You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Squashed the R16–R32 branch-isolated reviewer loop. Each round ran
six reviewers in parallel (allocators / containers / std-core /
sys+parsers / tests+bench+fuzz / cross-cutting) on private git
worktrees, then merged back into r16-base. Anti-skim framing from
R24 onward turned up convention drift the earlier rounds missed;
bug-hunt framing from R32 turned up real safety bugs.
Highlights of substantive code work folded in:
Stats accounting (R32-allocators)
- bytes_in_use was bumped by user-requested at alloc but drawn
down by the effective reservation (slot / page-rounded /
padded bump) at free. Every alloc+free pair under-counted by
the padding overhead; dealloc-side clamp-to-zero masked it.
Heap / Page / Arena / Slab / Budget all updated to track
effective bytes at alloc; XL mremap now adjusts by the page-
count delta on kernel-resize.
Parser safety (R32-sysparser)
- Dns: VecPushBackR failure now deinits the partially-built
DnsRecord instead of leaking name/target/rdata Strs.
- JSON: signed-overflow UB in JReadNumber's negate path (would
have fired on a future ZstrToI64 returning INT64_MIN).
- Pdb: three u32 wraps on attacker sizes (div_ceil_u32,
walk_publics cursor, load_section_table allocation).
- Pe: pe_decode_optional was writing u32 through a u64*,
tripping strict aliasing and yielding the wrong half on BE.
Std-core parser safety (R32-stdcore)
- read_chars_internal: OOB read on truncated `\xNN` input.
- ZstrProcessEscape: same shape on the quoted-string decoder
used by the JSON-style readers.
- ZstrToF64: signed-overflow UB in the exponent loop on
attacker-controlled digit count.
Container safety (R32-containers)
- StrToF64: signed-overflow UB in the exponent loop (mirrors
the Zstr fix above).
- list_sort: allocation-size overflow + downstream OOB memcpy
on long lists.
- remove_range_list / BitVecRemoveRange / BitVecContainsAt:
additive overflow in bounds checks.
- map_set_only: payload leak when the re-insert hit the probe
budget — temp_entry holds deep-copied keys/values that now
get key_copy_deinit / value_copy_deinit on failure.
Build-config bugs (R31 + R32 crosscut)
- meson.build evaluated `opt_map = ... or opt_alloc_debug`
before the `opt_alloc_debug = opt_alloc_debug and
opt_sys_backtrace` clip — so `map` could auto-enable from an
already-clipped `alloc_debug`. Same ordering bug bit
sys_dns vs parser_dns; both reordered.
- Tests/Dwarf.Stripped raced against objcopy via missing
meson `depends:`.
- Std/Log.c LogWrite FATAL path called CaptureStackTrace
unconditionally, breaking `-Dsys_backtrace=false`. Gated
and the Backtrace.h include moved behind the same flag.
Fuzz harness memory safety (R31 testsbench, ASan-confirmed)
- VecCharPtr push/insert/merge paths leaked the caller's
malloc'd Zstr (char_ptr_copy_init ZstrDup's into the vec's
allocator).
- VecCharPtr RESIZE-grow-fill assigned malloc'd ptrs directly
into Vec slots, leaving heap_allocator_deallocate to see a
foreign pointer on FuzzState teardown.
- VecStr VecInitClone double-freed: copy_init=NULL fell back
to MemCopy, aliasing Str.data between source and dest slots.
Convention sweeps (R16–R30, plus R24–R30 anti-skim)
- Public docs no longer name private snake_case backends or
private headers (os_page_*, test_abort_handler, prng_internal,
etc.).
- Libc vocabulary in comments, error messages, and design
prose reframed in in-tree vocabulary (strlen → ZstrLen,
memcpy → MemCopy, "libc strtoll" → in-tree, dropped "no
libc backtrace()" framing in Backtrace.h, etc.).
- SUCCESS/FAILURE doc blocks added to every public macro and
function that wasn't an exempt single-field accessor; Debug.h
alone had 6 missing.
- Container key types ship canonical `*_hash` (`const void *,
u32`) and `*_compare` (`const void *, const void *`) shapes;
added `bitvec_compare` to complete the set.
- Iter / StrIter direct-field reads converted to public
accessor macros across Parsers/* and Tests/Std/*.
- Cross-namespace `.data` / `.length` / `.allocator` reaches
replaced with the corresponding `*Begin` / `*Len` / `*Allocator`
macros; new accessors added where none existed (ElfBuf,
MachoBuf, BitVecAllocator, IntAllocator, FloatAllocator,
PeCodeView, PdbInfoStream, MachoUuid).
- `(void)0, ptr->field` lvalue-rejecting macro shape adopted
throughout the accessor surface; deleted the function-shaped
*GetAllocator getters.
- `_Generic` arms inlined at every site (no helper wrappers
that hide the dispatch); typed allocator entry points stop
taking `Allocator *` and casting.
- `BENCHMARK_FILTERS` doc and Heap.c's class-layout note
rewritten in present-tense; "what we used to do" history
narratives removed.
- 7 deadweight Graph alias-wrapper macros deleted; bodies
promoted to PascalCase first-class functions.
- Naked-asm SetJmp/LongJmp in Tests/Util/TestRunner.c — fixes
the STATUS_BAD_STACK on clang-cl + UCRT for deadend tests.
- Heap XL slot lookup rewritten from sorted-array + bsearch +
memmove to an open-addressed hash table; Heap XL realloc
grows in place via the Linux direct-syscall mremap path
with MREMAP_MAYMOVE.
- HeapAllocator stats moved onto `base.stats` so the typed and
dyn paths can't disagree; `Allocator` carries an inline
`footprint_bytes` counter updated by the internal page-map
shim.
- Stack-init API surface (`StrInitStack`, `VecInitStack`,
`BufInitStack`, …) carries the documented stack-init carve-out
from CODING-CONVENTIONS.md.
Bench harness
- Bench-Perf/ dropped; Benchmark/ already covers it.
- Bench tier split: heap_validate_full=true vs false reported
side-by-side so the safety overhead is visible.
- misra-arena reports n/a for backends that have no bulk
reset; the bench harness no longer pretends a per-pointer
free is a reset.
Tests: 104/104 on local Linux (Nix gcc 15.2), 99/99 on Mac SSH
(arm64 Apple clang). Full suite green under
`-Db_sanitize=address,undefined` as well. Bench refreshed in
Benchmark/README.md with 10 reps per backend.
0 commit comments