Merge remote-tracking branch 'detsys/main' into sync-2.34

Author: edolstra

.version-determinate

@@ -1 +1 @@
-3.18.0
+3.18.1

doc/manual/source/SUMMARY.md.in

@@ -148,6 +148,7 @@
   - [Contributing](development/contributing.md)
 - [Determinate Nix Release Notes](release-notes-determinate/index.md)
   - [Changes between Nix and Determinate Nix](release-notes-determinate/changes.md)<!-- next -->
+  - [Release 3.18.1 (2026-04-23)](release-notes-determinate/v3.18.1.md)
   - [Release 3.18.0 (2026-04-20)](release-notes-determinate/v3.18.0.md)
   - [Release 3.17.3 (2026-04-07)](release-notes-determinate/v3.17.3.md)
   - [Release 3.17.2 (2026-03-27)](release-notes-determinate/v3.17.2.md)

doc/manual/source/release-notes-determinate/changes.md

@@ -1,6 +1,6 @@
 # Changes between Nix and Determinate Nix
 
-This section lists the differences between upstream Nix 2.33 and Determinate Nix 3.18.0.<!-- differences -->
+This section lists the differences between upstream Nix 2.33 and Determinate Nix 3.18.1.<!-- differences -->
 
 * In Determinate Nix, flakes are stable. You no longer need to enable the `flakes` experimental feature.
 
@@ -183,3 +183,6 @@ This section lists the differences between upstream Nix 2.33 and Determinate Nix
 * Determinate Nix can upload crash info to Sentry. [DeterminateSystems/nix-src#418](https://github.com/DeterminateSystems/nix-src/pull/418)
 
 * Determinate Nix provides the pre-build hook with a JSON serialization of the derivation. [DeterminateSystems/nix-src#424](https://github.com/DeterminateSystems/nix-src/pull/424)
+
+<!-- Determinate Nix version 3.18.1 -->
+

doc/manual/source/release-notes-determinate/v3.18.1.md

@@ -0,0 +1,23 @@
+# Release 3.18.1 (2026-04-23)
+
+* Based on [upstream Nix 2.33.4](../release-notes/rl-2.33.md).
+
+## What's Changed
+
+### Sentry integration improvements
+
+This release includes fixes for a couple of issues with the Sentry integration:
+
+* Ensures the chroot helper starts before the Sentry thread, allowing chroot stores to work again
+* Resets Mach exception ports on macOS, so that exec'd programs do not communicate with Determinate Nix's `crashpad_handler`
+
+Additionally, Determinate Nix now includes the Nix command and subcommand to Sentry reports to make it easier to discern where an issue happened.
+Not that this does _not_ include any command-line arguments other than the command (such as `nix-daemon` and `nix`) and subcommand (such as `flake show`).
+
+PRs:
+* [DeterminateSystems/nix-src#433](https://github.com/DeterminateSystems/nix-src/pull/433)
+* [DeterminateSystems/nix-src#432](https://github.com/DeterminateSystems/nix-src/pull/432)
+* [DeterminateSystems/nix-src#436](https://github.com/DeterminateSystems/nix-src/pull/436)
+
+
+**Full Changelog**: [v3.18.0...v3.18.1](https://github.com/DeterminateSystems/nix-src/compare/v3.18.0...v3.18.1)

maintainers/upload-debug-info-to-sentry.py

@@ -1,5 +1,5 @@
 #!/usr/bin/env nix
-#!nix shell --inputs-from . nixpkgs#sentry-cli --command python3
+#!nix shell --inputs-from . nixpkgs#sentry-cli nixpkgs#python3 nixpkgs#binutils --command python3
 
 import argparse
 import json
@@ -130,7 +130,8 @@ def main():
         for lib in libs:
             build_id = get_build_id(lib)
             if build_id is None:
-                print(f"  {lib} (no build ID)", file=sys.stderr)
+                print(f"  {lib} (no build ID, uploading binary)", file=sys.stderr)
+                debug_files.append(lib)
                 continue
 
             local = find_debug_file_in_dirs(build_id, args.debug_dir)
@@ -141,7 +142,8 @@ def main():
 
             debuginfo = fetch_debuginfo(build_id)
             if debuginfo is None:
-                print(f"  {lib} ({build_id}, no debug info in cache)", file=sys.stderr)
+                print(f"  {lib} ({build_id}): no separate debug info, uploading binary", file=sys.stderr)
+                debug_files.append(lib)
                 continue
             print(f"  {lib} ({build_id}): member={debuginfo['member']}", file=sys.stderr)
             nar_path = download_nar(build_id, debuginfo["archive"])

packaging/sentry-native.nix

@@ -49,4 +49,6 @@ stdenv.mkDerivation rec {
     "out"
     "dev"
   ];
+
+  separateDebugInfo = true;
 }

src/libutil/current-process.cc

@@ -12,6 +12,7 @@
 
 #ifdef __APPLE__
 #  include <mach-o/dyld.h>
+#  include <mach/mach.h>
 #endif
 
 #ifdef __linux__
@@ -116,6 +117,15 @@ void restoreProcessContext(bool restoreMounts)
         }
     }
 #endif
+
+#ifdef __APPLE__
+    /* Reset the Mach exception ports. Otherwise, if a crashpad_handler is attached to this process, it will be
+       inherited across execve() and receive spurious crash reports from unrelated programs (e.g. in `nix run`).
+       FIXME: it would be better to have Sentry tell crashpad_handler to quit, but it doesn't appear to have an API for
+       that. */
+    task_set_exception_ports(
+        mach_task_self(), EXC_MASK_ALL | EXC_MASK_CRASH, MACH_PORT_NULL, EXCEPTION_DEFAULT, THREAD_STATE_NONE);
+#endif
 }
 
