fix(worldline): attribute each write's "before" correctly across replace and fd reuse

wan9chi · claude · wan9chi · commit 0dc1576dfc7a · 2026-06-02T01:44:39.000+08:00
Hardening from an audit of the capture pipeline, fixing four ways a write's
`before` content could be wrong:

- Rename-over and delete-and-recreate (the write-tmp-then-rename pattern is
  ubiquitous in build tools) resurrected the replaced file's stale content. The
  file's on-disk identity (inode+device, or volume+index on Windows) is now
  tracked, so an empty truncating-open read keeps the prior content only when
  it's the *same* file; a replaced path is treated as fresh (empty `before`).
- Under the seccomp backend (raw_fd == -1) every open of a path shared one slot,
  so a second overlapping write lost its `before`. Pending opens are now a LIFO
  stack per correlation key.
- A descriptor reused for another file (e.g. via dup2, which closes the old
  target without a close callback) could mispair a close with a leaked open of a
  different file. The close now validates the open's path and falls back to the
  file's prior content on a mismatch.

The in-place truncating-rewrite fix (keeping the prior content as `before`) is
preserved. Adds store-level regression tests for each case.

Co-Authored-By: Claude Opus 4.8 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.gitignore b/.gitignore
@@ -8,6 +8,7 @@ dist
 # be embedded in the binary without a Node step in CI.
 !crates/worldline/ui/dist/
 .claude/settings.local.json
+.claude/scheduled_tasks.lock
 *.tsbuildinfo
 .DS_Store
 /.vscode/settings.json
diff --git a/crates/worldline/src/capture/mod.rs b/crates/worldline/src/capture/mod.rs
@@ -6,7 +6,7 @@ mod store;
 use std::sync::Arc;
 
 use fspy::{AccessMode, FileEvent, FileEventKind};
-pub use store::{CapturedData, OpId, Snapshotter, Write, rebuild_frontier};
+pub use store::{CapturedData, FileId, OpId, Snapshotter, Write, rebuild_frontier};
 use vite_path::AbsolutePath;
 
 use crate::ignore::IgnoreSet;
@@ -23,9 +23,10 @@ use crate::ignore::IgnoreSet;
 /// which is write-only for a write open and therefore unreadable. We instead
 /// read the file's content by path: the supervisor process opens it `O_RDONLY`
 /// itself. The traced process is blocked in the open/close hook while we do
-/// this, so the content is a consistent point-in-time read. (For a truncating
-/// open the pre-write content reads as empty — the file's observable state at
-/// that instant.)
+/// this, so the content is a consistent point-in-time read. A truncating open
+/// reads as empty here (it already ran); the store recovers the pre-write
+/// content from the last recorded write, using the file's identity to avoid
+/// resurrecting stale content after a replacement (see [`Snapshotter`]).
 pub fn install_callback(cmd: &mut fspy::Command, snap: Snapshotter, ignore: Arc<IgnoreSet>) {
     cmd.on_file_event(AccessMode::WRITE, move |event: FileEvent<'_>| {
         let Some(path) = event.path.get() else {
@@ -52,10 +53,28 @@ pub fn install_callback(cmd: &mut fspy::Command, snap: Snapshotter, ignore: Arc<
         let Ok(content) = std::fs::read(&canonical) else {
             return;
         };
+        // The file's on-disk identity, to tell an in-place rewrite from a
+        // replacement of the same path (rename-over / delete-and-recreate);
+        // `None` if it can't be determined.
+        #[cfg(unix)]
+        let identity = std::fs::metadata(&canonical).ok().map(|meta| {
+            use std::os::unix::fs::MetadataExt as _;
+            FileId::new(meta.dev(), meta.ino())
+        });
+        #[cfg(windows)]
+        let identity = std::fs::metadata(&canonical).ok().and_then(|meta| {
+            use std::os::windows::fs::MetadataExt as _;
+            // `volume_serial_number`/`file_index` are populated for handle-backed
+            // metadata (which `fs::metadata` uses); fall back to `None` otherwise.
+            match (meta.volume_serial_number(), meta.file_index()) {
+                (Some(vol), Some(idx)) => Some(FileId::new(u64::from(vol), idx)),
+                _ => None,
+            }
+        });
         let (pid, fd) = (event.pid, event.raw_fd);
         match event.kind {
-            FileEventKind::Opened => snap.record_open(pid, fd, path_str, &content),
-            FileEventKind::Closing => snap.record_close(pid, fd, path_str, &content),
+            FileEventKind::Opened => snap.record_open(pid, fd, path_str, &content, identity),
+            FileEventKind::Closing => snap.record_close(pid, fd, path_str, &content, identity),
         }
     });
 }
diff --git a/crates/worldline/src/capture/store.rs b/crates/worldline/src/capture/store.rs
@@ -66,7 +66,10 @@ enum Flavor {
 
