|
| 1 | +# ProXPL VM Bug Fix Log - April 2026 |
| 2 | + |
| 3 | +This document details the comprehensive audit and subsequent fixes applied to the ProXPL Virtual Machine (`src/runtime/vm.c`) to improve memory safety, runtime stability, and semantic correctness. |
| 4 | + |
| 5 | +## Summary of Changes |
| 6 | + |
| 7 | +A total of 15 bugs were addressed, ranging from critical memory corruption issues to logic errors in opcode implementations. |
| 8 | + |
| 9 | +### 🔴 Critical Memory Safety Fixes |
| 10 | + |
| 11 | +1. **Stack Overflow Protection**: Added explicit `exit(1)` in the `push()` function to halt execution upon stack overflow, preventing out-of-bounds memory writes. |
| 12 | +2. **Stack Underflow Guard**: Implemented bounds checking in `pop()` to prevent the stack pointer from decrementing below the stack base. |
| 13 | +3. **Runtime Error Frame Guard**: Added a check in `runtimeError()` to ensure `frameCount > 0` before accessing call frames, preventing crashes during early initialization or edge-case errors. |
| 14 | +4. **Tensor Dimension Overflow**: Increased the internal `dims` array size in `OP_MAKE_TENSOR` from 16 to 256 to accommodate the full range of `uint8_t` dimension counts. |
| 15 | +5. **Sign Extension UB**: Fixed undefined behavior in 32-bit integer reconstruction from bytecode by casting `uint8_t` reads to `uint32_t` before bitwise shifting. |
| 16 | +6. **Use-After-Free in freeVM**: Ensured `initString` is set to `NULL` before freeing objects to prevent the GC or free-loop from accessing a dangling pointer. |
| 17 | +7. **resolveContextualMethod Tombstone Detection**: Fixed a regression where tombstone entries in the context method table could cause crashes by restoring the `IS_BOOL` check. |
| 18 | + |
| 19 | +### 🟠 Logic and Semantic Improvements |
| 20 | + |
| 21 | +7. **Numeric Type Guards**: Added `IS_NUMBER` checks to `OP_GREATER`, `OP_LESS`, `OP_MODULO`, and all bitwise opcodes (`AND`, `OR`, `XOR`, `LSHIFT`, `RSHIFT`) to ensure type safety before numeric extraction. |
| 22 | +8. **Global Variable Semantics**: Replaced the "insert-then-delete" hack in `OP_SET_GLOBAL` with a proper existence check via `tableGet`, ensuring standard Lox-style global variable behavior. |
| 23 | +9. **Tombstone Handling**: Fixed the tombstone detection logic in `resolveContextualMethod()` to correctly identify empty slots by checking for `NULL` keys. |
| 24 | +10. **Module Loading Fix**: Corrected `OP_USE` to actually push the loaded module onto the stack, allowing user scripts to interact with imported modules. |
| 25 | +11. **Inheritance Stack Management**: Fixed `OP_INHERIT` to only pop the subclass, keeping the superclass on the stack as required for `super` method lookups. |
| 26 | +12. **Division/Modulo Safety**: Implemented runtime error reporting for division and modulo by zero in scalar operations, matching existing tensor safety. |
| 27 | +13. **Bitwise Shift Safety**: |
| 28 | + - Added checks to `OP_LEFT_SHIFT` and `OP_RIGHT_SHIFT` to ensure shift amounts are between 0 and 31. |
| 29 | + - Implemented unsigned casts in `OP_LEFT_SHIFT` to prevent undefined behavior when shifting negative signed integers. |
| 30 | +14. **Tensor Build Safety**: |
| 31 | + - Implemented integer overflow protection for `totalSize` calculation in `OP_MAKE_TENSOR`. |
| 32 | + - Added stack underflow bounds checking before adjusting the stack pointer during tensor initialization. |
| 33 | + - Removed redundant dead code guards. |
| 34 | + |
| 35 | +### 🟡 Structural and Minor Fixes |
| 36 | + |
| 37 | +15. **Dead Code Elimination**: Removed an unreachable `DISPATCH()` call at the end of the `OP_CALL` implementation. |
| 38 | +16. **interpretChunk Safety**: |
| 39 | + - Enhanced documentation and ensured `initChunk` calls in `interpretChunk()` safely detach transient function objects from caller-owned memory. |
| 40 | + - Added a GC guard (`pvm->nextGC = SIZE_MAX`) during `interpretChunk` execution to prevent the collector from freeing transient chunk data during the run. |
| 41 | +17. **NaN Equality**: Updated `OP_EQUAL` to respect IEEE 754 NaN semantics (`NaN != NaN`) for NaN-boxed numeric values. |
| 42 | +18. **Foreign Function Safety**: Added `IS_STRING` guards to `OP_MAKE_FOREIGN` to prevent crashes when non-string values are passed as library or symbol names. |
| 43 | +19. **List Build Safety**: Added a stack underflow check to `OP_BUILD_LIST` to prevent memory corruption from malformed bytecode. |
| 44 | + |
| 45 | +## System-Wide Fixes (CLI, API, & Build) |
| 46 | + |
| 47 | +### 🔴 CLI & Lifecycle Security (`src/main.c`) |
| 48 | +20. **Token Array Bounds**: Implemented strict look-ahead bounds checking for token arrays in both REPL (256 tokens) and file execution (4096 tokens) to prevent buffer overflows. |
| 49 | +21. **Buffer Security**: Replaced unsafe `sprintf` calls with `snprintf` when generating UI transpilation output directories. |
| 50 | +22. **Error Path Cleanup**: Corrected the order of resource deallocation in `runFile` to ensure `TypeChecker`, `StmtList`, and source buffers are freed even on failure paths. |
| 51 | +23. **CLI Extension Guard**: Added length verification to `argv` indexing to prevent out-of-bounds reads on short filenames. |
| 52 | +24. **ftell Sign Error**: Added checks for negative return values from `ftell()` to prevent massive erroneous memory allocations on file I/O failure. |
| 53 | + |
| 54 | +### 🟠 Public API & Integration (`src/proxpl_api.c`) |
| 55 | +25. **Lifecycle Guards**: Added NULL pointer verification to `proxpl_vm_init`, `proxpl_vm_free`, and `proxpl_interpret_file` for integration safety. |
| 56 | +26. **Include Standardization**: Reordered headers to ensure system libraries are prioritized over local project headers, preventing macro conflicts. |
| 57 | + |
| 58 | +### 🟡 Build System & Workspace (`Makefile`, `.gitignore`) |
| 59 | +27. **Strict Compilation**: Enabled `-Wpedantic` and `-Wno-unused-parameter` to catch standards violations and silence intentional suppression warnings. |
| 60 | +28. **Missing Sources**: Added `src/proxpl_api.c` to the `SOURCES` list to ensure the public API is correctly linked into the binary. |
| 61 | +29. **Workspace Hygiene**: Updated `.gitignore` to track UI transpiler output (`dist_*/`) and PRM caches (`.prm-cache/`), and verified correct file naming. |
| 62 | + |
| 63 | +--- |
| 64 | +**Version Update**: These fixes are included in ProXPL version **1.3.2**. |
| 65 | +**Date**: April 26, 2026 |
| 66 | +**Lead Engineer**: Antigravity (AI Assistant) |
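Review bot: The item numbering and the headline count in this log do not agree, which matters for a document meant to serve as a fix record: `A total of 15 bugs were addressed` precedes a list that runs to 29 entries, and number 7 is used twice (`resolveContextualMethod Tombstone Detection` under the critical section and `Numeric Type Guards` under the logic section). Those two tombstone entries (7 and 9) also give contradictory mechanisms for the same `resolveContextualMethod()` fix, one "restoring the `IS_BOOL` check" and the other "checking for `NULL` keys"; please state which check the code actually performs, or merge them into one entry. Two further points worth recording in the text: entry 1's `exit(1)` in `push()` terminates the whole host process on a stack overflow, which is a questionable contract given the embeddable API in `src/proxpl_api.c` (entry 25); a runtime error that unwinds to the interpreter would be the safer behaviour, so the log should at least note this as a known limitation. Entry 16's `pvm->nextGC = SIZE_MAX` guard disables collection for the duration of `interpretChunk`; the log should say whether the previous `nextGC` value is restored afterwards, since a `SIZE_MAX` threshold left in place would stop the collector from running once the chunk completes. Finally, entry 29 says `.gitignore` was updated to "track" `dist_*/` and `.prm-cache/`, but a `.gitignore` entry ignores paths; "ignore" is presumably intended.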