 //////////////////////////////////////////////////////////////////////

src/nix/main.cc

@@ -387,6 +387,15 @@ void mainWrapped(int argc, char ** argv)
 {
     savedArgv = argv;
 
+    /* The chroot helper needs to be run before any threads have been
+       started (including Sentry's worker thread). */
+#ifndef _WIN32
+    if (argc > 0 && argv[0] == chrootHelperName) {
+        chrootHelper(argc, argv);
+        return;
+    }
+#endif
+
     bool sentryEnabled = false;
 
 #if HAVE_SENTRY
@@ -411,6 +420,7 @@ void mainWrapped(int argc, char ** argv)
         sentry_options_set_auto_session_tracking(options, false);
         sentry_options_set_handler_path(options, CRASHPAD_HANDLER_PATH);
         sentry_init(options);
+        sentry_set_tag("nix_command", argc > 0 ? std::string(baseNameOf(argv[0])).c_str() : "");
         sentryEnabled = true;
     }
 
@@ -423,15 +433,6 @@ void mainWrapped(int argc, char ** argv)
     if (!sentryEnabled)
         registerCrashHandler();
 
-    /* The chroot helper needs to be run before any threads have been
-       started. */
-#ifndef _WIN32
-    if (argc > 0 && argv[0] == chrootHelperName) {
-        chrootHelper(argc, argv);
-        return;
-    }
-#endif
-
     /* Set the build hook location
 
        For builds we perform a self-invocation, so Nix has to be
@@ -581,16 +582,17 @@ void mainWrapped(int argc, char ** argv)
 
     printTalkative("Nix %s", version());
 
+    std::vector<std::string> subcommand;
+    MultiCommand * command = &args;
+    while (command) {
+        if (command && command->command) {
+            subcommand.push_back(command->command->first);
+            command = dynamic_cast<MultiCommand *>(&*command->command->second);
+        } else
+            break;
+    }
+
     if (args.helpRequested) {
-        std::vector<std::string> subcommand;
-        MultiCommand * command = &args;
-        while (command) {
-            if (command && command->command) {
-                subcommand.push_back(command->command->first);
-                command = dynamic_cast<MultiCommand *>(&*command->command->second);
-            } else
-                break;
-        }
         showHelp(subcommand, args);
         return;
     }
@@ -627,6 +629,11 @@ void mainWrapped(int argc, char ** argv)
         evalSettings.pureEval = false;
     }
 
+#if HAVE_SENTRY
+    if (sentryEnabled)
+        sentry_set_tag("nix_subcommand", concatStringsSep(" ", subcommand).c_str());
+#endif
+
     try {
         args.command->second->run();
     } catch (eval_cache::CachedEvalError & e) {

tests/functional/sentry.sh

@@ -15,15 +15,36 @@ if ! [[ -d $sentryDir ]]; then
     skipTest "not built with sentry support"
 fi
 
+waitForCrashDump() {
+    local i
+    for ((i = 0; i < 10; i++)); do
+        envelopes=("$sentryDir"/pending/*.dmp)
+        if [[ -e "${envelopes[0]}" ]]; then
+            return 0
+        fi
+        sleep 0.1
+    done
+    return 1
+}
+
 for type in segfault assert logic-error; do
     if [[ $type = logic-error && $(uname) = Darwin ]]; then continue; fi
 
     rm -rf "$sentryDir"
 
     (! nix __crash "$type")
 
-    envelopes=("$sentryDir"/pending/*.dmp)
-    if [[ ! -e "${envelopes[0]}" ]]; then
+    if ! waitForCrashDump; then
         fail "No crash dump found in $sentryDir after crash"
     fi
 done
+
+rm -rf "$sentryDir"
+
+if nix shell --file ./simple.nix --command bash -c 'kill -SEGV $$'; then
+    fail "Command did not segfault"
+fi
+
+if waitForCrashDump; then
+    fail "Unexpected crash dump"
+fi

tests/functional/shell.sh

@@ -65,6 +65,7 @@ path=$(nix eval --raw -f shell-hello.nix hello)
 
 # Note: we need the sandbox paths to ensure that the shell is
 # visible in the sandbox.
+export NIX_SENTRY_ENDPOINT=file://$TEST_ROOT/sentry-endpoint # test whether Sentry is disabled in the chroot helper
 nix shell --sandbox-build-dir /build-tmp \
     --sandbox-paths '/nix? /bin? /lib? /lib64? /usr?' \
     --store "$TEST_ROOT/store0" -f shell-hello.nix hello -c hello | grep 'Hello World'