add stack overflow guards

Author: Asmod4n

README.md

@@ -19,9 +19,45 @@
 | **Streaming** | `CBOR.stream` for CBOR sequence reading |
 | **Performance** | ~30% faster than msgpack; 1.3–3× faster than simdjson for selective access |
 
-### ⚠️ Limitations
+### ⚠️ Limitations & Design Decisions
 
-- No indefinite-length item support (RFC 8949 Section 4.2.1)
+| Limitation | Reason |
+|-----------|--------|
+| No indefinite-length items | Use CBOR.stream mode instead. |
+
+**Determinism Guarantees:**
+- Encoding is deterministic *within a single mruby build*
+- Hash field order follows insertion order (per mruby hash impl)
+- Float width (16/32/64) is compile-time fixed via `MRB_USE_FLOAT32`
+- Symbol encoding strategy is global; don't mix `no_symbols` / `symbols_as_string` / `symbols_as_uint32` in the same program
+- **Not deterministic across builds** if you rebuild mruby with different CFLAGS or config
+
+**Recursion Depth Limits:**
+Default `CBOR_MAX_DEPTH` depends on mruby profile:
+- `MRB_PROFILE_MAIN` / `MRB_PROFILE_HIGH`: 512
+- `MRB_PROFILE_BASELINE`: 64
+- Constrained / other: 32
+
+Exceeding this raises `RuntimeError: "CBOR nesting depth exceeded"`. Override by setting `CBOR_MAX_DEPTH` at compile time.
+
+---
+
+## 📊 Performance Notes
+
+- **Encoding:** ~30% faster than msgpack (SBO + incremental writes)
+- **Lazy decoding:** 1.3–3× faster than simdjson for selective access
+- **Shared refs:** Tags 28/29 deduplication is O(1) amortized
+- **Float encoding:** No overhead; width selection happens once per value at encode time
+
+**When to use lazy decoding:**
+- Decoding large payloads where you only access a subset of fields
+- Streaming/telemetry where you care about specific fields
+- Network protocols where you validate before deserializing
+
+**When to use eager decoding:**
+- Small payloads
+- You need the full object in memory instantly
+- Simplicity over optimization
 
 ---
 
@@ -47,7 +83,7 @@ lazy["hello"][1].value  # => 2 (constant-time after first access)
 
 ### CBOR::Lazy – On-Demand Access
 
-`decode_lazy` returns a `CBOR::Lazy` object wrapping the raw buffer **without decoding**. Navigate with `[]` or `dig`, then call `.value` when you need the actual value.
+`decode_lazy` returns a `CBOR::Lazy` object wrapping the raw buffer **without decoding the value**. Navigate with `[]` or `dig`, then call `.value` when you need the actual value.
 ```ruby
 lazy = CBOR.decode_lazy(big_payload)
 
@@ -159,21 +195,41 @@ Convenience Types:
 ### Symbol Handling
 
 Three strategies for encoding Ruby symbols:
+
 ```ruby
-# 1. Default: convert to strings (no tag)
+# 1. Default: strip symbols (no tag, no round-trip)
 CBOR.no_symbols
+sym = :hello
+encoded = CBOR.encode(sym)  # Encodes as plain string "hello"
+decoded = CBOR.decode(encoded)  # => "hello" (not a symbol!)
 
-# 2. Use tag 39 + string
+# 2. Use tag 39 + string (RFC 8949, interoperable)
 CBOR.symbols_as_string
+sym = :hello
+encoded = CBOR.encode(sym)
+decoded = CBOR.decode(encoded)  # => :hello (symbol preserved)
 