 /// Correlation key pairing an open with its close. Uses the descriptor when the
 /// backend reports it (`raw_fd >= 0`); otherwise falls back to the path (the
-/// seccomp backend can't report the target's fd).
+/// seccomp backend can't report the target's fd). Several opens can share a key
+/// — the path fallback collapses every open of one path, and a descriptor
+/// number is reused after close — so each key maps to a *stack* of pending
+/// opens, paired LIFO and validated by path on close.
 #[derive(Clone, PartialEq, Eq, Hash)]
 enum FdKey {
     Fd(u32, i64),
@@ -77,14 +80,45 @@ fn fd_key(pid: u32, raw_fd: i64, path: &Str) -> FdKey {
     if raw_fd >= 0 { FdKey::Fd(pid, raw_fd) } else { FdKey::Path(pid, path.clone()) }
 }
 
+/// A file's identity on disk: device + inode on Unix, volume serial + file index
+/// on Windows.
+///
+/// Used to tell an in-place truncating rewrite (same file) apart from a
+/// replacement of the same path — a rename-over or delete-and-recreate (a
+/// *different* file at that path).
+#[derive(Clone, Copy, PartialEq, Eq)]
+pub struct FileId {
+    dev: u64,
+    ino: u64,
+}
+
+impl FileId {
+    /// Construct from a `(device, inode)`-style identity pair.
+    #[must_use]
+    pub const fn new(dev: u64, ino: u64) -> Self {
+        Self { dev, ino }
+    }
+}
+
+/// One pending open awaiting its close: the path it was opened on (to validate
+/// the pairing) and the before-frontier captured for it.
+struct OpenSlot {
+    path: Str,
+    before: Vec<OpId>,
+}
+
 struct State {
     doc: LoroDoc,
     text_files: LoroMap,
     bin_files: LoroMap,
     /// Per-path text/binary classification, to clean up the other map on a flip.
     flavor: FxHashMap<Str, Flavor>,
-    /// Open descriptors awaiting their close: key -> the open's before-frontier.
-    open: FxHashMap<FdKey, Vec<OpId>>,
+    /// Pending opens awaiting their close: key -> a LIFO stack of open slots
+    /// (several opens can share a key; see [`FdKey`]).
+    open: FxHashMap<FdKey, Vec<OpenSlot>>,
+    /// Per-path on-disk identity as of the last recorded write, to tell an
+    /// in-place rewrite from a replacement of the same path.
+    identity: FxHashMap<Str, FileId>,
     writes: Vec<Write>,
     output: Vec<u8>,
     next_seq: u64,
@@ -120,6 +154,7 @@ impl Snapshotter {
                 bin_files,
                 flavor: FxHashMap::default(),
                 open: FxHashMap::default(),
+                identity: FxHashMap::default(),
                 writes: Vec::new(),
                 output: Vec::new(),
                 next_seq: 0,
@@ -145,46 +180,73 @@ impl Snapshotter {
     /// whole-file writes use) has already emptied the file by the time we read
     /// it. To avoid losing the real pre-write content, the open read is only
     /// adopted as the `before` when it is non-empty (a non-truncating open, or a
-    /// pre-existing file); an empty read for a path we've already recorded is
-    /// treated as a truncating open and the last-recorded content is kept.
+    /// pre-existing file). An empty read for a path we've already recorded is
+    /// treated as a truncating open and the last-recorded content is kept —
+    /// unless `id` shows the file was replaced since (rename-over or
+    /// delete-and-recreate), in which case it's treated as a fresh file so stale
+    /// content isn't resurrected.
     ///
     /// # Panics
     ///
     /// Panics if a Loro container operation fails (a corrupted invariant).
-    pub fn record_open(&self, pid: u32, raw_fd: i64, path: &str, content: &[u8]) {
+    pub fn record_open(
+        &self,
+        pid: u32,
+        raw_fd: i64,
+        path: &str,
+        content: &[u8],
+        id: Option<FileId>,
+    ) {
         let mut guard = self.lock();
         let key = Str::from(path);
         let before = if !content.is_empty() {
             // Non-truncating open or a pre-existing file: the read reflects the
             // real current content (including any external modification).
             set_content(&mut guard, path, content)
-        } else if guard.flavor.contains_key(&key) {
-            // Empty read but we already track this path: a truncating open
-            // emptied the file before we could read it. Keep what we last
-            // recorded (the previous write's `after`) as the `before`.
+        } else if guard.flavor.contains_key(&key) && !replaced(&guard, &key, id) {
+            // Empty read of a path we already track whose on-disk identity is
+            // unchanged: a truncating open emptied the file before we could read
+            // it. Keep what we last recorded (the previous write's `after`).
             serialize_frontiers(&guard.doc.state_frontiers())
         } else {
-            // Empty read, never seen before: a genuinely new or empty file.
+            // Empty read of a genuinely new file, or a path whose identity
+            // changed since we last saw it (rename-over / delete-and-recreate):
+            // treat it as fresh rather than resurrecting stale content.
             set_content(&mut guard, path, content)
         };
-        guard.open.insert(fd_key(pid, raw_fd, &key), before);
+        guard
+            .open
+            .entry(fd_key(pid, raw_fd, &key))
+            .or_default()
+            .push(OpenSlot { path: key, before });
     }
 
