fix(pool): guard the grow_pool growth-size product against size_t overflow #100
Merged
…rflow BUG-0004 (low/latent): grow_pool computed `total * (grow_factor_ - 1)` before any overflow check, then validated `add * block_size_` — so the first multiplication could wrap size_t and feed the downstream guard an already-wrapped value. Add a would_overflow_product guard on the growth-count product first, mirroring the create-path guard; on overflow the pool falls back to fixed-mode exhaustion (returns false). Not runtime-reachable through the public API (RAM exhausts long before `total` nears the overflow boundary), so no test is added — it is a correctness/consistency gap closed by inspection. Recorded as BUG-0004 (fixed-in v1.1.2) in the bug ledger. Verified: clang-format / clang-tidy clean on memory_pool.cpp, consistency lint + markdownlint green. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
danielPoloWork added a commit that referenced this pull request on Jun 15, 2026
## Summary

Cuts the **v1.1.2** maintenance release — a **PATCH** bundling the four verified bug fixes (BUG-0001…0004, the first real use of the in-repo bug ledger) and the documentation work accumulated since `v1.1.1`. The library's public surface is unchanged (no API/ABI change). Full notes: [`docs/releases/v1.1.2.md`](docs/releases/v1.1.2.md).

## Motivation

SemVer PATCH per the [maintenance decision tree](docs/workflow/maintenance.md) (no public-surface change). Mechanics per [`docs/workflow/release.md`](docs/workflow/release.md).

## Changes

- **`version.hpp`** — PATCH `1 → 2`, STRING `"1.1.1" → "1.1.2"`; `pool_smoke` version `TEST_CASE` updated.
- **`CHANGELOG.md`** — `[Unreleased]` rolled into the immutable [`docs/changelog/v1/v1.1.2.md`](docs/changelog/v1/v1.1.2.md) (links re-based), `Unreleased` reset, index row added, compare link → `v1.1.2...HEAD`.
- **`docs/releases/v1.1.2.md`** — draft GitHub Release notes.
- **`README.md`** — status badge → `v1.1.2` + a new `v1.1.2` status paragraph.
- **i18n** — the two README translation rows marked `stale` (English README changed); the `zh-Hans`/`ja` re-sync is a follow-up. The `i18n-freshness` lint skips `stale` rows, so the gate stays green.

## Release contents

**Fixed:** BUG-0001 (InstrumentedPool growth-counter data race), BUG-0002 (`live_` underflow + header doc), BUG-0003 (move-assign `destroyed` event), BUG-0004 (`grow_pool` overflow guard). **Removed:** the `docs-site` README badge. **Changed:** `zh-Hans`/`ja` README re-synced to v1.1.1. ADR total stays 40.

## Design Patterns

- None — release bookkeeping.

## Verification

- [x] `python tools/consistency_lint.py` — OK (version-lockstep sees `version.hpp`/CHANGELOG/README badge/release notes all at `1.1.2`; `i18n-freshness` green)
- [x] `markdownlint-cli2` + `clang-format` clean
- [ ] CI build matrix + ASan/UBSan/TSan — validated on this PR (the bug fixes themselves landed and passed CI in #99/#100)

## Documentation Impact

- [x] README badge + paragraph; CHANGELOG rolled; release notes added
- [x] ROADMAP — N/A (maintenance PATCH, no milestone change)
- [x] PR metadata set — assignee, `chore` label, `v1.1.2` milestone (§6.4 / ADR-0040)

## After merge

The agent tags `v1.1.2` from `master` ([ADR-0008](docs/adr/0008-delegate-tag-creation-and-push-to-the-agent.md)); `release.yml` produces a **draft** GitHub Release; the maintainer clicks *Publish*. Then a follow-up PR re-syncs the `zh-Hans`/`ja` README translations to `v1.1.2` and closes the `v1.1.2` milestone.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
## Summary

Closes the latent `size_t` overflow in `grow_pool`'s growth-size computation (BUG-0004) — the last of the four verified third-party-reported defects. Core-only, no API change.

## Motivation

`grow_pool` computed `total * (grow_factor_ - 1)` before any overflow check, then validated `add * block_size_` — so the first multiplication could wrap `size_t` and feed the downstream guard an already-wrapped value. Inconsistent with the meticulous overflow handling on the create path (ADR-0009 §3). Record: BUG-0004.

## Changes

- `memory_pool.cpp` (`grow_pool`) — add `would_overflow_product(total, grow_factor_ - 1)` guard before computing `add`; on overflow the pool falls back to fixed-mode exhaustion, exactly as the existing guards do.
- `fixed`, `fixed-in: v1.1.2`) + index; `CHANGELOG` `Fixed` entry.

## Design Patterns

## Verification

- `clang-format` + `clang-tidy` clean on `memory_pool.cpp` (`grow_pool` compiles under the default build)
- `python tools/consistency_lint.py` — OK; `markdownlint-cli2` clean
- `total` nears the boundary); the record documents why

## Documentation Impact

- `CHANGELOG` `Fixed`
- `fix` label, `v1.1.2` milestone (§6.4 / ADR-0040)

## Context

Second and final fix PR for the four reported defects (PR #99 covered the three `InstrumentedPool` issues). After this merges, `v1.1.2` is ready to cut whenever you choose.

🤖 Generated with Claude Code
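To make the BUG-0004 failure mode concrete, the following is an added C++ example, not the project's `memory_pool.cpp`: `would_overflow_product`, the `GrowthPlan` struct and the two `plan_growth_*` functions are a reconstruction from the PR text, and `grow_factor >= 2` is an assumed precondition (the PR does not say where the factor is validated). The "before" variant reproduces the ordering the PR describes (unguarded `total * (grow_factor_ - 1)`, then a check on `add * block_size_`); the "after" variant adds the growth-count guard first and falls back to fixed-mode exhaustion by returning `ok == false`.

```cpp
#include <cstddef>
#include <cstdio>
#include <limits>

// Reconstruction (assumption, not the project's implementation): true when a * b
// would exceed SIZE_MAX, so the caller can refuse before the multiplication wraps.
constexpr bool would_overflow_product(std::size_t a, std::size_t b) {
    return a != 0 && b > std::numeric_limits<std::size_t>::max() / a;
}

struct GrowthPlan {
    bool ok;            // false => pool falls back to fixed-mode exhaustion
    std::size_t add;    // number of blocks the growth step would add
    std::size_t bytes;  // bytes the growth step would allocate
};

// "Before": mirrors the defect in BUG-0004. The growth-count product is computed
// unguarded; only add * block_size is checked, so an already-wrapped `add`
// passes the downstream guard. (Assumes grow_factor >= 2.)
GrowthPlan plan_growth_before(std::size_t total, std::size_t grow_factor,
                              std::size_t block_size) {
    std::size_t add = total * (grow_factor - 1);  // may wrap size_t
    if (would_overflow_product(add, block_size)) return {false, 0, 0};
    return {true, add, add * block_size};
}

// "After": guard the growth-count product first, mirroring the create-path
// guard, then keep the existing byte-size guard. (Assumes grow_factor >= 2.)
GrowthPlan plan_growth_after(std::size_t total, std::size_t grow_factor,
                             std::size_t block_size) {
    if (would_overflow_product(total, grow_factor - 1)) return {false, 0, 0};
    std::size_t add = total * (grow_factor - 1);  // now known not to wrap
    if (would_overflow_product(add, block_size)) return {false, 0, 0};
    return {true, add, add * block_size};
}

int main() {
    // Constructed input: total = 2^(bits-1), so total * 2 wraps to exactly 0 on
    // any size_t width. The unguarded path then "succeeds" with add == 0.
    const std::size_t half = std::numeric_limits<std::size_t>::max() / 2 + 1;
    GrowthPlan before = plan_growth_before(half, 3, 64);
    GrowthPlan after = plan_growth_after(half, 3, 64);
    std::printf("before: ok=%d add=%zu bytes=%zu\n", before.ok, before.add, before.bytes);
    std::printf("after:  ok=%d add=%zu bytes=%zu\n", after.ok, after.add, after.bytes);
    return 0;
}
```

The interesting case is the one where the wrapped product lands on a small value rather than a large one: `add * block_size_` is then well within range, the downstream guard is silent, and the pool reports a successful growth step that adds nothing. Checking the first product before it is computed is what closes that gap.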