-# 3. Use tag 39 + uint32 (mruby-to-mruby only)
+# 3. Use tag 39 + uint32 (mruby presym only, fastest)
 CBOR.symbols_as_uint32
 sym = :hello
 encoded = CBOR.encode(sym)
-decoded = CBOR.decode(encoded)  # => :hello
+decoded = CBOR.decode(encoded)  # => :hello (symbol preserved, same mruby only)
 ```
 
-> **⚠️ Warning:** `symbols_as_uint32` is mruby instance–specific. Only use it when both encoder and decoder run on the same mruby executable and when all symbols are interned at compile time, see https://github.com/mruby/mruby/blob/master/doc/guides/symbol.md#preallocate-symbols
+**Mode Comparison:**
+
+| Mode | Encoding | Interop | Round-trip | Speed |
+|------|----------|---------|-----------|-------|
+| `no_symbols` | Plain string | ✅ All | ❌ No | Fast |
+| `symbols_as_string` | Tag 39 + string | ✅ All | ✅ Yes | Good |
+| `symbols_as_uint32` | Tag 39 + uint32 | ❌ mruby only | ✅ Yes | Fastest |
+
+> **⚠️ Warning:** `symbols_as_uint32` requires:
+> - **Same mruby build** — encoder and decoder must use the same mruby executable (same `libmruby.a`)
+> - **Compile-time symbols** — all symbols must be interned at build time (see [presym docs](https://github.com/mruby/mruby/blob/master/doc/guides/symbol.md#preallocate-symbols))
+> - **No runtime symbol creation** — decoding fails if the symbol ID doesn't exist in the decoder's presym table
+>
+> Use only for internal mruby-to-mruby IPC on the same build. For external/user data, use `symbols_as_string`.
 
 ---
 
@@ -208,6 +264,20 @@ rake test
 
 ---
 
+## ⚠️ Error Handling
+
+| Error | When | Example |
+|-------|------|---------|
+| `ArgumentError` | Invalid encode options | `CBOR.encode(obj, bad_option: true)` |
+| `RangeError` | Integer out of bounds | Encoding a Bigint larger than uint64 |
+| `RuntimeError` | Nesting depth exceeded | Deeply nested structures beyond `CBOR_MAX_DEPTH` |
+| `RuntimeError` | Truncated/invalid CBOR | `CBOR.decode(incomplete_buffer)` |
+| `TypeError` | Type mismatch in registered tags | Field marked as String gets an Array |
+| `KeyError` | Lazy access to missing key | `lazy["nonexistent"]` (use `.dig` to get nil instead) |
+| `NotImplementedError` | Presym on non-presym mruby | `CBOR.symbols_as_uint32` on build without presym |
+
+---
+
 ## 🔗 Specification
 
 - **CBOR (RFC 8949):** https://tools.ietf.org/html/rfc8949
@@ -217,4 +287,4 @@ rake test
 
 ## 📄 License
 
-Apache License 2.0
+Apache License 2.0

src/mrb_cbor.c

@@ -101,6 +101,9 @@ typedef struct {
      mrb_undef_value() = disabled
      mrb_hash         = obj -> share_idx mapping */
   mrb_value seen;
+
+  /* Recursion depth counter to prevent stack overflow */
+  mrb_int depth;
 } CborWriter;
 
 /* Forward declarations */
@@ -816,6 +819,7 @@ cbor_writer_init(CborWriter *w, mrb_state *mrb)
   w->arena_index = mrb_gc_arena_save(mrb);
 
   w->seen       = mrb_undef_value();
+  w->depth      = 0;
 }
 
 static size_t next_pow2(size_t x)
@@ -1253,8 +1257,16 @@ static void
 encode_value(CborWriter* w, mrb_value obj)
 {
   mrb_state* mrb = w->mrb;
+
+  if (likely(w->depth < CBOR_MAX_DEPTH)) {