     /// Record the post-write snapshot taken just before `path` is closed on
     /// descriptor `raw_fd` of process `pid`, emitting a [`Write`]. Its `before`
     /// is the matching open's snapshot (or the file's prior content if the open
-    /// wasn't observed).
+    /// wasn't observed). `id` is the file's on-disk identity, remembered to
+    /// detect a later replacement of this path.
     ///
     /// # Panics
     ///
     /// Panics if a Loro container operation fails (a corrupted invariant).
-    pub fn record_close(&self, pid: u32, raw_fd: i64, path: &str, content: &[u8]) {
+    pub fn record_close(
+        &self,
+        pid: u32,
+        raw_fd: i64,
+        path: &str,
+        content: &[u8],
+        id: Option<FileId>,
+    ) {
         let path_key = Str::from(path);
         let mut guard = self.lock();
         // The file's content before this close, for the fallback `before`.
         let prior = serialize_frontiers(&guard.doc.state_frontiers());
         let after = set_content(&mut guard, path, content);
-        let before = guard.open.remove(&fd_key(pid, raw_fd, &path_key)).unwrap_or(prior);
+        if let Some(id) = id {
+            guard.identity.insert(path_key.clone(), id);
+        }
+        let before = pop_open(&mut guard, pid, raw_fd, &path_key).unwrap_or(prior);
         let seq = guard.next_seq;
         guard.next_seq += 1;
         let output_offset = guard.output.len();
@@ -207,6 +269,29 @@ impl Snapshotter {
     }
 }
 
