mirror of
https://github.com/electron/electron.git
synced 2026-05-02 03:00:22 -04:00
fix: trigger ShipIt Mach service after SMJobSubmit to unblock on-demand-only mode (#51191)

* fix: trigger ShipIt Mach service to unblock on-demand-only mode

  When a macOS system update is pending, launchd puts the user domain into on-demand-only mode, preventing ShipIt from starting. The MachServices endpoint in the job dictionary was registered but never connected to (a leftover from the XPC removal in 2013).

  Instead of removing MachServices, fire a lightweight XPC connection to the Mach port after SMJobSubmit. This satisfies launchd's on-demand trigger, starting ShipIt immediately while preserving KeepAlive retry behavior.

* fix: add ResetAtClose to ShipIt MachServices to prevent standing demand

  The XPC trigger message sent after SMJobSubmit sits in the Mach port's kernel queue unread. Without ResetAtClose, this creates standing demand that causes launchd to respawn ShipIt after a successful exit(0), defeating KeepAlive.SuccessfulExit = NO.

  Set ResetAtClose on the MachServices registration so launchd tears down and recreates the port when ShipIt exits, flushing the stale trigger.

* fix: drain Mach port before exit(0) instead of using ResetAtClose

  ResetAtClose blocks KeepAlive.SuccessfulExit retries in on-demand-only mode because it removes demand when the port resets. Instead, have ShipIt drain its own Mach service port (via bootstrap_check_in + mach_msg) before each exit(EXIT_SUCCESS). This clears the standing demand from the trigger message so launchd won't respawn after a successful exit, while leaving the message in place on failure exits so KeepAlive retries remain demand-backed.

  Tested in on-demand-only mode (pending macOS update):
  - exit(0) + drain: 1 run, no respawn ✓
  - exit(1) + no drain: continuous respawn every 2s ✓

* chore: update patch

* chore: harden ShipIt Mach trigger and simplify port drain

  Scope the XPC trigger to the unprivileged path and add a send barrier so the connection cannot be released before the message is on the wire.

  Reduce drainMachServicePort to bootstrap_check_in (process exit flushes the queue), dropping the mach_msg loop whose buffer/dealloc usage was incorrect, and remove the no-op drain from the posix_spawn'd launch helper.

  Patch filename regenerated to match the commit subject.

* fix: restore explicit mach_msg drain in drainMachServicePort

  bootstrap_check_in alone does not prevent respawn: launchd tracks outstanding demand independently of the receive right's lifetime, so the queued trigger message must be explicitly dequeued with mach_msg before exit(0). Verified empirically (check-in-only: 5 respawns in 10s; full drain: 1 run).

  Keep the correctness fixes from the previous commit (4K buffer, mach_msg_destroy on each receive, no mach_port_deallocate).

---------

Co-authored-by: trop[bot] <37223003+trop[bot]@users.noreply.github.com>
Co-authored-by: Keeley Hammond <vertedinde@electronjs.org>
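
The drain-before-exit(0) pattern the message describes (bootstrap_check_in, then a non-blocking mach_msg receive loop with a 4K buffer and mach_msg_destroy per message), as an added macOS-only sketch that is not the Electron or Squirrel.Mac source. The service label `com.example.ShipIt`, the function name `DrainMachServicePort` and the `updateSucceeded` flag are assumptions made for illustration.

```objective-c
// Added illustration, not project code. macOS only.
// Build: clang -framework Foundation drain.m -o drain
#import <Foundation/Foundation.h>
#include <mach/mach.h>
#include <servers/bootstrap.h>

// Hypothetical label: the real one is the MachServices key in the launchd job
// dictionary. Check-in only succeeds inside the job that owns that service.
static NSString *const kServiceName = @"com.example.ShipIt";

// Dequeue every message waiting on the job's Mach service port.
// Returns the number of messages removed, or -1 if check-in failed.
static int DrainMachServicePort(NSString *serviceName) {
    mach_port_t port = MACH_PORT_NULL;
    kern_return_t kr = bootstrap_check_in(bootstrap_port, serviceName.UTF8String, &port);
    if (kr != KERN_SUCCESS) {
        NSLog(@"bootstrap_check_in failed: %s", mach_error_string(kr));
        return -1;
    }

    // 4K receive buffer, reused for each message.
    union { mach_msg_header_t header; uint8_t bytes[4096]; } buf;
    int drained = 0;
    for (;;) {
        memset(&buf, 0, sizeof(buf));
        // Timeout 0 with MACH_RCV_TIMEOUT makes the receive non-blocking.
        mach_msg_return_t mr = mach_msg(&buf.header, MACH_RCV_MSG | MACH_RCV_TIMEOUT,
                                        0, (mach_msg_size_t)sizeof(buf), port,
                                        0, MACH_PORT_NULL);
        if (mr == MACH_RCV_TOO_LARGE) { drained++; continue; } // kernel already discarded it
        if (mr != MACH_MSG_SUCCESS) break;                     // MACH_RCV_TIMED_OUT: queue empty
        mach_msg_destroy(&buf.header); // release any rights or out-of-line memory carried
        drained++;
    }
    // The receive right is deliberately not deallocated here.
    return drained;
}

int main(void) {
    @autoreleasepool {
        BOOL updateSucceeded = YES; // stand-in for the real install result
        if (!updateSucceeded) return EXIT_FAILURE; // leave the trigger queued so retries stay demand-backed
        NSLog(@"drained %d message(s)", DrainMachServicePort(kServiceName));
        return EXIT_SUCCESS;
    }
}
```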