+    w->depth++;
+  } else {
+    mrb_raise(mrb, E_RUNTIME_ERROR, "CBOR nesting depth exceeded");
+  }
+
   if (!mrb_undef_p(w->seen)) {
       if (!mrb_immediate_p(obj) && encode_check_shared(w, obj)) {
+          w->depth--;
           return;
       }
   }
@@ -1309,6 +1321,8 @@ encode_value(CborWriter* w, mrb_value obj)
       }
     } break;
   }
+
+  w->depth--;
 }
 
 
@@ -1472,6 +1486,45 @@ mrb_cbor_register_tag(mrb_state *mrb, mrb_value self)
 
 static void encode_value(CborWriter *w, mrb_value obj); /* forward */
 
+/* Map Ruby type to CBOR major type for schema validation */
+static uint8_t
+cbor_type_major(mrb_state *mrb, mrb_value val)
+{
+  switch (mrb_type(val)) {
+    case MRB_TT_INTEGER:
+      return mrb_integer(val) >= 0 ? 0 : 1;
+    case MRB_TT_STRING:
+      return mrb_str_is_utf8(val) ? 3 : 2;
+    case MRB_TT_ARRAY:
+      return 4;
+    case MRB_TT_HASH:
+      return 5;
+    case MRB_TT_FALSE:
+    case MRB_TT_TRUE:
+#ifndef MRB_NO_FLOAT
+    case MRB_TT_FLOAT:
+#endif
+      return 7;
+#ifdef MRB_USE_BIGINT
+    case MRB_TT_BIGINT:
+      if (mrb_bint_size(mrb, val) <= 8) {
+        return mrb_bint_sign(mrb, val) >= 0 ? 0 : 6;
+      }
+      return 6;
+#endif
+    case MRB_TT_SYMBOL: {
+      mrb_value mode = cbor_sym_strategy(mrb);
+      if (mrb_cmp(mrb, mode, mrb_fixnum_value(2)) == 0) {
+        return 6;
+      }
+      mrb_value str = mrb_sym2str(mrb, mrb_symbol(val));
+      return mrb_str_is_utf8(str) ? 3 : 2;
+    }
+    default:
+      return 6;
+  }
+}
+
 typedef struct {
   CborWriter *w;
   mrb_value   obj;
@@ -1490,66 +1543,21 @@ encode_registered_tag_foreach(mrb_state *mrb, mrb_value sym, mrb_value mask, voi
 
   mrb_value val = mrb_iv_get(mrb, obj, mrb_symbol(sym));
 
-  if (mrb_integer_p(mask)) {
-    /* actual_major is an internal bitmask index, not a CBOR value — uint8_t is correct here */
-    uint8_t actual_major = 6;
-
-    switch (mrb_type(val)) {
-      case MRB_TT_INTEGER: {
-        mrb_int i = mrb_integer(val);
-        actual_major = (i >= 0) ? 0 : 1;
-        break;
-      }
-      case MRB_TT_STRING: {
-        actual_major = mrb_str_is_utf8(val) ? 3 : 2;
-        break;
-      }
-      case MRB_TT_ARRAY:
-        actual_major = 4;
-        break;
-      case MRB_TT_HASH:
-        actual_major = 5;
-        break;
-      case MRB_TT_FALSE:
-      case MRB_TT_TRUE:
-#ifndef MRB_NO_FLOAT
-      case MRB_TT_FLOAT:
-#endif
-        actual_major = 7;
-        break;
-#ifdef MRB_USE_BIGINT
-      case MRB_TT_BIGINT:
-        if (mrb_bint_size(mrb, val) <= 8) {
-          actual_major = (mrb_bint_sign(mrb, val) >= 0) ? 0 : 1;
-        } else {
-          actual_major = 6;
-        }
-        break;
-#endif
-      case MRB_TT_SYMBOL: {
-        mrb_value mode = cbor_sym_strategy(mrb);
-        if (mrb_cmp(mrb, mode, mrb_fixnum_value(2)) == 0) {
-          actual_major = 6;
-        } else {
-          mrb_value str = mrb_sym2str(mrb, mrb_symbol(val));
-          actual_major = mrb_str_is_utf8(str) ? 3 : 2;
-        }
-        break;
-      }
-      default:
