fix(fuzz): prevent abort on stack overflow and OOM

Author: dylan-sutton-chavez

compiler/src/bin/fuzz.rs

@@ -90,11 +90,13 @@ const BOUNDARIES: [i64; 13] = [
 
 fn boundary_int(rng: &mut Rng) -> i64 { BOUNDARIES[rng.usize_in(BOUNDARIES.len())] }
 
+/* 25% boundary values; rest are full-range random i64 */
 fn rand_int(rng: &mut Rng) -> String {
     if rng.usize_in(4) == 0 { boundary_int(rng).to_string() }
     else { (rng.next() as i64).to_string() }
 }
 
+/* Picks one of ten mutation strategies at uniform random */
 fn mutate(src: &str, corpus: &[String], rng: &mut Rng) -> String {
     match rng.usize_in(10) {
         0 => byte_flip(src, rng),
@@ -119,12 +121,14 @@ fn byte_flip(src: &str, rng: &mut Rng) -> String {
     String::from_utf8_lossy(&bytes).into_owned()
 }
 
+/* Splits into lines, applies f in place, rejoins; shared by drop/duplicate */
 fn with_lines(src: &str, f: impl FnOnce(&mut Vec<&str>)) -> String {
     let mut lines: Vec<&str> = src.lines().collect();
     f(&mut lines);
     lines.join("\n")
 }
 
+/* Injects a keyword snippet at a random line; exercises keywords in unexpected positions */
 fn insert_keyword(src: &str, rng: &mut Rng) -> String {
     let kw = rand_keyword(rng);
     let name = rand_name(rng);
@@ -153,6 +157,7 @@ fn duplicate_line(src: &str, rng: &mut Rng) -> String {
     with_lines(src, |lines| { let idx = rng.usize_in(lines.len()); lines.insert(idx, lines[idx]); })
 }
 
+/* Cross-seeds two corpus entries to produce novel program shapes */
 fn splice(src: &str, corpus: &[String], rng: &mut Rng) -> String {
     if corpus.is_empty() { return src.to_string(); }
     let other = &corpus[rng.usize_in(corpus.len())];
@@ -165,6 +170,7 @@ fn splice(src: &str, corpus: &[String], rng: &mut Rng) -> String {
     out.join("\n")
 }
 
+/* Replaces the first numeric literal with a NaN-box boundary value */
 fn inject_boundary(src: &str, rng: &mut Rng) -> String {
     let boundary = boundary_int(rng).to_string();
     let bytes = src.as_bytes();
@@ -220,6 +226,7 @@ fn indent_bomb(rng: &mut Rng) -> String {
     out
 }
 
+/* Injects a comment line to exercise lexer comment skipping */
 fn add_comment(src: &str, rng: &mut Rng) -> String {
     let comment = format!("# {}", rand_int(rng));
     let mut lines: Vec<&str> = src.lines().collect();
@@ -278,10 +285,11 @@ impl Perf {
 
 enum Outcome { Crash, ParseErr, VmErr, Timeout, Clean(u128, Duration, Duration, Duration) }
 
+/* Runs lex→parse→VM in an isolated thread; catches panics and enforces VM_TIMEOUT */
 fn run_once(src: &str) -> Outcome {
     let src = if src.len() > MAX_LEN { src[..MAX_LEN].to_string() } else { src.to_string() };
     let (tx, rx) = mpsc::channel();
-    thread::spawn(move || {
+    thread::Builder::new().stack_size(8 * 1024 * 1024).spawn(move || {
         let outcome = match panic::catch_unwind(panic::AssertUnwindSafe(|| {
             let t0 = Instant::now();
             let (tokens, _) = lex(&src);
@@ -309,6 +317,7 @@ fn run_once(src: &str) -> Outcome {
     rx.recv_timeout(VM_TIMEOUT).unwrap_or(Outcome::Timeout)
 }
 
