fix(checker): self-driving stack-depth measurement + CI guard (#37) #80
Merged
Closes the one open DoD item on #37: the Windows-CI leg of the stack-budget measurement confirming MAX_EXPR_DEPTH=128 is safe on the 1 MiB msvc main-thread stack. Subtleties 1 & 3 were fixed in #43; the value was left open until that datapoint, and nothing yet ran the probe.

- examples/measure_depth.rs: rewrite the single-shot probe into a self-driving measurement. It re-execs itself as worker subprocesses, binary-searches the overflow cliff for the recursive Drop, the guarded checker walk and the iterative teardown, prints per-platform bytes/level, and exits non-zero if MAX_EXPR_DEPTH no longer fits the 1 MiB floor with headroom. One command now produces and asserts the datapoint on any platform (was a probe needing a manual exit-code wrapper).
- .github/workflows/stack-depth.yml: run that measurement and the regression test on ubuntu-latest + windows-latest (same pinned actions as checker-scaling.yml), so the Windows datapoint is produced and locked in on every change instead of relying on a manual run.
- tests/stack_depth_37.rs: assert the depth-128 guarded walk and a 1e6-deep iterative teardown both survive a 1 MiB stack.
- checker.rs: document that the budget is now reconfirmed automatically on both OSes rather than by a one-off manual measurement.

https://claude.ai/code/session_013JnrUmkCpMHsABRmhLVyd2
Review of the self-driving measurement flagged that survives() collapsed both subprocess spawn-failure and any non-zero exit into false ("cliffed"), with no positive proof the walk ran — an infra failure (or a future path that exits 0 without doing the work) could skew a measured cliff or risk a false PASS.

- survives() now distinguishes three outcomes: spawn-failure / exit-0-without-running-the-walk are fatal (exit 3, never a datapoint); a survived run requires exit 0 AND the worker's "OK ..." completion line; a non-zero exit is the genuine overflow cliff signal.
- Document that overflow-aborts-the-process is the cliff mechanism and that join().is_err() only covers the unwinding-panic path (default panic=unwind; abort would also exit non-zero, so either strategy is safe).

Driver still PASSes locally (MAX_EXPR_DEPTH=128 safe within 819 KiB of the 1 MiB floor); the binary searches were independently verified correct.

https://claude.ai/code/session_013JnrUmkCpMHsABRmhLVyd2
hyperpolymath pushed a commit that referenced this pull request (May 30, 2026)
hyperpolymath added a commit that referenced this pull request (May 30, 2026)
https://claude.ai/code/session_013JnrUmkCpMHsABRmhLVyd2 Co-authored-by: Claude <noreply@anthropic.com>
🔍 Hypatia Security Scan. Findings: 96 issues detected
[
{
"reason": "Action perpolymath/standards/.github/workflows/governance-reusable.yml@main\n needs attention",
"type": "unpinned_action",
"file": "governance.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in cflite_batch.yml",
"type": "missing_timeout_minutes",
"file": "cflite_batch.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in cflite_batch.yml",
"type": "missing_timeout_minutes",
"file": "cflite_batch.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in cflite_pr.yml",
"type": "missing_timeout_minutes",
"file": "cflite_pr.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in cflite_pr.yml",
"type": "missing_timeout_minutes",
"file": "cflite_pr.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in checker-scaling.yml",
"type": "missing_timeout_minutes",
"file": "checker-scaling.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in codeql.yml",
"type": "missing_timeout_minutes",
"file": "codeql.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in governance.yml",
"type": "missing_timeout_minutes",
"file": "governance.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in hypatia-scan.yml",
"type": "missing_timeout_minutes",
"file": "hypatia-scan.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in mirror.yml",
"type": "missing_timeout_minutes",
"file": "mirror.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
}
]
Powered by Hypatia Neurosymbolic CI/CD Intelligence
Closes the one remaining open DoD item on #37: the Windows-CI leg of the stack-budget measurement that confirms MAX_EXPR_DEPTH = 128 is safe on the 1 MiB msvc main-thread stack.

Background

Subtleties 1 & 3 of #37 (general iterative AST teardown; MAX_EXPR_DEPTH re-derived 256 → 128) were fixed in #43. That PR explicitly left #37 open for a single datapoint: "the Windows-CI leg of the stack measurement — needs CI access … Leave #37 open until that datapoint confirms the 128 budget on the msvc toolchain."

The blocker was that examples/measure_depth.rs was a single-shot probe — it ran one walk at one depth/stack and relied on a human reading the exit code across many runs. Nothing in CI drove it, so the Windows number was never produced.

What this does

- examples/measure_depth.rs — rewritten into a self-driving measurement. A stack overflow aborts the process, so it can't be caught in-process; the example now re-execs itself as worker subprocesses and binary-searches the overflow cliff for each of: recursive Drop, the guarded check_expr walk, and the iterative teardown. It prints per-platform bytes/level and exits non-zero if MAX_EXPR_DEPTH no longer fits the 1 MiB floor with headroom. The old worker mode (measure_depth <mode> <depth> <stack_kib>) is preserved as the subprocess entry point.
- .github/workflows/stack-depth.yml — new. Runs the measurement + the regression test on ubuntu-latest and windows-latest (same SHA-pinned checkout/rust-toolchain actions as checker-scaling.yml). The Windows datapoint is now produced and locked in on every change — a future bump that breaks the budget fails CI on the affected OS.
- crates/my-lang/tests/stack_depth_37.rs — new. Asserts, on a thread pinned to exactly 1 MiB (the Windows budget), that the depth-MAX_EXPR_DEPTH guarded walk and a 1,000,000-deep iterative teardown both survive. This is the OS-portable regression guard.
- checker.rs — doc update. The MAX_EXPR_DEPTH doc-comment now records that the budget is reconfirmed automatically on both OSes, not by a one-off manual run.

Verification (Linux, this run)

cargo test -p my-lang --test stack_depth_37 --release → 2 passed, 0 failed. The Windows leg runs once this lands and the windows-latest job executes.

DoD status (#37)

- MAX_EXPR_DEPTH from the measured budget (done in fix(checker): general non-overflowing AST teardown + measured MAX_EXPR_DEPTH (#37) #43; now CI-verified on msvc)
- Call-shaped AST (extended here to a 1 MiB-stack guard on both OSes)

Once the Stack Depth (#37) workflow goes green on windows-latest, #37 can close.

https://claude.ai/code/session_013JnrUmkCpMHsABRmhLVyd2
Generated by Claude Code
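The three-outcome worker classification from the review comment above (spawn failure or exit 0 without the "OK" line is fatal and never a datapoint; exit 0 plus the "OK" line is a survival; a non-zero exit is the overflow cliff) and the re-exec-and-binary-search driver from the description, written out as an added example in Rust. This is not the project's examples/measure_depth.rs and not code from the PR; the names classify, find_cliff, fits_with_headroom and run_worker, the CLI shape `<exe> worker <depth> <stack_kib>`, the roughly 1 KiB-per-frame probe and the 80% headroom rule are assumptions made here.

```rust
// Added example, not the project's examples/measure_depth.rs. The CLI shape
// (`<exe> worker <depth> <stack_kib>`), the 1 KiB-per-frame probe and the 80%
// headroom rule are assumptions made for this example.
use std::process::{Command, Stdio};

/// What a single worker run proves.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Outcome {
    /// Exit 0 and the "OK ..." completion line: the walk demonstrably ran.
    Survived,
    /// Non-zero exit or signal: a stack overflow aborts the process, so this is the cliff.
    Cliffed,
    /// Spawn failure, or exit 0 without the OK line: infrastructure problem, never a datapoint.
    Fatal(&'static str),
}

/// Raw observation of one worker process, kept apart from std::process::Output
/// so tests can construct it directly.
pub struct WorkerRun {
    pub spawn_error: Option<String>,
    /// None means killed by a signal (SIGABRT from Rust's overflow handler on Linux).
    pub exit_code: Option<i32>,
    pub stdout: String,
}

pub fn classify(run: &WorkerRun) -> Outcome {
    if run.spawn_error.is_some() {
        return Outcome::Fatal("worker failed to spawn");
    }
    match run.exit_code {
        Some(0) if run.stdout.lines().any(|l| l.starts_with("OK ")) => Outcome::Survived,
        Some(0) => Outcome::Fatal("exit 0 without the OK completion line"),
        _ => Outcome::Cliffed,
    }
}

/// Largest surviving depth, given that `lo` survives and `hi` cliffs. A Fatal
/// probe aborts the search instead of being folded into the datapoint.
pub fn find_cliff<F: FnMut(usize) -> Outcome>(
    mut lo: usize, mut hi: usize, mut probe: F,
) -> Result<usize, &'static str> {
    while hi - lo > 1 {
        let mid = lo + (hi - lo) / 2;
        match probe(mid) {
            Outcome::Survived => lo = mid,
            Outcome::Cliffed => hi = mid,
            Outcome::Fatal(why) => return Err(why),
        }
    }
    Ok(lo)
}

/// True when `max_depth` levels use at most `headroom_pct` percent of `stack_bytes`.
pub fn fits_with_headroom(bytes_per_level: usize, max_depth: usize, stack_bytes: usize, headroom_pct: usize) -> bool {
    max_depth * bytes_per_level * 100 <= stack_bytes * headroom_pct
}

/// Worker body: `depth` frames of roughly 1 KiB each.
fn recurse(depth: usize) -> usize {
    let pad = [0u8; 1024];
    std::hint::black_box(&pad); // keep the frame from being optimised away
    if depth == 0 { 0 } else { 1 + recurse(depth - 1) }
}

fn worker(depth: usize, stack_kib: usize) -> i32 {
    let handle = std::thread::Builder::new()
        .stack_size(stack_kib * 1024)
        .spawn(move || recurse(depth))
        .expect("spawn worker thread");
    match handle.join() {
        Ok(n) => { println!("OK depth={depth} frames={n}"); 0 }
        Err(_) => 2, // join() only sees an unwinding panic; an overflow already aborted the process
    }
}

/// Re-exec this binary in worker mode and record what happened.
pub fn run_worker(depth: usize, stack_kib: usize) -> WorkerRun {
    let failed = |e: std::io::Error| WorkerRun { spawn_error: Some(e.to_string()), exit_code: None, stdout: String::new() };
    let exe = match std::env::current_exe() { Ok(p) => p, Err(e) => return failed(e) };
    match Command::new(exe).arg("worker").arg(depth.to_string()).arg(stack_kib.to_string()).stderr(Stdio::null()).output() {
        Ok(out) => WorkerRun { spawn_error: None, exit_code: out.status.code(), stdout: String::from_utf8_lossy(&out.stdout).into_owned() },
        Err(e) => failed(e),
    }
}

fn main() {
    let args: Vec<String> = std::env::args().collect();
    if args.len() == 4 && args[1] == "worker" {
        std::process::exit(worker(args[2].parse().expect("depth"), args[3].parse().expect("stack_kib")));
    }
    const STACK_KIB: usize = 1024; // the 1 MiB msvc main-thread floor
    const MAX_EXPR_DEPTH: usize = 128;
    let probe = |d: usize| classify(&run_worker(d, STACK_KIB));
    let (lo, hi) = (1, 4096); // 4096 KiB of frames cannot fit a 1 MiB stack
    if probe(lo) != Outcome::Survived || probe(hi) != Outcome::Cliffed {
        eprintln!("bracket failed: the measurement infrastructure is broken");
        std::process::exit(3);
    }
    match find_cliff(lo, hi, probe) {
        Err(why) => { eprintln!("fatal: {why}"); std::process::exit(3) }
        Ok(cliff) => {
            let bytes_per_level = STACK_KIB * 1024 / cliff;
            let ok = fits_with_headroom(bytes_per_level, MAX_EXPR_DEPTH, STACK_KIB * 1024, 80);
            println!("cliff={cliff} bytes/level={bytes_per_level} MAX_EXPR_DEPTH={MAX_EXPR_DEPTH} {}", if ok { "PASS" } else { "FAIL" });
            std::process::exit(if ok { 0 } else { 1 });
        }
    }
}
```

Build with `rustc -O measure.rs` and run it without arguments: the driver brackets the cliff first (depth 1 must survive, depth 4096 must cliff) so a broken re-exec surfaces as exit 3 rather than as a skewed datapoint, then binary-searches and applies the headroom rule. The classification and search are pure functions so they can be checked with a simulated worker without spawning anything.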