From 94d1d4aa332121aefcccd81a085d524e47a4d7a2 Mon Sep 17 00:00:00 2001
From: Sam-Si <13261099+Sam-Si@users.noreply.github.com>
Date: Sat, 9 May 2026 16:09:03 +0530
Subject: [PATCH 1/4] fix: remove --test_tmpdir that conflicts with --sandbox_tmpfs_path
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The --test_tmpdir=/tmp/bazel-test-logs setting conflicts with --sandbox_tmpfs_path=/tmp because the tmpfs overlay mounts a fresh empty filesystem over /tmp inside the sandbox, causing the bind-mount of TEST_TMPDIR to fail with 'No such file or directory'. This was preventing ALL tests from running — they were killed by the sandbox infrastructure before the test binary could even start. Removing --test_tmpdir lets Bazel use its default TEST_TMPDIR handling, which is sandbox-compatible.
---
 .bazelrc | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.bazelrc b/.bazelrc
index 4b3c31f..72239d1 100755
--- a/.bazelrc
+++ b/.bazelrc
@@ -47,7 +47,6 @@ build --local_resources=memory=57344
 # Linux Sandbox Hardening: Fixes "File exists" and "/dev/null" errors
 build:linux --sandbox_tmpfs_path=/tmp
 build:linux --sandbox_add_mount_pair=/dev/null
-build:linux --test_tmpdir=/tmp/bazel-test-logs
 build:linux --dynamic_mode=off
 build:linux --linkopt=-Wl,--threads=16
From bd0e7a042da1534374f076dba99b60664dca86e2 Mon Sep 17 00:00:00 2001
From: Sam-Si <13261099+Sam-Si@users.noreply.github.com>
Date: Sat, 9 May 2026 17:14:56 +0530
Subject: [PATCH 2/4] fix: use /dev/shm as sandbox base to prevent stale 'File exists' errors

When a previous build/test is interrupted (Ctrl+C, OOM kill, crash), Bazel's sandbox directories aren't cleaned up. The next run fails with 'Could not copy inputs into sandbox: ... (File exists)'. Using --sandbox_base=/dev/shm places sandbox directories on tmpfs, which is auto-cleaned on container restart and eliminates stale state accumulation. This also improves sandbox I/O performance since /dev/shm is memory-backed.
---
 .bazelrc | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/.bazelrc b/.bazelrc
index 72239d1..aa5f04c 100755
--- a/.bazelrc
+++ b/.bazelrc
@@ -44,9 +44,14 @@ build --jobs=20
 build --local_resources=cpu=16
 build --local_resources=memory=57344
-# Linux Sandbox Hardening: Fixes "File exists" and "/dev/null" errors
+# Linux Sandbox Hardening
+# --sandbox_tmpfs_path=/tmp : clean /tmp per action (isolation)
+# --sandbox_add_mount_pair : ensures /dev/null is available
+# --sandbox_base=/dev/shm : use tmpfs-backed sandbox dirs — prevents
+# "File exists" errors from stale state after interrupted builds
 build:linux --sandbox_tmpfs_path=/tmp
 build:linux --sandbox_add_mount_pair=/dev/null
+build:linux --sandbox_base=/dev/shm
 build:linux --dynamic_mode=off
 build:linux --linkopt=-Wl,--threads=16
From 609004285702ef48e521f9d9a7635fa5ded2d195 Mon Sep 17 00:00:00 2001
From: Sam-Si <13261099+Sam-Si@users.noreply.github.com>
Date: Sat, 9 May 2026 17:14:56 +0530
Subject: [PATCH 3/4] fix: resolve sandbox 'File exists' errors without /dev/shm

The previous approach (--sandbox_base=/dev/shm) failed because Docker containers default to 64MB /dev/shm, which is too small for linking large C++ binaries (Bus error + No space left on device). Instead, handle stale sandbox state by: 1. Purging .bazel/output_base/sandbox in dcodex-setup.sh before builds (instant, preserves disk cache for fast incremental builds) 2. Documenting in .bazelrc why --sandbox_base=/dev/shm must NOT be used This combined with the --test_tmpdir removal (previous commit) fixes all known sandbox infrastructure failures.
---
 .bazelrc | 7 ++++---
 dcodex-setup.sh | 11 +++++++++++
 2 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/.bazelrc b/.bazelrc
index aa5f04c..b776f81 100755
--- a/.bazelrc
+++ b/.bazelrc
@@ -47,11 +47,12 @@ build --local_resources=memory=57344
 # Linux Sandbox Hardening
 # --sandbox_tmpfs_path=/tmp : clean /tmp per action (isolation)
 # --sandbox_add_mount_pair : ensures /dev/null is available
-# --sandbox_base=/dev/shm : use tmpfs-backed sandbox dirs — prevents
-# "File exists" errors from stale state after interrupted builds
+# NOTE: Do NOT use --sandbox_base=/dev/shm — Docker containers default
+# to 64MB /dev/shm which is too small for linking large binaries.
+# Stale sandbox state ("File exists" errors) is handled by cleaning
+# .bazel/output_base/sandbox before builds (see dcodex-setup.sh).
 build:linux --sandbox_tmpfs_path=/tmp
 build:linux --sandbox_add_mount_pair=/dev/null
-build:linux --sandbox_base=/dev/shm
 build:linux --dynamic_mode=off
 build:linux --linkopt=-Wl,--threads=16
diff --git a/dcodex-setup.sh b/dcodex-setup.sh
index ceb9d5c..e0f0b51 100755
--- a/dcodex-setup.sh
+++ b/dcodex-setup.sh
@@ -309,6 +309,17 @@ else
 ok "Skipping bazel clean (incremental build — disk cache preserved)"
 fi
+# Always purge stale sandbox directories. If a previous build was interrupted
+# (Ctrl+C, OOM kill, crash), leftover files cause "File exists" errors on the
+# next run. This is cheap (~instant) and only removes sandbox working dirs —
+# the disk cache and repo cache are untouched.
+if [[ -d "${REPO_DIR}/.bazel/output_base/sandbox" ]]; then
+ rm -rf "${REPO_DIR}/.bazel/output_base/sandbox"
+ ok "Purged stale sandbox directories"
+else
+ ok "No stale sandbox directories to clean"
+fi
+
 timer
 # ─────────────────────────────────────────────────────────────────────────────
From fb0f2f674ca59b858dd6eca207b701b84cbef1a3 Mon Sep 17 00:00:00 2001
From: Sam-Si <13261099+Sam-Si@users.noreply.github.com>
Date: Sun, 10 May 2026 00:15:53 +0530
Subject: [PATCH 4/4] fix: remove --sandbox_debug from default test flags

Now that sandbox issues are resolved, the per-action debug traces (thousands of lines per build) are no longer needed and drown the actual test output. Can still be passed manually when needed: bazel test --sandbox_debug ...
---
 dcodex-setup.sh | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/dcodex-setup.sh b/dcodex-setup.sh
index e0f0b51..fc60b5a 100755
--- a/dcodex-setup.sh
+++ b/dcodex-setup.sh
@@ -361,9 +361,11 @@ timer
 step "6/7 Tests"
 # Common Bazel test flags for diagnostics — always verbose.
+# NOTE: --sandbox_debug is intentionally omitted; it dumps per-action
+# traces for every compile/link step, drowning test output. Pass it
+# manually if debugging sandbox issues: bazel test --sandbox_debug ...
 BAZEL_TEST_COMMON=(
 --verbose_failures
- --sandbox_debug
 --test_output=all
 --test_env=HOME=/tmp
 )
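Review bot: The sandbox purge added to dcodex-setup.sh in patch 3/4 runs `rm -rf` on a path built from `${REPO_DIR}` with nothing in the hunk guarding against the variable being empty, in which case the target becomes `/.bazel/output_base/sandbox` rather than a directory inside the repository. Writing it as `rm -rf -- "${REPO_DIR:?}/.bazel/output_base/sandbox"` aborts on an empty value and ends option parsing before the path. The "Purged stale sandbox directories" message is printed without checking that the removal succeeded, unless the script runs under `set -e`, which is not visible in this hunk. If a Bazel server for this output base could still be executing actions when the setup script runs, the purge would delete live sandboxes, so the comment should state that the step assumes no build is in progress.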