Sandbox warning

Sg312 · Sg312 · commit fe2bc50659f3 · 2026-06-02T19:56:37.000-07:00
diff --git a/apps/sim/app/api/function/execute/route.ts b/apps/sim/app/api/function/execute/route.ts
@@ -679,6 +679,37 @@ function resolveCodeVariables(
  * This handles the common case where print() or console.log() adds a trailing \n
  * that users don't expect to see in the output
  */
+/**
+ * Heuristic: did the sandbox die from an infrastructure failure (OOM kill,
+ * timeout, lost connection) rather than a normal code error? Python/JS code
+ * exceptions surface via execution.error; an OOM kill instead makes runCode
+ * throw, often with an empty or cryptic message.
+ */
+function isLikelySandboxKill(error: any): boolean {
+  const msg = `${error?.name ?? ''} ${error?.message ?? ''} ${error?.code ?? ''}`
+    .toLowerCase()
+    .trim()
+  if (!msg) return true
+  return [
+    'out of memory',
+    'oom',
+    'killed',
+    'sigkill',
+    'code 137',
+    'signal 9',
+    'terminated',
+    'econnreset',
+    'epipe',
+    'socket hang up',
+    'connection closed',
+    'connection reset',
+    'websocket',
+    'timed out',
+    'timeout',
+    'deadline',
+  ].some((s) => msg.includes(s))
+}
+
 function cleanStdout(stdout: string): string {
   if (stdout.endsWith('\n')) {
     return stdout.slice(0, -1)
@@ -1833,6 +1864,24 @@ export const POST = withRouteHandler(async (req: NextRequest) => {
       )
     }
 
+    if (isLikelySandboxKill(error)) {
+      const underlying = (error?.message || String(error)).slice(0, 300)
+      logger.warn(`[${requestId}] Sandbox terminated before completion (likely OOM or timeout)`, {
+        executionTime,
+        underlying,
+      })
+      const killResponse = {
+        success: false,
+        error:
+          'The sandbox was terminated before finishing — most likely it ran out of memory or hit the time limit while processing large or combined inputs. Mount and process fewer/smaller files at once (e.g. one file at a time), or stream and aggregate incrementally instead of loading everything into memory. ' +
+          `(underlying: ${underlying || 'no detail; sandbox died'})`,
+        output: { result: null, stdout: cleanStdout(stdout), executionTime },
+      }
+      return routeContext
+        ? functionJsonResponse(killResponse, routeContext, { status: 500 })
+        : NextResponse.json(killResponse, { status: 500 })
+    }
+
     logger.error(`[${requestId}] Function execution failed`, {
       error: error.message || 'Unknown error',
       stack: error.stack,
diff --git a/apps/sim/lib/copilot/generated/tool-catalog-v1.ts b/apps/sim/lib/copilot/generated/tool-catalog-v1.ts
@@ -1126,7 +1126,7 @@ export const FunctionExecute: ToolCatalogEntry = {
                 sandboxPath: {
                   type: 'string',
                   description:
-                    'Optional full sandbox path override. Omit to mount at /home/user/{path}.',
+                    'Full sandbox path to mount at, e.g. /home/user/inputs/data.csv. STRONGLY RECOMMENDED whenever the file name has spaces or special characters: the default mount path is the percent-ENCODED canonical path (e.g. /home/user/files/Q4%20Sales%20(Final).csv), which code using the human-readable name will not find. Set a simple sandboxPath and read exactly that.',
                 },
               },
               required: ['path'],
@@ -1288,7 +1288,7 @@ export const GenerateImage: ToolCatalogEntry = {
                 sandboxPath: {
                   type: 'string',
                   description:
-                    'Optional full sandbox path override. Omit to mount at /home/user/{path}.',
+                    'Full sandbox path to mount at, e.g. /home/user/inputs/data.csv. STRONGLY RECOMMENDED whenever the file name has spaces or special characters: the default mount path is the percent-ENCODED canonical path (e.g. /home/user/files/Q4%20Sales%20(Final).csv), which code using the human-readable name will not find. Set a simple sandboxPath and read exactly that.',
