Completed public release hardening pass #64
Merged
byteshiftlabs merged 54 commits into main on Apr 8, 2026
- Deleted ad hoc UDP networking scripts
- Removed temporary network testing guide

- Added top-level VERSION file
- Updated Sphinx release metadata
- Updated API and test documentation versions

- Released transient VFS nodes consistently
- Rejected oversized normalized paths with ERANGE
- Preserved specific lookup errno values

- Normalized allocator errno handling
- Freed user page tables with the correct allocator
- Rolled back partial user mappings on failure

- Enabled built-in kernel tests in scripted TEST_MODE runs
- Aligned standalone script behavior with make test

- Added a severity-ranked audit findings ledger
- Recorded verified fixes and remaining review surfaces

- Released VMA-backed physical pages during cleanup and munmap
- Freed kmalloc-backed user stacks for kernel-mode processes
- Rolled back mapped pages when process_map_region fails

- Centralize syscall path-argument validation in syscall.c
- Assign deterministic errno values for bad pointers, bad fds, invalid process state, and missing children or target processes
- Record the boundary-contract fix in the codebase polishing audit ledger

- Reclassified invalid user buffers in getdents() and getcwd() as THUNDEROS_EFAULT
- Routed chdir() and execve() through the shared path validator and rejected oversized argv vectors with THUNDEROS_E2BIG
- Cleared stale errno on successful identity and TTY getter/setter syscalls
- Recorded the follow-up syscall boundary finding as S9 in the audit ledger
- Revalidated the batch with make clean && make -j2 && make test

- Added tracked kernel tests for the audited syscall errno boundary cases
- Wired the new test file into the ENABLE_TESTS build and kernel test startup path
- Added missing public syscall prototypes used by the regression test coverage
- Updated the audit ledger to record the new tracked coverage and the remaining gaps
- Revalidated with make ENABLE_TESTS=1 TEST_MODE=1 -j2 and make test
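The commits above describe three syscall-boundary contracts: oversized normalized paths fail with ERANGE, bad user pointers fail with EFAULT, and oversized argv vectors fail with E2BIG. The example below is added here to show what such a boundary looks like in code; it is not ThunderOS's syscall.c. The `EX_*` errno constants, the one-page `user_mem` window standing in for the user address space, the limits, and the fixture helpers `user_put_string` and `build_user_argv` are all assumptions made for the example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Errno values for this example only (the log uses THUNDEROS_E* names). */
#define EX_E2BIG         7
#define EX_EFAULT        14
#define EX_ERANGE        34
#define EX_ENAMETOOLONG  36
#define ARGV_MAX_ENTRIES 64      /* assumed limits */
#define ARGV_MAX_BYTES   4096

/* Stand-in for the user address space: one constructed page. Anything
   outside it is a bad user pointer. */
static _Alignas(16) char user_mem[4096];
#define USER_BASE ((uintptr_t)user_mem)
#define USER_END  (USER_BASE + sizeof user_mem)

/* [p, p+len) must lie inside the window; subtraction form avoids wraparound. */
static int user_range_ok(const void *p, size_t len) {
  uintptr_t a = (uintptr_t)p;
  return a >= USER_BASE && a <= USER_END && len <= USER_END - a;
}

/* Byte-wise length of a user string: 0 with *len set, -EX_EFAULT if the
   string runs off the window, 1 if no NUL appears within max bytes. */
static int user_strnlen(const char *s, size_t max, size_t *len) {
  for (size_t i = 0; i < max; i++) {
    if (!user_range_ok(s + i, 1)) return -EX_EFAULT;
    if (s[i] == '\0') { *len = i; return 0; }
  }
  return 1;
}

/* Shared path validator: bad pointer -> EFAULT, unterminated -> ENAMETOOLONG. */
int copy_path_from_user(const char *upath, char *kpath, size_t klen) {
  size_t n;
  if (upath == NULL || klen == 0) return -EX_EFAULT;
  int rc = user_strnlen(upath, klen, &n);
  if (rc < 0) return rc;
  if (rc > 0) return -EX_ENAMETOOLONG;
  memcpy(kpath, upath, n + 1);
  return 0;
}

/* Resolve path against cwd, collapsing "", "." and "..". A result that would
   not fit in outlen is rejected with ERANGE instead of being truncated. */
int normalize_path(const char *cwd, const char *path, char *out, size_t outlen) {
  const char *src[2]; int nsrc = 0; size_t len = 0;
  if (path[0] != '/') src[nsrc++] = cwd;          /* relative: start at cwd */
  src[nsrc++] = path;
  for (int i = 0; i < nsrc; i++) {
    for (const char *p = src[i]; *p; ) {
      while (*p == '/') p++;
      const char *start = p;
      while (*p && *p != '/') p++;
      size_t clen = (size_t)(p - start);
      if (clen == 0 || (clen == 1 && start[0] == '.')) continue;
      if (clen == 2 && start[0] == '.' && start[1] == '.') {
        while (len > 0 && out[len - 1] != '/') len--;  /* drop last component */
        if (len > 0) len--;                            /* and its '/' */
        continue;
      }
      if (len + 1 + clen + 1 > outlen) return -EX_ERANGE;
      out[len++] = '/';
      memcpy(out + len, start, clen);
      len += clen;
    }
  }
  if (len == 0) { if (outlen < 2) return -EX_ERANGE; out[len++] = '/'; }
  out[len] = '\0';
  return 0;
}

/* Count an execve argv, validating each pointer and string; the limits give
   a deterministic E2BIG instead of an unbounded kernel copy. */
int validate_argv(char *const *uargv, size_t *argc_out) {
  size_t argc = 0, bytes = 0, n;
  if (uargv == NULL) return -EX_EFAULT;
  for (;;) {
    if (!user_range_ok(uargv + argc, sizeof *uargv)) return -EX_EFAULT;
    const char *s = uargv[argc];
    if (s == NULL) break;
    if (argc == ARGV_MAX_ENTRIES) return -EX_E2BIG;
    int rc = user_strnlen(s, ARGV_MAX_BYTES - bytes, &n);
    if (rc < 0) return rc;
    if (rc > 0) return -EX_E2BIG;
    bytes += n + 1;
    argc++;
  }
  *argc_out = argc;
  return 0;
}

/* Fixtures (constructed): place a string or a NULL-terminated argv in the window. */
const char *user_put_string(const char *s) {
  char *dst = user_mem + 2048;
  memcpy(dst, s, strlen(s) + 1);
  return dst;
}
char **build_user_argv(const char *const *strs, size_t n) {
  char **vec = (char **)user_mem;                   /* pointer array at the base */
  char *str = user_mem + (n + 1) * sizeof(char *);  /* strings right after it */
  for (size_t i = 0; i < n; i++) {
    size_t l = strlen(strs[i]) + 1;
    memcpy(str, strs[i], l);
    vec[i] = str;
    str += l;
  }
  vec[n] = NULL;
  return vec;
}
int argv_limit_probe(void) {              /* one entry over the limit -> E2BIG */
  const char *many[ARGV_MAX_ENTRIES + 1]; size_t argc;
  for (int i = 0; i <= ARGV_MAX_ENTRIES; i++) many[i] = "a";
  return validate_argv(build_user_argv(many, ARGV_MAX_ENTRIES + 1), &argc);
}
```

The functions return negative errno values so a dispatcher can store them into the process's errno slot uniformly; a real kernel would replace `user_range_ok` with a walk over the process's mappings.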
- Updated sys_uname() to report release 0.9.0 and version v0.9.0 Synchronization
- Updated the user shell banner to ThunderOS User Shell v0.9.0
- Recorded the remaining runtime version drift as S10 and marked it fixed in the audit ledger
- Revalidated with make clean && make -j2 && make test

- Added a top-level run_os.sh script for launching ThunderOS with -bios none
- Matched the repo's existing QEMU fallback lookup and modern VirtIO block flags
- Validated the script syntax before committing

- Taught the shared VirtIO block request builder to use a two-descriptor chain for zero-payload flush requests
- Preserved the existing three-descriptor path for read and write I/O
- Validated the change with a clean build and passing test suite

- Reset and re-bound the existing VirtIO block queue before returning a timeout
- Reinitialized queue state after device reset so timed-out descriptors are not recycled while buffers are still in use
- Validated the change with a clean build and passing test suite

- Stored the virtqueue DMA allocation handles in the block queue state
- Added a shared queue cleanup helper for allocation rollback and post-init failure cleanup
- Validated the change with a clean build and passing test suite

- Adjusted ext2 block allocation to account for s_first_data_block and stop at the real block count
- Validated ext2 block frees against the absolute filesystem block range before clearing bitmap entries
- Validated the change with a clean build and passing test suite

- Validated ext2 block pointers and directory entry layouts across read, lookup, readdir, and mutation paths
- Preserved real lookup and block-mapping failures instead of translating corruption into sparse reads or ENOENT results
- Validated mount geometry and inode-table access before trusting cached group descriptor metadata
- Failed partial writes when the existing block contents could not be read
- Revalidated with make clean && make -j2 && make test

- Rejected impossible ext2 bitmap geometry and out-of-range inode frees to keep malformed metadata from overrunning bitmap buffers
- Fixed negative seek underflow in vfs_seek() and normalized ext2 VFS lookup errno handling on success and failure paths
- Registered and enabled the VirtIO block IRQ and mapped the PLIC MMIO range so interrupt setup works after paging is enabled
- Revalidated with make clean && make -j2 && make test
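The three ext2 commits above (s_first_data_block offset and real block count in allocation, absolute-range checks on free, rejection of impossible bitmap geometry) and the vfs_seek() underflow fix all come down to bounds arithmetic on on-disk values. The block below is an added example of those checks, not ThunderOS's ext2 or VFS code: the `ext2_geom` struct, the one-group-at-a-time allocator interface, the errno choices, and `vfs_seek_compute` with numeric whence values are assumptions for the example.

```c
#include <errno.h>
#include <stdint.h>

/* Constructed ext2-style geometry; field names follow the superblock, but
   the struct is specific to this example. */
struct ext2_geom {
  uint32_t s_first_data_block;   /* 1 for 1 KiB blocks, 0 for larger ones */
  uint32_t s_blocks_count;       /* real end of the filesystem */
  uint32_t s_blocks_per_group;
  uint32_t block_size;
};

/* Reject geometry a bitmap buffer cannot represent: one block bitmap covers
   at most block_size*8 blocks, and data must start inside the device. */
int ext2_check_geometry(const struct ext2_geom *g) {
  if (g->block_size == 0 || g->s_blocks_per_group == 0) return -EINVAL;
  if (g->s_blocks_per_group > g->block_size * 8u) return -EINVAL;
  if (g->s_first_data_block >= g->s_blocks_count) return -EINVAL;
  return 0;
}

/* Absolute block number where group gi starts. */
static uint64_t group_base(const struct ext2_geom *g, uint32_t gi) {
  return (uint64_t)g->s_first_data_block + (uint64_t)gi * g->s_blocks_per_group;
}

/* Allocate the lowest free block of group gi. Bit b means absolute block
   base+b, so s_first_data_block shifts every result, and the scan stops at
   s_blocks_count so a partial last group cannot hand out blocks past the end
   of the device. Returns the block, or 0 (never a data block) with *err set. */
uint32_t ext2_alloc_block(const struct ext2_geom *g, uint32_t gi, uint8_t *bitmap, int *err) {
  uint64_t base = group_base(g, gi);
  if (base >= g->s_blocks_count) { *err = -EINVAL; return 0; }
  uint64_t nbits = g->s_blocks_per_group;
  if (base + nbits > g->s_blocks_count) nbits = g->s_blocks_count - base;
  for (uint64_t bit = 0; bit < nbits; bit++) {
    uint8_t mask = (uint8_t)(1u << (bit % 8));
    if (!(bitmap[bit / 8] & mask)) {
      bitmap[bit / 8] |= mask;
      *err = 0;
      return (uint32_t)(base + bit);
    }
  }
  *err = -ENOSPC;
  return 0;
}

/* Free an absolute block back into group gi. The block must fall inside the
   group's real range, so a corrupt inode cannot clear another group's bits or
   index past the bitmap buffer; freeing an already-free block is rejected too. */
int ext2_free_block(const struct ext2_geom *g, uint32_t gi, uint8_t *bitmap, uint32_t block) {
  uint64_t base = group_base(g, gi);
  uint64_t end = base + g->s_blocks_per_group;
  if (end > g->s_blocks_count) end = g->s_blocks_count;
  if (block < base || block >= end) return -EINVAL;
  uint64_t bit = block - base;
  uint8_t mask = (uint8_t)(1u << (bit % 8));
  if (!(bitmap[bit / 8] & mask)) return -EINVAL;
  bitmap[bit / 8] &= (uint8_t)~mask;
  return 0;
}

/* Seek arithmetic: whence 0/1/2 = SEEK_SET/SEEK_CUR/SEEK_END. A negative
   offset that would move before the start of the file is rejected instead of
   wrapping into a huge position; forward overflow is caught as well. */
int vfs_seek_compute(int64_t cur, int64_t size, int64_t off, int whence, int64_t *out) {
  int64_t base;
  if (cur < 0 || size < 0) return -EINVAL;
  switch (whence) {
    case 0: base = 0;    break;
    case 1: base = cur;  break;
    case 2: base = size; break;
    default: return -EINVAL;
  }
  if (off > 0 && base > INT64_MAX - off) return -EOVERFLOW;
  if (off < 0 && base + off < 0) return -EINVAL;   /* base >= 0, so no wrap */
  *out = base + off;
  return 0;
}
```

With 1 KiB blocks (s_first_data_block = 1) the first bit of group 0 is block 1, not block 0; an allocator that forgets the offset hands out the boot block, and a free routine without the absolute-range check will happily clear bits for a block number the inode never owned.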
- Preserved the real stop signal in wait statuses and avoided re-reporting consumed stop events
- Initialized signal state for fresh user and ELF processes and made fork inherit signal handlers and blocked masks explicitly
- Removed overlapping process_create_elf cleanup frees so process_free owns rollback teardown
- Dequeued stopped processes from the ready queue so the scheduler cannot run them until SIGCONT

- Added a shared blocking helper for sleeping kernel tasks
- Ordered wait-queue and generic process sleep transitions against scheduler handoff
- Reworked waitpid to block through the shared sleep path instead of ad hoc polling
- Kept the audit ledger local by leaving CODEBASE_POLISHING_AUDIT.md unstaged

- Validated non-null waitpid status pointers before writing child state back to userspace
- Cleared stale errno on the audited syscall success paths in waitpid, getpid, sbrk, sleep, yield, getppid, and gettime
- Revalidated the batch with make clean && make -j2 && make test

- Limited pending signal delivery to trap returns that are headed back to user mode
- Added syscall regression coverage for invalid waitpid status pointers and the audited stale-errno success paths
- Revalidated the batch with make clean && make -j2 && make test

- Kept debug-first builds at O0 by default while preserving configurable build knobs
- Exposed QEMU acceleration and extra runtime flags in the launcher and Makefile
- Updated the README to document the opt-in optimized build path and runtime tuning

- Removed stale wait-queue entries after blocked sleeps return through signal-driven state changes
- Cleared obsolete stop metadata before SIGCONT resumes a stopped process

- Wired SYS_SIGNAL, SYS_SIGACTION, and SYS_SIGRETURN through the syscall dispatcher
- Added minimal safe signal and handler-only sigaction implementations with user-pointer validation
- Added syscall regression coverage for signal handler registration through the dispatch path

- Closed lost-wakeup windows across mutex, semaphore, condvar, and rwlock blocking paths
- Hardened sync-object ownership and destroy semantics plus pipe state-transition ordering
- Fixed process helper errno contracts and expanded kernel regression coverage for the new boundary checks

- Sorted VMA insertion with overlap rejection in process_add_vma
- Full-length gap search in sys_mmap to prevent partial overlaps
- Exact VMA match enforcement in sys_munmap
- Cross-VMA cursor walk in process_validate_user_ptr
- Added ELF class, endianness, and phentsize validation
- Added segment overflow and kernel-address-space rejection
- Fixed elf_exec_replace to use translate_phys_to_virt
- Added errno to process_create_elf and process_map_region paths
- Stored GPU framebuffer DMA region handle for proper shutdown cleanup
- Added regression tests for VMA ordering, mmap gaps, and munmap
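The VMA and ELF items in the commit above are the classic memory-safety checks of a user-space loader: a sorted VMA list that refuses overlaps, an mmap gap search that checks the full length rather than the first page, munmap restricted to exact matches, a user-pointer walk that crosses touching VMAs, and ELF header and segment validation that catches vaddr+memsz wraparound and images placed in kernel space. The block below is an added example of those checks, not ThunderOS's process or ELF loader code; the fixed-size `addr_space`, the `USER_VA_END` boundary, and the trimmed `elf_ident`/`elf_seg` structs are assumptions for the example (real loaders read the same fields from Elf64_Ehdr and Elf64_Phdr).

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define MAX_VMAS     16
#define PAGE_SZ      4096ULL
#define USER_VA_END  0x0000004000000000ULL   /* assumed top of user space */

struct vma { uint64_t start, end; };                  /* [start, end), page aligned */
struct addr_space { struct vma v[MAX_VMAS]; int n; }; /* kept sorted by start */

/* Sorted insert that rejects any overlap with an existing mapping. Touching
   ranges are fine; a range reaching past USER_VA_END is not. */
int as_add_vma(struct addr_space *as, uint64_t start, uint64_t end) {
  if (start >= end || start % PAGE_SZ || end % PAGE_SZ || end > USER_VA_END) return -EINVAL;
  if (as->n == MAX_VMAS) return -ENOMEM;
  int i = 0;
  while (i < as->n && as->v[i].end <= start) i++;        /* first vma not wholly below */
  if (i < as->n && as->v[i].start < end) return -EEXIST; /* it overlaps */
  memmove(&as->v[i + 1], &as->v[i], (size_t)(as->n - i) * sizeof(struct vma));
  as->v[i] = (struct vma){start, end};
  as->n++;
  return 0;
}

/* mmap gap search: lowest address >= hint where the *full* len fits. Checking
   only the first page would let the new mapping overlap the next vma's tail. */
int as_find_gap(const struct addr_space *as, uint64_t hint, uint64_t len, uint64_t *out) {
  uint64_t cand = hint;
  for (int i = 0; i < as->n; i++) {
    if (as->v[i].end <= cand) continue;          /* already below the candidate */
    if (as->v[i].start >= cand + len) break;     /* whole length fits before it */
    cand = as->v[i].end;                         /* bump past it and keep scanning */
  }
  if (cand + len < cand || cand + len > USER_VA_END) return -ENOMEM;
  *out = cand;
  return 0;
}

/* munmap accepts only an exact vma match; partial or stray unmaps are errors. */
int as_remove_vma(struct addr_space *as, uint64_t start, uint64_t end) {
  for (int i = 0; i < as->n && as->v[i].start < end; i++) {
    if (as->v[i].start != start || as->v[i].end != end) continue;
    memmove(&as->v[i], &as->v[i + 1], (size_t)(as->n - i - 1) * sizeof(struct vma));
    as->n--;
    return 0;
  }
  return -EINVAL;
}

/* User-pointer validation with a cursor that walks across adjacent vmas: a
   buffer spanning two touching mappings is valid, one crossing a hole is not. */
bool as_validate_user_range(const struct addr_space *as, uint64_t p, uint64_t len) {
  uint64_t cur = p, end = p + len;
  if (end < p || end > USER_VA_END) return false;
  for (int i = 0; i < as->n && cur < end; i++) {
    if (as->v[i].end <= cur) continue;
    if (as->v[i].start > cur) return false;      /* hole before coverage resumes */
    cur = as->v[i].end;
  }
  return cur >= end;
}

/* Only the ELF fields the commit lists as newly validated. */
struct elf_ident { uint8_t ei_class, ei_data; uint16_t e_phentsize; };
struct elf_seg   { uint64_t p_offset, p_vaddr, p_filesz, p_memsz; };

int elf_check_ident(const struct elf_ident *h) {
  if (h->ei_class != 2)     return -ENOEXEC;   /* ELFCLASS64 */
  if (h->ei_data != 1)      return -ENOEXEC;   /* ELFDATA2LSB */
  if (h->e_phentsize != 56) return -ENOEXEC;   /* sizeof(Elf64_Phdr) */
  return 0;
}

/* File bytes must fit both the file and the memory image, vaddr+memsz must
   not wrap, and the image must stay below the kernel boundary. */
int elf_check_segment(const struct elf_seg *s, uint64_t file_size) {
  if (s->p_filesz > s->p_memsz) return -ENOEXEC;
  if (s->p_offset > file_size || s->p_filesz > file_size - s->p_offset) return -ENOEXEC;
  if (s->p_memsz > UINT64_MAX - s->p_vaddr) return -ENOEXEC;
  if (s->p_vaddr + s->p_memsz > USER_VA_END) return -ENOEXEC;
  return 0;
}
```

Note the order of the two arithmetic checks in `elf_check_segment`: the wraparound test must run before the boundary comparison, otherwise a segment with `p_vaddr` near the top of the address space and a large `p_memsz` wraps to a small sum and passes the kernel-space check.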
- Removed standalone AI_USAGE.md (superseded by ai-dev-prompts repository)
- Updated CONTRIBUTING.md AI Usage Policy section to reference ai-dev-prompts

- Removed freeze banner and FREEZE.md link from Check current status section

- Deleted build-audit/ and build-docker-shell-soak/ local directories (never committed)
- Added build-*/ pattern to .gitignore to prevent future accidental commits

- Updated build, test, static-analysis, and documentation paths to external/userland
- Enabled recursive submodule checkout in GitHub Actions workflows
- Restored scripted verification and release-surface consistency after the submodule move

- Updated docs/source/introduction.rst to use --recurse-submodules
- Kept the published setup path aligned with the current submodule-based repo layout

- Required mkfs.ext2 before starting the build
- Failed fast when build_userland.sh is missing or the userland build fails
- Verified fs.img exists before reporting build success

- Replaced removed test_user_mode.sh documentation entries with test_kernel.sh
- Kept README and Sphinx testing guidance aligned with the current test script set

- Made build_os.sh incremental by default for the common development path
- Added an explicit --clean option for full rebuilds
- Updated the development guide to document the new build and run commands

- Updated the ROADMAP v0.9.0 status date to December 4, 2025
- Kept the roadmap aligned with the changelog and release commit history

- Compiled the dormant virtual terminal test file into ENABLE_TESTS builds
- Ran memory isolation coverage in the built-in kernel test batch
- Updated the v0.7.0 test code to the current vterm API and boot order

- Uploaded the aggregated test_results.log produced by make test
- Removed legacy artifact paths that are not generated by the current test runner

- Set THUNDEROS_ENOMEM when alloc_page_table cannot allocate a page
- Preserved allocator errno in create_user_page_table
- Cleared stale errno after successful user page table creation

- Rejected out-of-range free-list and used-ring descriptor indices
- Added bounds checks while traversing descriptor chains
- Propagated queue corruption as I/O errors instead of risking out-of-bounds access
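The descriptor-table hardening in the commit above, together with the earlier two-descriptor flush chain versus three-descriptor read/write chain in the VirtIO block request builder, both concern the same structure: a virtqueue whose descriptor memory is shared with the device and therefore cannot be trusted on the way back. The block below is an added example of a driver-side split-ring queue with those checks; it is not ThunderOS's VirtIO code. The tiny `VQ_SIZE`, the `in_use` bitmap, the simplified `vq` struct without avail/used rings, and the `vq_complete(used_id)` entry point are assumptions for the example (the `VRING_DESC_F_*` flag values and the 16-byte block request header are the VirtIO specification's).

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

#define VQ_SIZE            8
#define VRING_DESC_F_NEXT  1
#define VRING_DESC_F_WRITE 2
#define BLK_HDR_LEN        16   /* virtio_blk_req header: type, reserved, sector */

struct vring_desc { uint64_t addr; uint32_t len; uint16_t flags; uint16_t next; };

/* Driver-side state. The descriptor table is shared with the device, so the
   next/flags fields read back from it are checked before use. */
struct vq {
  struct vring_desc desc[VQ_SIZE];
  uint16_t free_head, num_free;
  uint8_t  in_use[VQ_SIZE];    /* 1 while a descriptor belongs to a posted chain */
};

void vq_init(struct vq *q) {
  memset(q, 0, sizeof *q);
  for (uint16_t i = 0; i < VQ_SIZE; i++) { q->desc[i].flags = VRING_DESC_F_NEXT; q->desc[i].next = i + 1; }
  q->desc[VQ_SIZE - 1].flags = 0;
  q->num_free = VQ_SIZE;
}

/* Pop the free-list head, refusing an index outside the table or one that is
   still posted; either means the free list was corrupted. */
static int vq_pop_free(struct vq *q, uint16_t *idx) {
  uint16_t i = q->free_head;
  if (q->num_free == 0) return -ENOSPC;
  if (i >= VQ_SIZE || q->in_use[i]) return -EIO;
  q->free_head = q->desc[i].next;
  q->num_free--;
  q->in_use[i] = 1;
  *idx = i;
  return 0;
}

/* Build a block request chain and return its head index. A flush carries no
   payload, so it is header -> status (two descriptors); reads and writes are
   header -> data -> status (three). A pop failure leaves the queue for reset. */
int vq_build_blk_request(struct vq *q, uint64_t hdr, uint64_t data, uint32_t data_len,
                         uint64_t status, int is_write, int is_flush) {
  uint16_t idx[3];
  int n = is_flush ? 2 : 3;
  if (q->num_free < n) return -ENOSPC;
  for (int i = 0; i < n; i++) { int rc = vq_pop_free(q, &idx[i]); if (rc) return rc; }
  q->desc[idx[0]] = (struct vring_desc){hdr, BLK_HDR_LEN, VRING_DESC_F_NEXT, idx[1]};
  if (!is_flush) {
    uint16_t f = VRING_DESC_F_NEXT | (is_write ? 0 : VRING_DESC_F_WRITE); /* device writes on read */
    q->desc[idx[1]] = (struct vring_desc){data, data_len, f, idx[2]};
  }
  q->desc[idx[n - 1]] = (struct vring_desc){status, 1, VRING_DESC_F_WRITE, 0};
  return idx[0];
}

/* Process one used-ring entry: return the chain at used_id to the free list.
   The id is bounds-checked, a descriptor we never posted is rejected, every
   next index is checked, and the walk is capped at VQ_SIZE hops, so a corrupt
   chain cannot index past the table or loop. -EIO tells the caller to reset. */
int vq_complete(struct vq *q, uint32_t used_id) {
  if (used_id >= VQ_SIZE || !q->in_use[used_id]) return -EIO;
  uint16_t i = (uint16_t)used_id;
  for (int hops = 0; hops < VQ_SIZE; hops++) {
    uint16_t flags = q->desc[i].flags, next = q->desc[i].next;
    q->in_use[i] = 0;
    q->desc[i].next = q->free_head;
    q->desc[i].flags = VRING_DESC_F_NEXT;
    q->free_head = i;
    q->num_free++;
    if (!(flags & VRING_DESC_F_NEXT)) return 0;
    if (next >= VQ_SIZE || !q->in_use[next]) return -EIO;
    i = next;
  }
  return -EIO;
}
```

The `in_use` check is what turns a self-referencing or back-pointing `next` into an immediate error rather than a double free: once a descriptor has been returned to the free list it is no longer posted, so revisiting it within the same walk is detected on the very next hop.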
- Checked VirtIO queue state before acknowledging interrupts and handled device reset requests
- Removed the remaining interrupt-handler TODO by making the IRQ path explicitly quiesce synchronous completions
- Rejected deleted or orphaned ext2 inodes during VFS lookup and stopped freeing inodes after failed tombstone writes

- Moved file descriptor tables out of the global VFS state and into each process
- Added lightweight VFS node and pipe reference tracking so fork and dup2 no longer free shared handles prematurely
- Cloned and released per-process file tables during process lifecycle to stop cross-process close side effects
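The per-process file table commit above fixes a use-after-free pattern: with one global table and no reference counts, a close() in a forked child (or a dup2 over a shared slot) could free a node the parent was still using. The block below is an added example of the reference-tracking shape that avoids it; it is not ThunderOS's VFS code. The `ofile` pool standing in for VFS nodes and pipe ends, the `released` flag used in place of freeing, and the `FD_MAX` limit are assumptions for the example.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

#define FD_MAX    16
#define OFILE_MAX 8

/* A shared open-file object (a VFS node or a pipe end). It is released only
   when the last reference from any process's table drops; `released` lets the
   example observe that moment without freeing memory. */
struct ofile { int refs; int released; char name[16]; };
static struct ofile ofile_pool[OFILE_MAX];        /* static pool instead of kmalloc */

struct fdtable { struct ofile *slots[FD_MAX]; };  /* one table per process */

struct ofile *ofile_open(const char *name) {
  for (int i = 0; i < OFILE_MAX; i++) {
    if (ofile_pool[i].refs == 0) {
      ofile_pool[i].refs = 1;
      ofile_pool[i].released = 0;
      strncpy(ofile_pool[i].name, name, sizeof ofile_pool[i].name - 1);
      ofile_pool[i].name[sizeof ofile_pool[i].name - 1] = '\0';
      return &ofile_pool[i];
    }
  }
  return NULL;
}

static void ofile_put(struct ofile *f) {
  if (--f->refs == 0) f->released = 1;   /* real code frees the node here */
}

static int fd_valid(const struct fdtable *t, int fd) {
  return fd >= 0 && fd < FD_MAX && t->slots[fd] != NULL;
}

/* Install an open file in the lowest free slot, taking over the caller's ref. */
int fd_install(struct fdtable *t, struct ofile *f) {
  for (int fd = 0; fd < FD_MAX; fd++) {
    if (t->slots[fd] == NULL) { t->slots[fd] = f; return fd; }
  }
  return -EMFILE;
}

int fd_close(struct fdtable *t, int fd) {
  if (!fd_valid(t, fd)) return -EBADF;
  ofile_put(t->slots[fd]);
  t->slots[fd] = NULL;
  return 0;
}

/* dup2 shares the object by taking a new reference; the fd it replaces gives
   its own reference back instead of freeing the node outright. */
int fd_dup2(struct fdtable *t, int oldfd, int newfd) {
  if (!fd_valid(t, oldfd) || newfd < 0 || newfd >= FD_MAX) return -EBADF;
  if (oldfd == newfd) return newfd;
  if (t->slots[newfd]) ofile_put(t->slots[newfd]);
  t->slots[oldfd]->refs++;
  t->slots[newfd] = t->slots[oldfd];
  return newfd;
}

/* fork: the child gets its own table whose entries each hold a reference, so
   a close() in either process cannot pull the object out from under the other. */
void fd_clone(const struct fdtable *parent, struct fdtable *child) {
  for (int fd = 0; fd < FD_MAX; fd++) {
    child->slots[fd] = parent->slots[fd];
    if (child->slots[fd]) child->slots[fd]->refs++;
  }
}

/* exit: drop every reference this process holds. */
void fd_release_all(struct fdtable *t) {
  for (int fd = 0; fd < FD_MAX; fd++) {
    if (t->slots[fd]) { ofile_put(t->slots[fd]); t->slots[fd] = NULL; }
  }
}
```

The invariant to check in review is that every pointer stored in a table slot accounts for exactly one reference: `fd_install` consumes the caller's, `fd_dup2` and `fd_clone` take new ones, and `fd_close` and `fd_release_all` drop one each. A pipe with a reader in the parent and a writer in the child then survives either side's exit until the last slot referencing it is gone.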
- Split object output paths by optimization, debug, test, and test-mode settings
- Stopped stale test objects from poisoning the default build and causing unresolved symbols
- Verified both a clean default build and the full test suite after the change

- Corrected the interactive shell version strings to match ThunderOS v0.9.0
- Replaced stale syscall and errno snippets with source-backed literalinclude sections
- Fixed the syscall and ELF loader docs to describe the current code and build cleanly under Sphinx

- Synchronized internals docs with live source excerpts
- Hardened syscall, console, ext2, and release-gate behavior
- Recorded the published thunderos-userland update for shell and kill fixes

- Removed audit ledger from tracking and added to .gitignore
- Updated .gitmodules to HTTPS URL for anonymous public cloning
- Updated README clone command to HTTPS URL
- Simplified CI workflows to use standard recursive submodule checkout
- Updated signals documentation to reflect handler-only sigaction implementation

- Corrected broken and stale reStructuredText references across the docs
- Simplified API entries that conflicted with generated declarations
- Filtered intentional duplicate C declaration warnings and unsupported lexer noise

- Switched Sphinx edit links to the current repository owner
- Pointed the roadmap issues link at byteshiftlabs/thunderos
Summary:
Completed the ThunderOS public release hardening pass needed before merging code-refactor/codebase-polishing to main.
Changes:
Testing:
Companion PRs: