fix: hang on macOS due to overflow/underflow of durations

[gdamore]

We also ensure that we won't overflow the msec timer on other POSIX systems.

Summary by CodeRabbit

• Bug Fixes
  • Improved timeout handling in I/O operations by adding duration constraints and clamping to prevent potential overruns. Timeout values are now bounded to ensure reliable behavior across different system configurations.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

Timeout handling in terminal I/O read operations was refined by adding duration bounds clamping in both select and poll code paths. Duration values are now constrained to valid ranges—10 microseconds to 1 hour for select operations, and up to 24 hours for poll operations—with updated calculations to prevent overflow and ensure correct type casting.

Changes

Cohort / File(s)

Summary

Timeout bounds enforcement in termio source/dcell/termio.d

Modified UseSelect path to narrow duration condition (treating only Duration.max as "no wait"), added clamping to 10 microseconds–1 hour range with bounds assertion, and updated timeout calculations with explicit type casting. Modified UsePoll path to clamp non-max durations to 24-hour maximum before millisecond conversion. Added std.algorithm import and documentation comments for duration constraints.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

• Single file with localized changes focused on duration clamping logic
• Changes are repetitive in nature (applying similar bounds-checking pattern in two paths)
• Timeout handling is security-sensitive and warrants careful verification of:
  • Clamping ranges (10 µs–1 hr for select, 24 hrs for poll) and their correctness
  • Overflow prevention in millisecond/microsecond conversions
  • Type casting accuracy with explicit parentheses

Possibly related PRs

• fix: address possible overflow with duration max #37 — Directly modifies timeout handling in the same file's select/poll read paths, adjusting Duration.max treatment and conversion logic.

Poem

🐰 Hop and bound, dear timing flows,
No overflow where milliseconds grow,
Ten micros to an hour we clamp,
Poll at twenty-four—no timeout cramp!
Fixed and safe, your timeouts now stay,
All thanks to bounds that save the day! ✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main purpose of the changeset: fixing a hang on macOS caused by overflow/underflow of durations, which aligns with the code changes that add duration clamping to prevent timer overflows.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch gdamore/fix-max-hang

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

source/dcell/termio.d (2)

14-14: Remove the redundant local import on line 232.

The top-level import of std.algorithm makes the local selective import on line 232 (import std.algorithm : max;) redundant.

Apply this diff to remove the redundant import:

        import std.algorithm : max;

-        int num = select(max(fd, sigRfd) + 1, &readFds, null, null, tvp);
+        int num = select(max(fd, sigRfd) + 1, &readFds, null, null, tvp);

Actually, simply remove line 232:

-        import std.algorithm : max;
-
         int num = select(max(fd, sigRfd) + 1, &readFds, null, null, tvp);

---

283-285: Consider adding minimum duration clamping for consistency.

The 24-hour maximum clamp prevents overflow (86,400,000 ms fits well within int range). However, unlike the UseSelect path which clamps to a minimum of 10µs, this path doesn't enforce a minimum. A negative or zero non-max duration will result in dly = 0, which is valid but inconsistent with the select path's behavior.

Consider applying this diff for consistency:

         else
         {
-            // clip to a day to prevent overrun
-            dur = min(hours(24), dur);
+            // clip between 10us and a day to prevent overrun
+            dur = min(hours(24), max(dur, usecs(10)));
             dly = cast(int)(dur.total!"msecs");
         }

This ensures both paths treat zero/negative durations consistently.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c00263b and 542ec85.

📒 Files selected for processing (1)

• source/dcell/termio.d (3 hunks)