Add runtime-available interface bitmap; behavioral-correctness fixes #76

Merged
pavel-kirienko merged 2 commits into main from fix/behavioral-review-findings
Jul 2, 2026
Conversation

@pavel-kirienko pavel-kirienko (Member) commented Jul 2, 2026
1. Runtime-available interface bitmap (breaking API change)

udpard_tx_t gains iface_bitmap — a runtime-mutable subset of UDPARD_IFACE_BITMAP_ALL naming the interfaces that exist locally — and udpard_tx_new() gains a matching parameter. Every push intersects the requested iface set with it, so transfer replicas are no longer enqueued for interfaces the application cannot drain (previously they sat queued until they expired). Passing UDPARD_IFACE_BITMAP_ALL is now correct regardless of interface count; 0 means listen-only. Init rejects a bitmap with bits beyond UDPARD_IFACE_BITMAP_ALL.

Tests: test_tx_iface_available_mask, test_tx_listen_only, test_tx_iface_bitmap_extra_bits, plus init-validation cases; all 22 udpard_tx_new call sites updated.

2. Behavioral-correctness fixes (review findings)

| Area | Fix |
| --- | --- |
| TX use-after-free | udpard_tx_free() asserts enqueued_frames_count == 0; datagram refs from udpard_tx_refcount_inc() must be released first. |
| RX use-after-free | rx_session_eject() destroys the reassembly slot before on_message(), so a re-entrant push cannot free the in-flight slot. |
| Queue accounting | tx_queue_vacancy() guards the limit - count subtraction against underflow when the limit is lowered below the in-flight count. |
| NULL robustness | udpard_rx_poll() gains a self != NULL guard. |
| Misc | header_serialize() uses UDPARD_ASSERT(); doc fixes (head-only payload validation, inverted now/deadline). |

Regression tests: test_rx_reentrant_push_in_callback, test_tx_queue_limit_lowered_below_count, udpard_rx_poll(NULL, …) guard.

Verification

Full suite green across x32/x64 × C99/C11 (Debug, assertions on); static-analysis (clang-tidy, warnings-as-errors) and clang-format clean.

Warning

Breaking: udpard_tx_new() takes a new iface_bitmap argument, and udpard_tx_free() now requires all udpard_tx_refcount_inc() datagram references to be released before the pipeline is discarded.

🤖 Generated with Claude Code
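The two TX-side behaviours described in the PR body (intersecting the requested interface set with the locally available bitmap, and guarding the queue-vacancy subtraction against size_t underflow) in a small self-contained C model. This is an added illustration, not libudpard's code: the type `tx_t`, the functions `tx_new`/`tx_push`/`tx_queue_vacancy`, the three-interface `IFACE_COUNT_MAX`, and the atomic accept-or-reject push are all assumptions of the example, not the library's API.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the TX changes; names and sizes are assumptions, not libudpard's. */
#define IFACE_COUNT_MAX  3U
#define IFACE_BITMAP_ALL ((1U << IFACE_COUNT_MAX) - 1U) /* 0b111: every interface the build supports */

typedef struct
{
    uint32_t iface_bitmap;          /* runtime-mutable subset of IFACE_BITMAP_ALL; 0 = listen-only */
    size_t   enqueued_frames_limit; /* may be lowered at runtime, even below the in-flight count */
    size_t   enqueued_frames_count; /* frames currently queued and not yet popped by the app */
} tx_t;

/* Init. Rejects a bitmap naming interfaces that cannot exist (bits beyond IFACE_BITMAP_ALL). */
bool tx_new(tx_t* const self, const uint32_t iface_bitmap, const size_t frames_limit)
{
    if ((self == NULL) || ((iface_bitmap & ~IFACE_BITMAP_ALL) != 0U))
    {
        return false;
    }
    (void) memset(self, 0, sizeof(*self));
    self->iface_bitmap          = iface_bitmap;
    self->enqueued_frames_limit = frames_limit;
    return true;
}

/* Vacancy with the underflow guard: a naive `limit - count` wraps to SIZE_MAX once the
 * limit has been lowered below the in-flight count, which would admit unbounded frames. */
size_t tx_queue_vacancy(const tx_t* const self)
{
    return (self->enqueued_frames_count >= self->enqueued_frames_limit)
               ? 0U
               : (self->enqueued_frames_limit - self->enqueued_frames_count);
}

static uint32_t popcount(uint32_t x)
{
    uint32_t n = 0U;
    for (; x != 0U; x &= x - 1U) { n++; }
    return n;
}

/* Push one transfer of `frames_per_replica` frames, replicated over the requested interfaces
 * that are also locally available. Returns the bitmap of interfaces actually enqueued for.
 * The whole push is accepted or rejected atomically (an assumption of this model). */
uint32_t tx_push(tx_t* const self, const uint32_t requested_ifaces, const size_t frames_per_replica)
{
    const uint32_t targets = requested_ifaces & self->iface_bitmap; /* never queue replicas nobody can drain */
    const size_t   needed  = (size_t) popcount(targets) * frames_per_replica;
    if ((targets == 0U) || (tx_queue_vacancy(self) < needed))
    {
        return 0U;
    }
    self->enqueued_frames_count += needed;
    return targets;
}

/* Worked scenarios; each returns what a caller would observe. */
bool scenario_init_rejects_extra_bits(void)
{
    tx_t t;
    return !tx_new(&t, IFACE_BITMAP_ALL | (1U << IFACE_COUNT_MAX), 10U);
}

uint32_t scenario_push_intersects_with_available(void)
{
    tx_t t;
    (void) tx_new(&t, 1U << 0, 10U);          /* only interface 0 exists on this node */
    return tx_push(&t, IFACE_BITMAP_ALL, 3U); /* 0x1: replicas for 1 and 2 are never enqueued */
}

uint32_t scenario_listen_only(void)
{
    tx_t t;
    (void) tx_new(&t, 0U, 10U);               /* 0 = listen-only */
    return tx_push(&t, IFACE_BITMAP_ALL, 3U); /* 0: nothing is queued */
}

size_t scenario_vacancy_after_limit_lowered(void)
{
    tx_t t;
    (void) tx_new(&t, IFACE_BITMAP_ALL, 10U);
    (void) tx_push(&t, IFACE_BITMAP_ALL, 2U); /* 3 replicas x 2 frames = 6 in flight */
    t.enqueued_frames_limit = 1U;             /* lowered below the in-flight count */
    return tx_queue_vacancy(&t);              /* 0, not SIZE_MAX */
}

int main(void)
{
    printf("extra bits rejected: %d\n", (int) scenario_init_rejects_extra_bits());
    printf("enqueued ifaces:     0x%x\n", (unsigned) scenario_push_intersects_with_available());
    printf("listen-only ifaces:  0x%x\n", (unsigned) scenario_listen_only());
    printf("vacancy after lower: %zu\n", scenario_vacancy_after_limit_lowered());
    return 0;
}
```

The last scenario is the one worth keeping in mind when reviewing similar queue code: lowering a limit below the current occupancy is a legitimate runtime operation, and an unsigned `limit - count` at that moment silently turns the limit off instead of closing the queue.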

pavel-kirienko and others added 2 commits July 2, 2026 19:24
Address seven findings from a correctness review of the transport core:

- tx_free: assert no datagram references remain outstanding, and document
  that references retained via udpard_tx_refcount_inc() must be released
  before discarding the instance (prevents a use-after-free of the pipeline).
- rx_session_eject: destroy the reassembly slot before invoking on_message()
  so a re-entrant udpard_rx_port_push() cannot evict and free the delivered
  payload (application-facing use-after-free).
- tx_ensure_queue_space: guard the queue-vacancy subtraction against size_t
  underflow when enqueued_frames_limit is lowered below the in-flight count.
- udpard_rx_poll: add a NULL self guard, mirroring udpard_tx_poll.
- header_serialize: use UDPARD_ASSERT instead of raw assert().
- Document that only the head of a scattered TX payload is validated.
- Fix the inverted now/deadline relation in the ejection doc comment.

Add regression tests for the reassembly-reentrancy UAF and the queue-limit
underflow, and a NULL-poll guard check; update test_tx_refcount_retention to
release retained frames before udpard_tx_free().

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Add udpard_tx_t.iface_bitmap, a runtime-mutable subset of UDPARD_IFACE_BITMAP_ALL naming the locally available interfaces; udpard_tx_new() gains a matching parameter (breaking change). Each push intersects the requested iface set with it, so transfer replicas are no longer enqueued for interfaces the application cannot drain (where they previously expired silently). Zero means listen-only.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@pavel-kirienko pavel-kirienko changed the title Fix behavioral-correctness findings from library review Add runtime-available interface bitmap; behavioral-correctness fixes Jul 2, 2026
@pavel-kirienko pavel-kirienko merged commit e4f8857 into main Jul 2, 2026
17 checks passed
@pavel-kirienko pavel-kirienko deleted the fix/behavioral-review-findings branch July 2, 2026 21:21