chore: pre-release maintenance — fix fuzz crash, update docs#272
Merged
chore: pre-release maintenance — fix fuzz crash, update docs#272
Conversation
- Fix persistent arithmetic_fuzz crash: reduce MAX_ARITHMETIC_DEPTH from 200 to 50 to prevent stack overflow on deeply nested/malformed arithmetic expressions (TM-DOS-026) - Fix threat ID mismatch: code comments cited TM-DOS-025 instead of TM-DOS-026 for arithmetic recursion guard - Update README.md builtin count from 85 to 100+ with newly added commands (pushd/popd/dirs, seq, tac, rev, yes, expr, mktemp, realpath, declare/typeset, let, getopts, trap, caller, shopt, etc.) - Update compatibility.md: move 12 builtins from "Not Implemented" to "Recently Added" section (ln, chown, kill, trap, type, which, command, hash, declare/typeset, let, getopts, caller, shopt, etc.) - Update CHANGELOG.md with 40+ unreleased changes since v0.1.6 - Update 009-implementation-status.md: correct builtin count to 109, remove stale strikethrough entries from "Not Yet Implemented" - Update threat model docs (spec + public) to reflect new depth limit Maintenance checklist results: - Dependencies: all up to date, no CVEs, cargo deny clean - Code quality: fmt and clippy clean - Tests: all pass (186 tests + 67 doc-tests + 14 failpoint tests) - Examples: all compile and run - Nightly CI: 1 ASan flake (non-persistent), fuzz crash fixed - Specs and agent config: verified current https://claude.ai/code/session_01Xeagj4mjdqSXKXKmdMk7Z2
ASan inflates stack frames ~10x, causing the 5s assertion to fail in nightly CI. Use 15s — still proves timeout works, accommodates sanitizer overhead. Fixes nightly.yml failure from 2026-02-25.
chaliy
force-pushed
the
claude/maintenance-pr-So774
branch
from
86d26f9 to
0e649e6
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
MAX_ARITHMETIC_DEPTHfrom 200 to 50, preventing stack overflow on deeply nested/malformed arithmetic expressions. Fuzz CI has been red for 6+ consecutive days due to this.TM-DOS-025(regex backtracking) instead ofTM-DOS-026(arithmetic recursion).threat_cpu_exhaustion_timeoutassertion from 5s to 15s — ASan overhead (~10x) caused the timing assertion to fail in nightly CI.Maintenance Checklist
cargo update(up to date),cargo audit(clean),cargo deny(clean)cargo fmt --checkandcargo clippycleanTest plan
cargo fmt --check— cleancargo clippy --all-targets --all-features -- -D warnings— cleancargo test --all-features— all passcargo test --test threat_model_tests— 93 passjust check-bash-compat— 899/899 matchcargo doc --all-features— no warnings