test(ci): probe G — install ProcDump as JIT debugger for silent-kill capture

JohnMcLear · claude · JohnMcLear · commit fcb50dce7668 · 2026-05-27T10:09:24.000+01:00
Probe A (PR #7855) ruled out Defender as the killer: with DisableRealtimeMonitoring + DisableBehaviorMonitoring + DisableIOAVProtection all = True, the silent ELIFECYCLE still fired (run 26470378618, Win without plugins, `pad.ts > Tests > creates a new Pad with empty text`, kill +470 ms post-test-start, exit 255). The captured event logs showed: - Application log: empty (zero entries during test phase) - System log: only pre-test service stops; no SCM TerminateProcess - Defender Operational: only stale 2026-05-18 runner provisioning - Application Error / Hang / WER: zero entries The fixed tasklist sidecar showed the dying Node process (PID 7036) was completely healthy 1 second before death: HandleCount=323 stable, ThreadCount=17 stable, WorkingSetSize ~321 MB stable, KernelModeTime and UserModeTime growing linearly. No anomaly in OS-side process state. Then dead 1 second later with zero entry in any Windows event log. That fingerprint — silent external termination with no event-log trace and no anomaly in OS-side state — matches `__fastfail` (the `int 29h` fast-fail intrinsic). libuv on Windows uses `__fastfail` for certain internal assertion failures in its TCP and pipe paths (uv_win.c, tcp-win.c, pipe-win.c). When triggered, it immediately terminates the process bypassing all user-mode notification including WER. The only standard tool that catches state across __fastfail is a JIT-installed debugger. Install Sysinternals ProcDump as the system JIT debugger: - downloads procdump.zip from sysinternals.com - extracts to C:\procdump - `-i -ma` registers as the AeDebug handler, configured for full memory dumps - dumps land in node-report/dumps/ which the existing failure artifact picks up On the next silent ELIFECYCLE this captures a .dmp file with full call stack across the kill — loadable in WinDbg with "!analyze -v" to see the libuv assertion (or whatever else) that fired the fast-fail. That should be the final word on what's killing the process. Built on top of probe-flake-defender-eventlog-sidecar (#7855) because the event-log capture + sidecar fix are useful baselines even after Defender's ruled out. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
diff --git a/.github/workflows/backend-tests.yml b/.github/workflows/backend-tests.yml
@@ -214,6 +214,33 @@ jobs:
         run: |
           powershell -Command "(gc settings.json.template) -replace '\"max\": 10', '\"max\": 10000' | Out-File -encoding ASCII settings.json.holder"
           powershell -Command "(gc settings.json.holder) -replace '\"points\": 10', '\"points\": 1000' | Out-File -encoding ASCII settings.json"
+      -
+        # PROBE G — install Sysinternals ProcDump as the system Just-In-Time
+        # debugger. When ANY process on the runner crashes, fast-fails (via
+        # int 29h), or hits an unhandled SEH exception, the OS hands it to
+        # the JIT debugger, which writes a full memory dump to the configured
+        # directory. This catches the silent-ELIFECYCLE kill class even when
+        # it bypasses every event-log path: probe A+H (PR #7855) ruled out
+        # Defender AND showed the kill produces NO entry in Application,
+        # System, or Defender Operational logs. That fingerprint matches
+        # __fastfail (int 29h) — used internally by libuv on Windows for
+        # certain TCP/pipe state-corruption assertions. ProcDump as JIT
+        # debugger is the only standard tool that captures user + kernel
+        # state across __fastfail.
+        name: Install ProcDump as JIT debugger (probe G)
+        shell: powershell
+        run: |
+          $ErrorActionPreference = 'Continue'
+          Invoke-WebRequest -Uri "https://download.sysinternals.com/files/Procdump.zip" -OutFile "$env:TEMP\Procdump.zip"
+          Expand-Archive -Path "$env:TEMP\Procdump.zip" -DestinationPath "C:\procdump" -Force
+          New-Item -ItemType Directory -Force -Path "${{ github.workspace }}\node-report\dumps" | Out-Null
+          # -i installs procdump as the system JIT debugger.
+          # -ma writes a full memory dump.
+          # The dump path argument tells procdump where to write the dumps.
+          & "C:\procdump\procdump64.exe" -accepteula -i -ma "${{ github.workspace }}\node-report\dumps"
+          # Sanity: confirm the AeDebug registry key now points at procdump.
+          Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug" -ErrorAction SilentlyContinue | Format-List
+          Get-ItemProperty "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug" -ErrorAction SilentlyContinue | Format-List
       -
         name: Run the backend tests
         shell: bash
@@ -397,6 +424,33 @@ jobs:
         run: |
           powershell -Command "(gc settings.json.template) -replace '\"max\": 10', '\"max\": 10000' | Out-File -encoding ASCII settings.json.holder"
           powershell -Command "(gc settings.json.holder) -replace '\"points\": 10', '\"points\": 1000' | Out-File -encoding ASCII settings.json"
+      -
+        # PROBE G — install Sysinternals ProcDump as the system Just-In-Time
+        # debugger. When ANY process on the runner crashes, fast-fails (via
+        # int 29h), or hits an unhandled SEH exception, the OS hands it to
+        # the JIT debugger, which writes a full memory dump to the configured
+        # directory. This catches the silent-ELIFECYCLE kill class even when
+        # it bypasses every event-log path: probe A+H (PR #7855) ruled out
+        # Defender AND showed the kill produces NO entry in Application,
+        # System, or Defender Operational logs. That fingerprint matches
+        # __fastfail (int 29h) — used internally by libuv on Windows for
+        # certain TCP/pipe state-corruption assertions. ProcDump as JIT
+        # debugger is the only standard tool that captures user + kernel
+        # state across __fastfail.
+        name: Install ProcDump as JIT debugger (probe G)
+        shell: powershell
+        run: |
+          $ErrorActionPreference = 'Continue'
+          Invoke-WebRequest -Uri "https://download.sysinternals.com/files/Procdump.zip" -OutFile "$env:TEMP\Procdump.zip"
+          Expand-Archive -Path "$env:TEMP\Procdump.zip" -DestinationPath "C:\procdump" -Force
+          New-Item -ItemType Directory -Force -Path "${{ github.workspace }}\node-report\dumps" | Out-Null
+          # -i installs procdump as the system JIT debugger.
+          # -ma writes a full memory dump.
+          # The dump path argument tells procdump where to write the dumps.
+          & "C:\procdump\procdump64.exe" -accepteula -i -ma "${{ github.workspace }}\node-report\dumps"
+          # Sanity: confirm the AeDebug registry key now points at procdump.
+          Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug" -ErrorAction SilentlyContinue | Format-List
+          Get-ItemProperty "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug" -ErrorAction SilentlyContinue | Format-List
       -
         name: Run the backend tests
         shell: bash
