/// This function is only used on Linux.
 #[cfg(target_os = "linux")]
 pub fn is_network_filesystem(path: &Path) -> bool {
     crate::file_system::linux_mounts::is_network_filesystem_linux(path)
 }
 
-#[cfg(not(any(target_os = "macos", target_os = "linux")))]
-pub fn is_network_filesystem(_path: &Path) -> bool {
-    // On unsupported platforms, assume local filesystem
-    false
-}
-
 // ============================================================================
 // Chunked copy with metadata
 // ============================================================================
@@ -347,20 +304,6 @@ mod tests {
         let _ = fs::remove_dir_all(path);
     }
 
-    #[test]
-    fn test_is_network_filesystem_local() {
-        // Local paths should return false
-        assert!(!is_network_filesystem(Path::new("/")));
-        assert!(!is_network_filesystem(Path::new("/tmp")));
-        assert!(!is_network_filesystem(Path::new("/Users")));
-    }
-
-    #[test]
-    fn test_is_network_filesystem_nonexistent() {
-        // Non-existent paths should check parent
-        assert!(!is_network_filesystem(Path::new("/tmp/nonexistent_file_12345")));
-    }
-
     #[test]
     fn test_chunked_copy_basic() {
         let temp_dir = create_temp_dir("basic");
diff --git a/apps/desktop/src-tauri/src/file_system/write_operations/copy_strategy.rs b/apps/desktop/src-tauri/src/file_system/write_operations/copy_strategy.rs
@@ -1,11 +1,22 @@
 //! Copy strategy selection for file operations.
 //!
-//! Encapsulates the decision of which copy method to use:
-//! - Network filesystems: chunked copy for responsive cancellation
-//! - Safe overwrite needed: temp file + rename pattern
-//! - macOS: native copyfile(3) with APFS clonefile support
-//! - Linux: copy_file_range(2) with reflink support on btrfs/XFS
-//! - Other platforms: std::fs::copy fallback
+//! The only reason to use platform-native copy APIs (`copyfile(3)`, `copy_file_range(2)`) is
+//! filesystem-level cloning (APFS clonefile, btrfs/XFS reflink) — instant, zero-cost copies
+//! that create a copy-on-write pointer instead of copying bytes. In all other cases, our chunked
+//! copy is equivalent in speed and strictly better for progress reporting and cancellation.
+//!
+//! Strategy (macOS):
+//! - Same APFS volume → `copyfile(3)` with `COPYFILE_CLONE` for instant clonefile
+//! - Everything else → chunked copy (1 MB chunks, cancellation between chunks)
+//!
+//! Strategy (Linux):
+//! - Local, non-network → `copy_file_range(2)` (kernel handles reflink on btrfs/XFS)
+//! - Network → chunked copy
+//!
+//! We evaluated `copyfile` on non-APFS filesystems (HFS+, exFAT, FAT32, NTFS-3G) and found no
+//! practical benefit: no clonefile support, and the metadata advantages (birthtime, file flags)
+//! either don't apply (exFAT/FAT32 don't store them) or aren't worth the cancellation tradeoff
+//! (NTFS-3G is FUSE-based and has the same buffering issues as network mounts). See CLAUDE.md.
 
 #[cfg(not(any(target_os = "macos", target_os = "linux")))]
 use std::fs;
@@ -18,20 +29,82 @@ use super::linux_copy::copy_single_file_linux;
 #[cfg(target_os = "macos")]
 use super::macos_copy::{CopyProgressContext, copy_single_file_native};
 
-use super::chunked_copy::{ChunkedCopyProgressFn, chunked_copy_with_metadata, is_network_filesystem};
+use super::chunked_copy::ChunkedCopyProgressFn;
+#[cfg(any(target_os = "macos", target_os = "linux"))]
+use super::chunked_copy::chunked_copy_with_metadata;
+#[cfg(target_os = "linux")]
+use super::chunked_copy::is_network_filesystem;
 use super::helpers::safe_overwrite_file;
 #[cfg(not(any(target_os = "macos", target_os = "linux")))]
 use super::types::IoResultExt;
 use super::types::WriteOperationError;
 
