fix(cron): atomic write, kill child on timeout, add timeout test

超渡法師 · 超渡法師 · commit f1ea0fd7b3c0 · 2026-05-17T17:44:41.000Z
- update_usercron_job: write to .toml.tmp then rename (atomic on POSIX)
- check_disable_on_success: use spawn() + wait_with_output() to retain
  child handle; explicitly kill on timeout to prevent orphan processes
- Add disable_on_success_kills_child_on_timeout test (sleep 999 + 1s timeout)
diff --git a/src/cron.rs b/src/cron.rs
@@ -751,24 +751,45 @@ async fn check_disable_on_success(
     marker: &str,
 ) -> DisableOnSuccessResult {
     let timeout_secs = job.disable_on_success_timeout_secs.max(1);
-    let mut child = shell_command(command);
+    let mut cmd = shell_command(command);
     if let Some(dir) = non_empty_opt(job.disable_on_success_working_dir.as_deref()) {
-        child.current_dir(dir);
+        cmd.current_dir(dir);
     }
+    cmd.stdout(std::process::Stdio::piped());
+    cmd.stderr(std::process::Stdio::piped());
 
-    let output = match timeout(std::time::Duration::from_secs(timeout_secs), child.output()).await
+    let mut child = match cmd.spawn() {
+        Ok(child) => child,
+        Err(e) => {
+            warn!(
+                id = job.id.as_deref().unwrap_or(""),
+                command,
+                error = %e,
+                "disable_on_success command failed to start"
+            );
+            return DisableOnSuccessResult::NotAchieved("command failed to start");
+        }
+    };
+
+    let output = match timeout(
+        std::time::Duration::from_secs(timeout_secs),
+        child.wait_with_output(),
+    )
+    .await
     {
         Ok(Ok(output)) => output,
         Ok(Err(e)) => {
             warn!(
                 id = job.id.as_deref().unwrap_or(""),
                 command,
                 error = %e,
-                "disable_on_success command failed to start"
+                "disable_on_success command wait failed"
             );
             return DisableOnSuccessResult::NotAchieved("command failed to start");
         }
         Err(_) => {
+            // Timeout — kill the child to avoid orphan processes.
+            let _ = child.kill().await;
             warn!(
                 id = job.id.as_deref().unwrap_or(""),
                 command,
@@ -839,7 +860,10 @@ fn update_usercron_job(
         anyhow::bail!("usercron job id {:?} not found", id);
     }
 
-    std::fs::write(path, doc.to_string())?;
+    // Atomic write: write to temp file then rename to avoid corruption on crash.
+    let tmp = path.with_extension("toml.tmp");
+    std::fs::write(&tmp, doc.to_string())?;
+    std::fs::rename(&tmp, path)?;
     Ok(())
 }
 
@@ -1451,6 +1475,18 @@ message = "a"
         ));
     }
 
+    #[tokio::test]
+    async fn disable_on_success_kills_child_on_timeout() {
+        let mut job = test_cron_job();
+        job.disable_on_success_timeout_secs = 1;
+
+        let result = check_disable_on_success(&job, "sleep 999", "SUCCESS").await;
+        assert!(matches!(
+            result,
+            DisableOnSuccessResult::NotAchieved("command timed out")
+        ));
+    }
+
     fn test_cron_job() -> CronJobConfig {
         CronJobConfig {
             id: Some("goal".into()),
