fix(desktop): clamp generation timeout to Node setTimeout int32 cap

hqhq1025 · hqhq1025 · commit e891e93415de · 2026-04-19T16:54:41.000+08:00
Node's setTimeout max delay is 2^31-1 ms (~24.8 days). Larger values
overflow and the timer fires immediately, aborting generation instantly
when the user picks a long timeout.

Clamp the millisecond value to TIMEOUT_MAX_MS before scheduling, and
reject NaN/Infinity/negative values up front with a CodesignError
('PREFERENCES_INVALID_TIMEOUT') instead of silently disabling the
timeout. A value of 0 still means 'disabled'.
diff --git a/apps/desktop/src/main/generation-ipc.test.ts b/apps/desktop/src/main/generation-ipc.test.ts
@@ -132,17 +132,53 @@ describe('armGenerationTimeout', () => {
     );
   });
 
-  it('returns a no-op for non-positive or non-finite timeout values', async () => {
+  it('treats 0 as disabled and does not arm a timeout', async () => {
     const controller = new AbortController();
     const logger = { warn: vi.fn() };
 
-    for (const value of [0, -1, Number.NaN, Number.POSITIVE_INFINITY]) {
-      const clear = await armGenerationTimeout('gen-1', controller, async () => value, logger);
-      vi.advanceTimersByTime(60_000);
-      clear();
-    }
+    const clear = await armGenerationTimeout('gen-1', controller, async () => 0, logger);
+    vi.advanceTimersByTime(60_000);
+    clear();
 
     expect(controller.signal.aborted).toBe(false);
     expect(logger.warn).not.toHaveBeenCalled();
   });
+
+  it('clamps very large timeout values to Node setTimeout int32 cap so the abort does not fire immediately', async () => {
+    const controller = new AbortController();
+    const logger = { warn: vi.fn() };
+    const setTimeoutSpy = vi.spyOn(globalThis, 'setTimeout');
+
+    const clear = await armGenerationTimeout('gen-1', controller, async () => 99_999_999, logger);
+
+    expect(setTimeoutSpy).toHaveBeenCalledTimes(1);
+    const delay = setTimeoutSpy.mock.calls[0]?.[1];
+    expect(delay).toBe(2_147_483_647);
+
+    vi.advanceTimersByTime(1);
+    expect(controller.signal.aborted).toBe(false);
+
+    setTimeoutSpy.mockRestore();
+    clear();
+  });
+
+  it('throws PREFERENCES_INVALID_TIMEOUT when the timeout value is NaN', async () => {
+    const controller = new AbortController();
+    const logger = { warn: vi.fn() };
+
+    await expect(
+      armGenerationTimeout('gen-1', controller, async () => Number.NaN, logger),
+    ).rejects.toMatchObject({ name: 'CodesignError', code: 'PREFERENCES_INVALID_TIMEOUT' });
+    expect(controller.signal.aborted).toBe(false);
+  });
+
+  it('throws PREFERENCES_INVALID_TIMEOUT when the timeout value is negative', async () => {
+    const controller = new AbortController();
+    const logger = { warn: vi.fn() };
+
+    await expect(
+      armGenerationTimeout('gen-1', controller, async () => -1, logger),
+    ).rejects.toMatchObject({ name: 'CodesignError', code: 'PREFERENCES_INVALID_TIMEOUT' });
+    expect(controller.signal.aborted).toBe(false);
+  });
 });
diff --git a/apps/desktop/src/main/generation-ipc.ts b/apps/desktop/src/main/generation-ipc.ts
@@ -34,6 +34,8 @@ export interface GenerationTimeoutLogger {
  * If the prefs read throws, the failure is surfaced (rethrown as
  * `PREFERENCES_READ_FAIL`) rather than silently dropping the timeout — an
  * unbounded LLM call is worse than a visible error the user can act on.
+ * NaN / Infinity / negative values likewise throw `PREFERENCES_INVALID_TIMEOUT`
+ * instead of silently disabling the timeout. A value of `0` means "disabled".
  */
 export async function armGenerationTimeout(
   id: string,
@@ -52,7 +54,19 @@ export async function armGenerationTimeout(
       'PREFERENCES_READ_FAIL',
     );
   }
-  if (!Number.isFinite(timeoutSec) || timeoutSec <= 0) return () => {};
+  if (!Number.isFinite(timeoutSec) || timeoutSec < 0) {
+    logger.warn('generate.timeout.invalid_value', { id, timeoutSec });
+    throw new CodesignError(
+      `Invalid generation timeout: ${String(timeoutSec)} (must be a non-negative finite number).`,
+      'PREFERENCES_INVALID_TIMEOUT',
+    );
+  }
+  if (timeoutSec === 0) return () => {};
+
+  // Node's setTimeout caps delay at int32 (~24.8 days). Larger values overflow
+  // and fire immediately, which would abort generation instantly.
+  const TIMEOUT_MAX_MS = 2_147_483_647;
+  const ms = Math.min(timeoutSec * 1000, TIMEOUT_MAX_MS);
 
   const handle = setTimeout(() => {
     logger.warn('generate.timeout.fired', { id, timeoutSec });
@@ -62,6 +76,6 @@ export async function armGenerationTimeout(
         'GENERATION_TIMEOUT',
       ),
     );
-  }, timeoutSec * 1000);
+  }, ms);
   return () => clearTimeout(handle);
 }