+/// Whether the file at `key` has been replaced since we last recorded it — its
+/// on-disk identity differs from the stored one. Unknown identities (either side
+/// `None`) are treated as "not replaced", so the truncating-rewrite heuristic
+/// still applies when identity is unavailable.
+fn replaced(state: &State, key: &Str, current: Option<FileId>) -> bool {
+    matches!((state.identity.get(key), current), (Some(old), Some(new)) if *old != new)
+}
+
+/// Pop the most recent pending open for this `(pid, raw_fd/path)` key whose path
+/// matches the closing `path`, returning its before-frontier. A mismatched top
+/// slot — a descriptor reused for a different file (e.g. via `dup2`) — is
+/// discarded so it can't be mispaired. `None` means no matching open was
+/// observed, and the caller falls back to the file's prior content.
+fn pop_open(state: &mut State, pid: u32, raw_fd: i64, path: &Str) -> Option<Vec<OpId>> {
+    let key = fd_key(pid, raw_fd, path);
+    let stack = state.open.get_mut(&key)?;
+    let slot = stack.pop()?;
+    if stack.is_empty() {
+        state.open.remove(&key);
+    }
+    (slot.path == *path).then_some(slot.before)
+}
+
 /// Set `path`'s content in the doc, committing, and return the new frontier.
 /// Identical content is a no-op (Loro dedups), so the frontier is unchanged.
 fn set_content(state: &mut State, path: &str, content: &[u8]) -> Vec<OpId> {
diff --git a/crates/worldline/src/serve/data.rs b/crates/worldline/src/serve/data.rs
@@ -149,22 +149,40 @@ fn read_content(doc: &LoroDoc, path: &str) -> (Str, Blob) {
 
 #[cfg(test)]
 mod tests {
-    use super::reconstruct;
+    use super::{ApiData, reconstruct};
     use crate::{
-        capture::Snapshotter,
+        capture::{FileId, Snapshotter},
         run::{Captured, Meta},
     };
 
+    /// Reconstruct a snapshotter's writes into the served payload.
+    fn api_of(snap: &Snapshotter) -> ApiData {
+        reconstruct(&Captured {
+            meta: Meta { argv: vec!["p".into()], cwd: "/w".into(), exit_code: Some(0) },
+            data: snap.finish(),
+        })
+    }
+
+    /// The (UTF-8) before-content of write `i`.
+    fn before(api: &ApiData, i: usize) -> &str {
+        api.blobs[api.writes[i].before.as_str()].data.as_str()
+    }
+
+    /// The (UTF-8) after-content of write `i`.
+    fn after(api: &ApiData, i: usize) -> &str {
+        api.blobs[api.writes[i].after.as_str()].data.as_str()
+    }
+
     #[test]
     fn reconstructs_writes_with_before_after() {
         let snap = Snapshotter::new();
         snap.append_output(b"out");
         // First write to a.txt: created empty, closed with "hello".
-        snap.record_open(1, 3, "/w/a.txt", b"");
-        snap.record_close(1, 3, "/w/a.txt", b"hello");
+        snap.record_open(1, 3, "/w/a.txt", b"", None);
+        snap.record_close(1, 3, "/w/a.txt", b"hello", None);
         // Second write to a.txt: opened with "hello", closed with "hello world".
-        snap.record_open(1, 3, "/w/a.txt", b"hello");
-        snap.record_close(1, 3, "/w/a.txt", b"hello world");
+        snap.record_open(1, 3, "/w/a.txt", b"hello", None);
+        snap.record_close(1, 3, "/w/a.txt", b"hello world", None);
 
