bazelbuild/bazel

Hermetic linux sandbox (and Bazel-initiated file changes) creates spurious hashing on rebuild

Open

#27226 opened on Oct 10, 2025

View on GitHub
 (24 comments) (0 reactions) (0 assignees)Java (25,384 stars) (4,465 forks)batch import
P3help wantedteam-Local-Exectype: bug

Description

Description of the bug:

If you build something locally with the hermetic linux sandbox, then build it again without changing anything, Bazel will re-hash all of the input files to the action before realizing there is nothing to do. This appears to be because hardlinking the inputs into the sandbox touches ctime without updating Bazel's cache of file information, thus making Bazel think the file might have changed.

The same thing happens with MODULE.bazel.lock, though that may be an actual content change. In general, it seems like if Bazel modifies a file, it should update its own filesystem cache to know that it did so.

Which category does this issue belong to?

Local Execution

What's the simplest, easiest way to reproduce this bug? Please provide a minimal example if possible.

Check out https://github.com/jkeljo/bazel-hermetic-sandbox-diffawareness-bug and follow the instructions in the README

Which operating system are you running Bazel on?

Ubuntu 20.04

What is the output of bazel info release?

release 8.4.2

If bazel info release returns development version or (@non-git), tell us how you built Bazel.

No response

What's the output of git remote get-url origin; git rev-parse HEAD ?

git@github.com:jkeljo/bazel-hermetic-sandbox-diffawareness-bug.git
748c41a99f05bbe659d127d6f6edf153649e70ae

If this is a regression, please try to identify the Bazel commit where the bug was introduced with bazelisk --bisect.

No response

Have you found anything relevant by searching the web?

No response

Any other information, logs, or outputs that you want to share?

No response

Contributor guide

Tech stack
java
Domain
build systemperformance
Issue type
bug
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
4
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
over 1 week
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
active
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
clear
Prerequisites
Understanding of Bazel build systemFamiliarity with Linux filesystem semanticsKnowledge of Java
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
15
Research direction
The issue describes spurious hashing due to the hermetic sandbox touching ctime. To start, examine the example repository at https://github.com/jkeljo/bazel hermetic sandbox diffawareness bug and follow the README. Look into Bazel's sandbox implementation, specifically how it handles hardlinking and filesystem cache. Relevant files include `src/main/java/com/google/devtools/build/lib/sandbox/` and `src/main/java/com/google/devtools/build/lib/actions/cache/`. The discussion suggests this is related to Bazel not updating its own cache after modifying files. Focus on the code that updates file metadata after an action writes outputs, and how the cache invalidation logic interacts with sandboxed inputs.