-        actual_major = 6;
-    }
-
+  if (likely(mrb_integer_p(mask))) {
+    uint8_t actual_major = cbor_type_major(mrb, val);
     mrb_int allowed = mrb_integer(mask);
-    if (unlikely(!((allowed >> actual_major) & 1))) {
+    if (likely(((allowed >> actual_major) & 1))) {
+      encode_len(w, 3, (uint64_t)slen);
+      cbor_writer_write(w, (const uint8_t*)sname, (size_t)slen);
+      encode_value(w, val);
+    } else {
       mrb_raisef(mrb, E_TYPE_ERROR,
         "CBOR tag field type mismatch for ivar %v", sym);
     }
+  } else {
+    mrb_raise(mrb, E_TYPE_ERROR, "mask is not a Integer");
   }
 
-  encode_len(w, 3, (uint64_t)slen);
-  cbor_writer_write(w, (const uint8_t*)sname, (size_t)slen);
-  encode_value(w, val);
   return 0;
 }
 
@@ -1594,65 +1602,21 @@ decode_registered_tag_foreach(mrb_state *mrb, mrb_value sym, mrb_value mask, voi
   mrb_value map_key = mrb_str_new_static(mrb, sname, slen);
   mrb_value val = mrb_hash_fetch(mrb, ctx->payload, map_key, mrb_undef_value());
 
-  if (!mrb_undef_p(val) && mrb_integer_p(mask)) {
-    uint8_t actual_major = 6;
-
-    switch (mrb_type(val)) {
-      case MRB_TT_INTEGER: {
-        mrb_int i = mrb_integer(val);
-        actual_major = (i >= 0) ? 0 : 1;
-        break;
-      }
-      case MRB_TT_STRING: {
-        actual_major = mrb_str_is_utf8(val) ? 3 : 2;
-        break;
-      }
-      case MRB_TT_ARRAY:
-        actual_major = 4;
-        break;
-      case MRB_TT_HASH:
-        actual_major = 5;
-        break;
-      case MRB_TT_FALSE:
-      case MRB_TT_TRUE:
-#ifndef MRB_NO_FLOAT
-      case MRB_TT_FLOAT:
-#endif
-        actual_major = 7;
-        break;
-#ifdef MRB_USE_BIGINT
-      case MRB_TT_BIGINT:
-        if (mrb_bint_size(mrb, val) <= 8) {
-          actual_major = (mrb_bint_sign(mrb, val) >= 0) ? 0 : 1;
-        } else {
-          actual_major = 6;
-        }
-        break;
-#endif
-      case MRB_TT_SYMBOL: {
-        mrb_value mode = cbor_sym_strategy(mrb);
-        if (mrb_cmp(mrb, mode, mrb_fixnum_value(2)) == 0) {
-          actual_major = 6;
-        } else {
-          mrb_value str = mrb_sym2str(mrb, mrb_symbol(val));
-          actual_major = mrb_str_is_utf8(str) ? 3 : 2;
-        }
-        break;
+  if (!mrb_undef_p(val)) {
+    if (likely(mrb_integer_p(mask))) {
+      uint8_t actual_major = cbor_type_major(mrb, val);
+      mrb_int allowed = mrb_integer(mask);
+      if (likely(((allowed >> actual_major) & 1))) {
+        mrb_iv_set(mrb, ctx->obj, mrb_symbol(sym), val);
+      } else {
+        mrb_raisef(mrb, E_TYPE_ERROR,
+          "CBOR tag field type mismatch for ivar %v", sym);
       }
-      default:
-        actual_major = 6;
-    }
-
-    mrb_int allowed = mrb_integer(mask);
-    if (unlikely(!((allowed >> actual_major) & 1))) {
-      mrb_raisef(mrb, E_TYPE_ERROR,
-        "CBOR tag field type mismatch for ivar %v", sym);
+    } else {
+      mrb_raise(mrb, E_TYPE_ERROR, "mask is not a Integer");
     }
   }
 
-  mrb_iv_set(mrb, ctx->obj, mrb_symbol(sym),
-             mrb_undef_p(val) ? mrb_nil_value() : val);
-
   return 0;
 }