-/// Copies file contents using the appropriate strategy based on destination type.
+// ============================================================================
+// macOS: APFS clonefile detection
+// ============================================================================
+
+/// Returns true if source and dest are on the same APFS volume (clonefile is possible).
+///
+/// Checks two things:
+/// 1. Same volume via `st_dev` (device ID from `stat`) — same approach as `is_same_filesystem`
+/// 2. Filesystem type is APFS via `statfs.f_fstypename`
 ///
-/// Strategy selection:
-/// - Network filesystems: chunked copy for responsive cancellation
-/// - Safe overwrite needed: temp file + rename pattern to preserve original on failure
-/// - macOS: native copyfile(3) with APFS clonefile support
-/// - Linux: copy_file_range(2) with reflink support on btrfs/XFS
-/// - Other platforms: std::fs::copy fallback
+/// Handles non-existent destination paths by checking the parent directory.
+#[cfg(target_os = "macos")]
+fn is_same_apfs_volume(source: &Path, dest: &Path) -> bool {
+    use std::os::unix::fs::MetadataExt;
+
+    // Check same volume via device ID (works even when dest doesn't exist — we check parent)
+    let src_dev = match std::fs::metadata(source) {
+        Ok(m) => m.dev(),
+        Err(_) => return false,
+    };
+    let dest_check_path = if dest.exists() {
+        dest.to_path_buf()
+    } else {
+        match dest.parent() {
+            Some(p) if p.exists() => p.to_path_buf(),
+            _ => return false,
+        }
+    };
+    let dest_dev = match std::fs::metadata(&dest_check_path) {
+        Ok(m) => m.dev(),
+        Err(_) => return false,
+    };
+    if src_dev != dest_dev {
+        return false;
+    }
+
+    // Same volume — now check if it's APFS (only APFS supports clonefile)
+    is_apfs(source)
+}
+
+/// Returns true if the path is on an APFS volume.
+#[cfg(target_os = "macos")]
+fn is_apfs(path: &Path) -> bool {
+    use std::ffi::CString;
+
+    let c_path = match CString::new(path.to_string_lossy().as_bytes()) {
+        Ok(p) => p,
+        Err(_) => return false,
+    };
+    let mut stat: libc::statfs = unsafe { std::mem::zeroed() };
+    if unsafe { libc::statfs(c_path.as_ptr(), &mut stat) } != 0 {
+        return false;
+    }
+    let fstype = unsafe { std::ffi::CStr::from_ptr(stat.f_fstypename.as_ptr()).to_string_lossy() };
+    fstype == "apfs"
+}
+
+// ============================================================================
+// Strategy selection
+// ============================================================================
+
+/// Copies file contents using the best strategy for the source/destination combination.
+///
+/// On macOS, uses `copyfile(3)` only for same-APFS-volume copies (APFS clonefile — instant,
+/// zero-cost copy-on-write). All other cases use chunked copy for reliable cancellation and
+/// progress reporting.
 #[cfg(target_os = "macos")]
 pub(super) fn copy_file_with_strategy(
     source: &Path,
@@ -40,18 +113,25 @@ pub(super) fn copy_file_with_strategy(
     cancelled: &Arc<AtomicBool>,
     progress_callback: Option<ChunkedCopyProgressFn>,
 ) -> Result<u64, WriteOperationError> {
-    if is_network_filesystem(dest) {
+    if is_same_apfs_volume(source, dest) {
         log::debug!(
-            "copy_file_with_strategy: using chunked copy for network destination {}",
+            "copy_file_with_strategy: same APFS volume, using copyfile for clonefile (src={}, dest={})",
+            source.display(),
             dest.display()
         );
-        chunked_copy_with_metadata(source, dest, cancelled, progress_callback)
-    } else if needs_safe_overwrite {
         let context = CopyProgressContext::with_cancellation(Arc::clone(cancelled));
-        safe_overwrite_file(source, dest, Some(&context))
+        if needs_safe_overwrite {
+            safe_overwrite_file(source, dest, Some(&context))
+        } else {
+            copy_single_file_native(source, dest, false, Some(&context))
+        }
     } else {
-        let context = CopyProgressContext::with_cancellation(Arc::clone(cancelled));
-        copy_single_file_native(source, dest, false, Some(&context))
+        log::debug!(
+            "copy_file_with_strategy: different volumes or non-APFS, using chunked copy (src={}, dest={})",
+            source.display(),
+            dest.display()
+        );
+        chunked_copy_with_metadata(source, dest, cancelled, progress_callback)
     }
 }
 