+/* Coverage-guided seed pool; retains inputs that reach new opcodes */
 struct Corpus { entries: Vec<String>, seen: u128 }
 
 impl Corpus {
@@ -324,6 +333,7 @@ impl Corpus {
     }
 }
 
+/* Run counters and start time for the periodic progress display */
 struct Stats { iters: u64, crashes: u64, adds: u64, timeouts: u64, start: Instant }
 
 impl Stats {

compiler/src/modules/parser/mod.rs

@@ -61,6 +61,7 @@ pub struct Parser<'src, I: Iterator<Item = Token>> {
     // `true=for` (PopIter on break), false=while; parallels loop_starts/loop_breaks.
     pub(super) loop_kinds: Vec<bool>,
     pub(super) expr_depth: usize,
+    pub(super) block_depth: usize,
     pub(super) saw_newline: bool,
     /* True inside f-string brace expr; disables `=` assignment so `f"{x=}"` parses as debug form. */
     pub(super) in_fstring_expr: bool,
@@ -459,6 +460,7 @@ impl<'src, I: Iterator<Item = Token>> Parser<'src, I> {
             saw_newline: false,
             in_fstring_expr: false,
             expr_depth: 0,
+            block_depth: 0,
             last_line: 0,
             last_end: 0,
             bracket_stack: Vec::new(),

compiler/src/modules/parser/stmt.rs

@@ -1,7 +1,7 @@
 use crate::s;
 
 use super::Parser;
-use super::types::OpCode;
+use super::types::{OpCode, MAX_BLOCK_DEPTH};
 
 use crate::modules::lexer::{Token, TokenType};
 
@@ -331,6 +331,15 @@ impl<'src, I: Iterator<Item = Token>> Parser<'src, I> {
 
     /* Compiles Indent/Dedent block; is_body=true stops after ReturnValue to skip dead code. */
     fn compile_block_inner(&mut self, is_body: bool) {
+        if self.block_depth >= MAX_BLOCK_DEPTH {
+            self.errors.push(crate::modules::parser::types::Diagnostic {
+                msg: crate::s!("nesting too deep"),
+                start: self.tokens.peek().map_or(0, |t| t.start),
+                end: self.tokens.peek().map_or(0, |t| t.end),
+            });
+            return;
+        }
+        self.block_depth += 1;
         let indented = self.eat_if(TokenType::Indent);
         loop {
             while self.eat_if(TokenType::Semi) {}
@@ -349,6 +358,7 @@ impl<'src, I: Iterator<Item = Token>> Parser<'src, I> {
                 if just_returned || !matches!(self.peek(), Some(TokenType::Semi)) { break; }
             } else if !matches!(self.peek(), Some(TokenType::Semi)) { break; }
         }
+        self.block_depth -= 1;
     }
 
     /* Name-led statement: assign, augmented-op, attr, index, call, or tuple unpack. */

compiler/src/modules/parser/types.rs

@@ -5,6 +5,7 @@ use crate::modules::vm::types::ExternFn;
 use alloc::{string::{String, ToString}, vec, vec::Vec};
 
 pub(crate) const MAX_EXPR_DEPTH: usize = 200;
+pub(crate) const MAX_BLOCK_DEPTH: usize = 80;
 pub(crate) const MAX_INSTRUCTIONS: usize = 65_535;
 
 #[derive(Debug, Clone, Copy, PartialEq)]

compiler/src/modules/vm/handlers/builtin_methods/string.rs

@@ -235,7 +235,7 @@ pub fn rpartition(vm: &mut VM, recv: Val, pos: &[Val]) -> Result<(), VmErr> {
 pub fn center(vm: &mut VM, recv: Val, pos: &[Val]) -> Result<(), VmErr> {
     let s = recv_str(vm, recv)?;
     if !pos[0].is_int() { return Err(cold_type("center() width must be an integer")); }
-    let width = pos[0].as_int() as usize;
+    let width = pos[0].as_int().clamp(0, 1 << 20) as usize;
     let fill = if pos.len() > 1 {
         val_to_str(vm, pos[1])?.chars().next().unwrap_or(' ')
     } else { ' ' };
@@ -251,7 +251,7 @@ pub fn center(vm: &mut VM, recv: Val, pos: &[Val]) -> Result<(), VmErr> {
 pub fn zfill(vm: &mut VM, recv: Val, pos: &[Val]) -> Result<(), VmErr> {
     if !pos[0].is_int() { return Err(cold_type("zfill() requires an integer argument")); }
     let s = recv_str(vm, recv)?;
-    let width = pos[0].as_int() as usize;
+    let width = pos[0].as_int().clamp(0, 1 << 20) as usize;
     let nchars = s.chars().count();
     let out = if nchars >= width {
         s