perf(upgrade): use copy-then-mmap for zero JS heap during delta patching

The old file (running binary) cannot be mmap'd directly — Bun always opens
with O_RDWR, which fails on running executables (macOS: SIGKILL, Linux:
ETXTBSY). PR #343 fixed this with arrayBuffer() (~100 MB JS heap).

Improve: copy the old binary to a temp file first, then mmap the copy.
The copy is a regular file with no running process, so mmap succeeds and
the ~100 MB is kernel-managed (no GC pressure). On CoW-capable filesystems
(btrfs, xfs, APFS) the copy is a metadata-only reflink — near-instant
with zero extra disk I/O.

Falls back to arrayBuffer() if copy or mmap fails for any reason.

Author: BYK

src/lib/bspatch.ts

@@ -5,15 +5,20 @@
  * TRDIFF10 format (produced by zig-bsdiff with `--use-zstd`). Designed for
  * minimal memory usage during CLI self-upgrades:
  *
- * - Old binary: loaded via `Bun.file().arrayBuffer()` (~100 MB heap)
+ * - Old binary: copy-then-mmap for 0 JS heap (CoW on btrfs/xfs/APFS),
+ *   falling back to `arrayBuffer()` (~100 MB heap) if mmap fails
  * - Diff/extra blocks: streamed via `DecompressionStream('zstd')`
  * - Output: written incrementally to disk via `Bun.file().writer()`
  * - Integrity: SHA-256 computed inline via `Bun.CryptoHasher`
  *
- * Total heap usage: ~100 MB for old file + ~1-2 MB for streaming buffers.
- * `Bun.mmap()` is NOT usable here because the old file is the running binary:
- * - macOS: AMFI sends uncatchable SIGKILL (PROT_WRITE on signed Mach-O)
- * - Linux: ETXTBSY from `open()` with write flags on a running executable
+ * `Bun.mmap()` cannot target the running binary directly because it opens
+ * with PROT_WRITE/O_RDWR:
+ * - macOS: AMFI sends uncatchable SIGKILL (writable mapping on signed Mach-O)
+ * - Linux: ETXTBSY from `open()` (kernel blocks write-open on running ELF)
+ *
+ * The copy-then-mmap strategy sidesteps both: the copy is a regular file
+ * with no running process, so mmap succeeds. On CoW-capable filesystems
+ * (btrfs, xfs, APFS) the copy is near-instant with zero extra disk I/O.
  *
  * TRDIFF10 format (from zig-bsdiff):
  * ```
@@ -25,6 +30,10 @@
  * ```
  */
 
+import { copyFileSync, unlinkSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+
 /** TRDIFF10 header magic bytes */
 const TRDIFF10_MAGIC = "TRDIFF10";
 
@@ -210,12 +219,63 @@ function createZstdStreamReader(compressed: Uint8Array): BufferedStreamReader {
   );
 }
 
+/** Result of loading the old binary for patching */
+type OldFileHandle = {
+  /** Memory-mapped or in-memory view of the old binary */
+  data: Uint8Array;
+  /** Cleanup function to call after patching (removes temp copy, if any) */
+  cleanup: () => void;
+};
+
+/**
+ * Load the old binary for read access during patching.
+ *
+ * Strategy: copy to temp file, then mmap the copy. This avoids `Bun.mmap()`
+ * on the running binary (SIGKILL on macOS, ETXTBSY on Linux) while keeping
+ * zero JS heap — the kernel manages the mapped pages. On CoW filesystems
+ * (btrfs, xfs, APFS) the copy is a metadata-only reflink (near-instant).
+ *
+ * Falls back to `Bun.file().arrayBuffer()` (~100 MB heap) if the copy or
+ * mmap fails for any reason (permissions, disk space, unsupported FS).
+ */
+async function loadOldBinary(oldPath: string): Promise<OldFileHandle> {
+  const tempCopy = join(tmpdir(), `sentry-patch-old-${process.pid}`);
+  try {
+    copyFileSync(oldPath, tempCopy);
+    const data = Bun.mmap(tempCopy, { shared: false });
+    return {
+      data,
+      cleanup: () => {
+        try {
+          unlinkSync(tempCopy);
+        } catch {
+          // Best-effort cleanup — OS will reclaim on reboot
+        }
+      },
+    };
+  } catch {
+    // Copy or mmap failed — fall back to reading into JS heap
+    try {
+      unlinkSync(tempCopy);
+    } catch {
+      // May not exist if copyFileSync failed
+    }
+    return {
+      data: new Uint8Array(await Bun.file(oldPath).arrayBuffer()),
+      cleanup: () => {
+        // No temp file to clean up — data is in JS heap
+      },
+    };
+  }
+}
+
 /**
  * Apply a TRDIFF10 binary patch with streaming I/O for minimal memory usage.
  *
- * Reads the old file into memory via `Bun.file().arrayBuffer()`, then streams
- * diff/extra blocks (~16 KB buffers) via `DecompressionStream('zstd')`,
- * writes output via `Bun.file().writer()`, and computes SHA-256 inline.
+ * Copies the old file to a temp path and mmaps the copy (0 JS heap), falling
+ * back to `arrayBuffer()` if mmap fails. Streams diff/extra blocks via
+ * `DecompressionStream('zstd')`, writes output via `Bun.file().writer()`,
+ * and computes SHA-256 inline.
  *
  * @param oldPath - Path to the existing (old) binary file
  * @param patchData - Complete TRDIFF10 patch file contents
@@ -246,12 +306,10 @@ export async function applyPatch(
   );
   const extraReader = createZstdStreamReader(patchData.subarray(extraStart));
 
-  // Bun.mmap() is NOT usable for the old file during self-upgrades because
-  // it always opens with PROT_WRITE, and the old file is the running binary:
-  // - macOS: AMFI sends uncatchable SIGKILL on writable mapping of signed Mach-O
-  // - Linux: open() returns ETXTBSY when opening a running executable for write
-  // Reading into memory costs ~100 MB heap but avoids both platform restrictions.
-  const oldFile = new Uint8Array(await Bun.file(oldPath).arrayBuffer());
+  // Load old binary via copy-then-mmap (0 JS heap) or arrayBuffer fallback.
+  // See loadOldBinary() for why direct mmap of the running binary is impossible.
+  const { data: oldFile, cleanup: cleanupOldFile } =
+    await loadOldBinary(oldPath);
 
   // Streaming output: write directly to disk, no output buffer in memory
   const writer = Bun.file(destPath).writer();
@@ -300,7 +358,11 @@ export async function applyPatch(
       oldpos += seekBy;
     }
   } finally {
-    await writer.end();
+    try {
+      await writer.end();
+    } finally {
+      cleanupOldFile();
+    }
   }
 
   // Validate output size matches header