@@ -63,9 +143,10 @@ pub(super) fn copy_file_with_strategy(
     cancelled: &Arc<AtomicBool>,
     progress_callback: Option<ChunkedCopyProgressFn>,
 ) -> Result<u64, WriteOperationError> {
-    if is_network_filesystem(dest) {
+    if is_network_filesystem(source) || is_network_filesystem(dest) {
         log::debug!(
-            "copy_file_with_strategy: using chunked copy for network destination {}",
+            "copy_file_with_strategy: using chunked copy for network path (src={}, dest={})",
+            source.display(),
             dest.display()
         );
         chunked_copy_with_metadata(source, dest, cancelled, progress_callback)
@@ -84,14 +165,8 @@ pub(super) fn copy_file_with_strategy(
     cancelled: &Arc<AtomicBool>,
     progress_callback: Option<ChunkedCopyProgressFn>,
 ) -> Result<u64, WriteOperationError> {
-    let _ = progress_callback; // Unused on this platform
-    if is_network_filesystem(dest) {
-        log::debug!(
-            "copy_file_with_strategy: using chunked copy for network destination {}",
-            dest.display()
-        );
-        chunked_copy_with_metadata(source, dest, cancelled, None)
-    } else if needs_safe_overwrite {
+    let _ = (cancelled, progress_callback); // Unused on this platform
+    if needs_safe_overwrite {
         safe_overwrite_file(source, dest)
     } else {
         fs::copy(source, dest).with_path(source)
diff --git a/apps/desktop/src-tauri/src/file_system/write_operations/macos_copy.rs b/apps/desktop/src-tauri/src/file_system/write_operations/macos_copy.rs
@@ -89,6 +89,8 @@ type CopyfileCallback = extern "C" fn(
 pub struct CopyProgressContext {
     /// Cancellation flag - checked during copy
     pub cancelled: Arc<AtomicBool>,
+    /// Whether we've already logged the cancellation (avoids log spam from repeated callbacks)
+    cancel_logged: AtomicBool,
     /// Callback to report progress (bytes_copied for current file)
     pub on_progress: Option<ProgressCallback>,
     /// Callback when starting a new file
@@ -101,6 +103,7 @@ impl Default for CopyProgressContext {
     fn default() -> Self {
         Self {
             cancelled: Arc::new(AtomicBool::new(false)),
+            cancel_logged: AtomicBool::new(false),
             on_progress: None,
             on_file_start: None,
             on_file_finish: None,
@@ -113,6 +116,7 @@ impl CopyProgressContext {
     pub fn with_cancellation(cancelled: Arc<AtomicBool>) -> Self {
         Self {
             cancelled,
+            cancel_logged: AtomicBool::new(false),
             on_progress: None,
             on_file_start: None,
             on_file_finish: None,
@@ -144,9 +148,12 @@ extern "C" fn copy_progress_callback(
     // SAFETY: ctx is a pointer to CopyProgressContext that we passed in
     let context = unsafe { &*(ctx as *const CopyProgressContext) };
 
-    // Check cancellation
+    // Check cancellation (log only once to avoid spam — macOS may call this hundreds of times
+    // after COPYFILE_QUIT while draining buffers)
     if context.cancelled.load(Ordering::Relaxed) {
-        log::info!("copyfile callback: cancellation detected, returning COPYFILE_QUIT");
+        if !context.cancel_logged.swap(true, Ordering::Relaxed) {
+            log::info!("copyfile callback: cancellation detected, returning COPYFILE_QUIT");
+        }
         return COPYFILE_QUIT;
     }
 
@@ -332,18 +339,21 @@ pub fn copy_file_native(
         copyfile_state_free(state);
     }
 
+    // Check cancellation regardless of result — macOS copyfile(3) can return 0 (success)
+    // even after the callback returned COPYFILE_QUIT, because it may continue draining
+    // buffered I/O (especially common when the source is on a network mount).
+    if let Some(ctx) = context
+        && ctx.cancelled.load(Ordering::Relaxed)
+    {
+        let _ = std::fs::remove_file(destination);
+        return Err(WriteOperationError::Cancelled {
+            message: "Operation cancelled by user".to_string(),
+        });
+    }
+
     if result == 0 {
         Ok(())
     } else {
-        // Check if cancelled
-        if let Some(ctx) = context
-            && ctx.cancelled.load(Ordering::Relaxed)
-        {
-            return Err(WriteOperationError::Cancelled {
-                message: "Operation cancelled by user".to_string(),
-            });
-        }
-
         // Get the actual error
         let err = std::io::Error::last_os_error();
         Err(map_io_error_with_path(err, source, destination))
