Skip to content

Make profiler-cli work in sandboxed environments#6003

Merged
canova merged 2 commits into
firefox-devtools:mainfrom
canova:pq-sandoxed
May 11, 2026
Merged

Make profiler-cli work in sandboxed environments#6003
canova merged 2 commits into
firefox-devtools:mainfrom
canova:pq-sandoxed

Conversation

@canova

@canova canova commented May 7, 2026
edited
Loading

Copy link
Copy Markdown
Member

There were two things that prevented us from having a working cli in the sandboxed environments:

  1. HTTP(S) proxy needs to be used
    • All network request must go through some proxy, so the sandboxed environment can choose to allow or block the requests per domain. If it doesn't use this proxy, the requests are usually blocked automatically without a way to allow. It seemed a bit sketchy to me at first but then I realized that this is the default behavior on many places like curl, python, go, and node is considering enabling this by default.
  2. Signaling a process is not allowed
    • process.kill(pid, 0); isn't allowed in sandboxed environments, so this can't be used to check if the process is still alive. Instead, I converted that isProcessRunning to isDaemonReachable and used the existing sockets to check if the daemon is still listening that socket (for example with ECONNREFUSED).

Also please see the individual commit messages.

I tested both on macOS and Linux, and they seem to work (with some additional config depending on what you use for sandboxing)

@codecov

codecov Bot commented May 7, 2026
edited
Loading

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 83.82%. Comparing base (5783a76) to head (fede2a3).
⚠️ Report is 20 commits behind head on main.

Additional details and impacted files 
@@           Coverage Diff           @@
##             main    #6003   +/-   ##
=======================================
  Coverage   83.82%   83.82%           
=======================================
  Files         328      328           
  Lines       34254    34254           
  Branches     9572     9479   -93     
=======================================
  Hits        28712    28712           
  Misses       5114     5114           
  Partials      428      428

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@canova canova marked this pull request as ready for review May 7, 2026 09:44
@canova canova requested a review from mstange May 7, 2026 09:44
canova added 2 commits May 11, 2026 13:23
@canova
Use --use-env-proxy in the daemon process
0d0242f 
Daemon process is the one that does all the network requests, and it
looks like all the sandboxed environments use an environment proxy for
allowed/disallowed domains using `HTTP_PROXY/HTTPS_PROXY`.

I was a bit suspicious at first thinking that maybe this is not great
security-wise, but then learned that this is the deafult behavior pretty
much everywhere except for node, and node is considering about turning
it on by default. For example, this is the default in curl, python, go,
and in popular rust packages like reqwest. The rationale is that, if
they have access to your machine, setting this env vars is the least of
your concern.

For example, see the curl documentation:
https://curl.se/docs/tutorial.html#:~:text=SPNEGO%29%2E-,Environment%20Variables
@canova
Replace PID signal check with a socket connection check instead
fede2a3 
Previously, isProcessRunning used `kill(pid, 0)`, to check daemon is
still alive, which returns EPERM in sandboxed environments regardless of
whether the process actually exists. This commit replaces this check
with a socket connection attempt. A connection failure (either ENOENT or
ECONNREFUSED) successfully indicates a dead daemon on all platforms
without requiring any signal permission.


Also it replaces waitForProcessExit with waitForSocketClose, which polls
the same connect probe. Updates validateSession to be async and use the
new check, collapsing the separate PID and socket-file-existence checks
into a single socket connect attempt.
@canova canova merged commit 002d589 into firefox-devtools:main May 11, 2026
23 checks passed
@canova canova mentioned this pull request May 26, 2026
Merged
canova added a commit that referenced this pull request May 26, 2026
@canova
Deploy May 26, 2026 (#6061)
92cd06c 
Changes:

[fatadel] Remove unused dependencies from package.json (#6010)
[Nazım Can Altınova] Make profiler-cli work in sandboxed environments
(#6003)
[Markus Stange] Make profiler-edit run profile compacting before writing
out the file (#6015)
[Markus Stange] Migrate from prettier to oxfmt (#5986)
[Markus Stange] Add a --symbolicate-wasm arg to profiler-edit. (#6008)
[Markus Stange] Build and upload the cli artifact in PRs (#6020)
[Markus Stange] Use @streamparser/json if the input is too large to fit
in a V8 string (#6016)
[Nazım Can Altınova] Print also the status output right after cli `load`
command (#6019)
[Nicolas Chevobbe] Update devtools-reps to 0.27.7 (#6030)
[Nazım Can Altınova] Include `--search` option in `pq filter push`
(#6026)
[Nazım Can Altınova] Update all Yarn dependencies (2026-05-20) (#6033)
[fatadel] Translate URL track-index state through profile sanitization
(#6000)
[Markus Stange] Make withSize use a wrapper element so that it can stop
calling findDOMNode (#5988)
[Markus Stange] Fix dhat importer (#6036)
[Nazım Can Altınova] Annotate inlined frames in CLI call trees and
stacks (#6041)
[Nazım Can Altınova] Use proper types in cli tests instead of custom
inline types (#6038)
[Nazım Can Altınova] Fix text truncation for frames named after
Object.prototype methods (#6044)
[Nazım Can Altınova] Add missing key props to CodeErrorOverlay error
list items (#6047)
[depfu[bot]] ⬆️ Update oxfmt to version 0.51.0 (#6054)
[Nazım Can Altınova] 🔃 Sync: l10n -> main (May 26, 2026) (#6058)
[Nazım Can Altınova] Use URL-state symbol server for `profiler-cli
function annotate` (#6051)
[Nazım Can Altınova] Bump profiler-cli version to 0.2.0 (#6059)

And special thanks to our localizers:

fr: YD
sr: Марко Костић (Marko Kostić)
tr: Ali Demirtaş
zh-CN: Olvcpr423
zh-CN: wxie
@canova canova mentioned this pull request May 27, 2026
Merged
canova added a commit that referenced this pull request May 27, 2026
@canova
Pass --use-env-proxy only when the node version is >= 24 (#6064)
bdfa55d 
See also individual commit messages.
`--use-env-proxy` was added in Node.js 24, and I added that in #6003 to
make sandboxed anvironments work. But the cli now stopped working for
the users who has node version that's below 24. This PR adds this flag
conditionally if the node version is above that.

Note that sandboxed environments might not work for node < 24. But I
added a warning log to the users explaining that.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mstange mstange mstange approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@canova @mstange