         let captured = Captured {
             meta: Meta { argv: vec!["p".into()], cwd: "/w".into(), exit_code: Some(0) },
@@ -185,4 +203,85 @@ mod tests {
         // "hello" is shared between write 0's after and write 1's before.
         assert_eq!(api.writes[0].after.as_str(), api.writes[1].before.as_str());
     }
+
+    /// A truncating in-place rewrite (same on-disk identity) keeps the file's
+    /// prior content as `before`; a replacement of the path (different identity
+    /// — rename-over or delete-and-recreate) is treated as a fresh file so stale
+    /// content isn't resurrected. (Empty open reads model an `O_TRUNC` open,
+    /// which `writeFileSync` uses.)
+    #[test]
+    fn identity_distinguishes_rewrite_from_replacement() {
+        let (x, y) = (FileId::new(1, 100), FileId::new(1, 200));
+
+        // In-place rewrite: same identity across both writes -> keep "v1".
+        let snap = Snapshotter::new();
+        snap.record_open(1, -1, "/w/a.txt", b"", Some(x));
+        snap.record_close(1, -1, "/w/a.txt", b"v1", Some(x));
+        snap.record_open(1, -1, "/w/a.txt", b"", Some(x));
+        snap.record_close(1, -1, "/w/a.txt", b"v2", Some(x));
+        let api = api_of(&snap);
+        assert_eq!(before(&api, 1), "v1", "in-place rewrite keeps prior content");
+        assert_eq!(after(&api, 1), "v2");
+
+        // Replacement: identity changes on the second write -> fresh, before "".
+        let snap = Snapshotter::new();
+        snap.record_open(1, -1, "/w/a.txt", b"", Some(x));
+        snap.record_close(1, -1, "/w/a.txt", b"v1", Some(x));
+        snap.record_open(1, -1, "/w/a.txt", b"", Some(y));
+        snap.record_close(1, -1, "/w/a.txt", b"v2", Some(y));
+        let api = api_of(&snap);
+        assert_eq!(before(&api, 1), "", "a replaced file shows an empty before, not stale content");
+        assert_eq!(after(&api, 1), "v2");
+    }
+
+    /// Under the seccomp backend (`raw_fd == -1`) several opens of one path
+    /// collapse to the same correlation key. Their before-frontiers must be
+    /// stacked, not overwritten, so two overlapping writes to one path each get
+    /// their own `before` rather than the second falling back to the first
+    /// close's after.
+    #[test]
+    fn seccomp_stacked_opens_keep_distinct_befores() {
+        let snap = Snapshotter::new();
+        snap.record_open(1, -1, "/w/a.txt", b"", None);
+        snap.record_close(1, -1, "/w/a.txt", b"base", None); // write 0: "" -> "base"
+        // Two overlapping opens (both saw "base"), then two closes.
+        snap.record_open(1, -1, "/w/a.txt", b"base", None);
+        snap.record_open(1, -1, "/w/a.txt", b"base", None);
+        snap.record_close(1, -1, "/w/a.txt", b"X1", None); // write 1
+        snap.record_close(1, -1, "/w/a.txt", b"Y1", None); // write 2
+        let api = api_of(&snap);
+        assert_eq!(before(&api, 1), "base");
+        assert_eq!(
+            before(&api, 2),
+            "base",
+            "the second overlapping close must not fall back to the first close's after"
+        );
+    }
+
+    /// A descriptor reused for a different file (e.g. via `dup2`, which closes
+    /// the old target without a close callback, leaking that open) must not
+    /// mispair: the close validates the open's path and falls back to the file's
+    /// prior content on a mismatch, instead of adopting a stale `before` from the
+    /// leaked open of another file.
+    #[test]
+    fn reused_fd_does_not_mispair() {
+        let snap = Snapshotter::new();
+        // fd 5 opened for a.txt ("AAA"); its close is never observed.
+        snap.record_open(1, 5, "/w/a.txt", b"AAA", None);
+        // fd 6 opened + closed for b.txt normally.
+        snap.record_open(1, 6, "/w/b.txt", b"BBB", None);
+        snap.record_close(1, 6, "/w/b.txt", b"BBB2", None);
+        // fd 5 now aliases b.txt (after a dup2) and is closed.
+        snap.record_close(1, 5, "/w/b.txt", b"BBB3", None);
+        let api = api_of(&snap);
+        for i in 0..api.writes.len() {
+            if api.writes[i].path.as_str().ends_with("b.txt") {
+                assert_ne!(
+                    before(&api, i),
+                    "AAA",
+                    "a b.txt close on a reused fd must not adopt a.txt's leaked before"
+                );
+            }
+        }
+    }
 }
diff --git a/crates/worldline/src/serve/mod.rs b/crates/worldline/src/serve/mod.rs
@@ -183,8 +183,8 @@ mod tests {
     async fn serves_endpoints_and_assets() {
         let snap = Snapshotter::new();
         snap.append_output(b"hello-output");
-        snap.record_open(1, 3, "/w/a.txt", b"");
-        snap.record_close(1, 3, "/w/a.txt", b"content");
+        snap.record_open(1, 3, "/w/a.txt", b"", None);
+        snap.record_close(1, 3, "/w/a.txt", b"content", None);
         let captured = Captured {
             meta: Meta { argv: vec!["prog".into()], cwd: "/w".into(), exit_code: Some(0) },
             data: snap.finish(),