                 },
               },
               required: ['path'],
diff --git a/apps/sim/lib/copilot/generated/tool-schemas-v1.ts b/apps/sim/lib/copilot/generated/tool-schemas-v1.ts
@@ -921,7 +921,7 @@ export const TOOL_RUNTIME_SCHEMAS: Record<string, ToolRuntimeSchemaEntry> = {
                   sandboxPath: {
                     type: 'string',
                     description:
-                      'Optional full sandbox path override. Omit to mount at /home/user/{path}.',
+                      'Full sandbox path to mount at, e.g. /home/user/inputs/data.csv. STRONGLY RECOMMENDED whenever the file name has spaces or special characters: the default mount path is the percent-ENCODED canonical path (e.g. /home/user/files/Q4%20Sales%20(Final).csv), which code using the human-readable name will not find. Set a simple sandboxPath and read exactly that.',
                   },
                 },
                 required: ['path'],
@@ -1078,7 +1078,7 @@ export const TOOL_RUNTIME_SCHEMAS: Record<string, ToolRuntimeSchemaEntry> = {
                   sandboxPath: {
                     type: 'string',
                     description:
-                      'Optional full sandbox path override. Omit to mount at /home/user/{path}.',
+                      'Full sandbox path to mount at, e.g. /home/user/inputs/data.csv. STRONGLY RECOMMENDED whenever the file name has spaces or special characters: the default mount path is the percent-ENCODED canonical path (e.g. /home/user/files/Q4%20Sales%20(Final).csv), which code using the human-readable name will not find. Set a simple sandboxPath and read exactly that.',
                   },
                 },
                 required: ['path'],
diff --git a/apps/sim/lib/copilot/tools/handlers/function-execute.ts b/apps/sim/lib/copilot/tools/handlers/function-execute.ts
@@ -94,16 +94,24 @@ async function resolveInputFiles(
       }
       const record = findWorkspaceFileRecord(allFiles, alias?.backingPath ?? filePath)
       if (!record) {
-        logger.warn('Input file not found', { fileRef })
-        continue
+        if (filePath.startsWith('uploads/')) {
+          throw new Error(
+            `Cannot mount "${filePath}": uploads/ files are not mountable into the sandbox. Use materialize_file to save it to a files/... path first, then mount that canonical path.`
+          )
+        }
+        throw new Error(
+          `Input file not found: "${filePath}". Pass the exact canonical VFS path copied from glob/read (e.g. "files/Reports/data.csv").`
+        )
       }
       if (record.size > MAX_FILE_SIZE) {
-        logger.warn('Input file exceeds size limit', { fileId: record.id, size: record.size })
-        continue
+        throw new Error(
+          `Input file "${filePath}" is ${Math.round(record.size / 1024 / 1024)}MB, over the ${MAX_FILE_SIZE / 1024 / 1024}MB per-file mount limit.`
+        )
       }
       if (totalSize + record.size > MAX_TOTAL_SIZE) {
-        logger.warn('Total input size limit reached')
-        break
+        throw new Error(
+          `Mounting "${filePath}" would exceed the ${MAX_TOTAL_SIZE / 1024 / 1024}MB total mount limit. Mount fewer or smaller files.`
+        )
       }
       const buffer = await fetchWorkspaceFileBuffer(record)
       totalSize += buffer.length
@@ -249,8 +257,9 @@ async function resolveInputFiles(
       if (!tableId) continue
       const table = await resolveTableRef(tableId, tablePathLookup)
       if (!table || table.workspaceId !== workspaceId) {
-        logger.warn('Input table not found', { tableId })
-        continue
+        throw new Error(
+          `Input table not found: "${tableId}". Pass the table id (tbl_...) from tables/{name}/meta.json, or a tables/{name}/meta.json path.`
+        )
       }
       const rows = await queryRows(table, {}, 'copilot-fn-exec')
 
