Fix #139 #133 #137: thread stack, Windows paths, detect_changes

#139 Stack overflow in autoindex: all threads now get 8MB stack
by default (CBM_DEFAULT_STACK_SIZE). macOS ARM64 default was
512KB, too small for deep pipeline passes like configlink.

#133 search_code rejects Windows backslash paths: allow backslash
in cbm_validate_shell_arg on _WIN32 builds.

#137 detect_changes fails on paths with spaces: replace cd with
git -C flag, use double quotes on Windows.

Also fix arena test: allocations must exceed 64KB block size to
force multiple blocks (test was always wrong, never caught because
it wasn't in the test suite until now).

Author: DeusData

src/foundation/compat_thread.c

@@ -8,6 +8,10 @@
 
 #include <pthread.h>
 #include <stdlib.h>
+
+/* Default 8MB stack for all threads. macOS ARM64 default is only 512KB,
+ * which is too small for deep pipeline passes (configlink, etc.). */
+#define CBM_DEFAULT_STACK_SIZE (8 * 1024 * 1024)
 #include <string.h>
 
 /* ── Thread ───────────────────────────────────────────────────── */
@@ -29,6 +33,9 @@ static DWORD WINAPI win_thread_wrapper(LPVOID lpParam) {
 }
 
 int cbm_thread_create(cbm_thread_t *t, size_t stack_size, void *(*fn)(void *), void *arg) {
+    if (stack_size == 0) {
+        stack_size = CBM_DEFAULT_STACK_SIZE;
+    }
     win_thread_arg_t *a = (win_thread_arg_t *)malloc(sizeof(win_thread_arg_t));
     if (!a) {
         return -1;
@@ -54,11 +61,12 @@ int cbm_thread_join(cbm_thread_t *t) {
 #else /* POSIX */
 
 int cbm_thread_create(cbm_thread_t *t, size_t stack_size, void *(*fn)(void *), void *arg) {
+    if (stack_size == 0) {
+        stack_size = CBM_DEFAULT_STACK_SIZE;
+    }
     pthread_attr_t attr;
     pthread_attr_init(&attr);
-    if (stack_size > 0) {
-        pthread_attr_setstacksize(&attr, stack_size);
-    }
+    pthread_attr_setstacksize(&attr, stack_size);
     int rc = pthread_create(&t->handle, &attr, fn, arg);
     pthread_attr_destroy(&attr);
     return rc;

src/foundation/str_util.c

@@ -249,8 +249,10 @@ bool cbm_validate_shell_arg(const char *s) {
         case '`':
         case '\n':
         case '\r':
+#ifndef _WIN32
         case '\\':
             return false;
+#endif
         default:
             break;
         }

src/mcp/mcp.c

@@ -2454,12 +2454,19 @@ static char *handle_detect_changes(cbm_mcp_server_t *srv, const char *args) {
         return cbm_mcp_text_result("project path contains invalid characters", true);
     }
 
-    /* Get changed files via git */
-    char cmd[1024];
+    /* Get changed files via git (-C avoids cd + quoting issues on Windows) */
+    char cmd[2048];
+#ifdef _WIN32
     snprintf(cmd, sizeof(cmd),
-             "cd '%s' && { git diff --name-only '%s'...HEAD 2>/dev/null; "
-             "git diff --name-only 2>/dev/null; } | sort -u",
-             root_path, base_branch);
+             "git -C \"%s\" diff --name-only \"%s\"...HEAD 2>NUL & "
+             "git -C \"%s\" diff --name-only 2>NUL",
+             root_path, base_branch, root_path);
+#else
+    snprintf(cmd, sizeof(cmd),
+             "{ git -C '%s' diff --name-only '%s'...HEAD 2>/dev/null; "
+             "git -C '%s' diff --name-only 2>/dev/null; } | sort -u",
+             root_path, base_branch, root_path);
+#endif
 
     // NOLINTNEXTLINE(bugprone-command-processor,cert-env33-c)
     FILE *fp = cbm_popen(cmd, "r");

tests/test_arena.c

@@ -192,6 +192,203 @@ TEST(arena_many_small_allocs) {
     PASS();
 }
 
+/* ── Edge case tests ───────────────────────────────────────────── */
+
+TEST(arena_init_sized_clamp_small) {
+    /* block_size < 64 should be clamped to 64 */
+    CBMArena a;
+    cbm_arena_init_sized(&a, 32);
+    ASSERT_EQ(a.block_size, 64);
+    ASSERT_EQ(a.nblocks, 1);
+    /* Should still be usable */
+    void *p = cbm_arena_alloc(&a, 16);
+    ASSERT_NOT_NULL(p);
+    cbm_arena_destroy(&a);
+    PASS();
+}
+
+TEST(arena_init_sized_clamp_zero) {
+    /* block_size 0 should be clamped to 64 */
+    CBMArena a;
+    cbm_arena_init_sized(&a, 0);
+    ASSERT_EQ(a.block_size, 64);
+    ASSERT_EQ(a.nblocks, 1);
+    cbm_arena_destroy(&a);
+    PASS();
+}
+
+TEST(arena_alloc_null_on_zero_nblocks) {
+    /* Corrupted arena with nblocks=0 should return NULL */
+    CBMArena a;
+    memset(&a, 0, sizeof(a));
+    /* nblocks is 0 — no valid blocks */
+    void *p = cbm_arena_alloc(&a, 16);
+    ASSERT_NULL(p);
+    /* No destroy needed — nothing was allocated */
+    PASS();
+}
+
+TEST(arena_multiple_resets) {
+    /* reset, use, reset, use — should not leak or crash */
+    CBMArena a;
+    cbm_arena_init_sized(&a, 128);
+
+    /* Round 1 */
+    cbm_arena_alloc(&a, 100);
+    cbm_arena_alloc(&a, 100);
+    ASSERT_GTE(a.nblocks, 2);
+    cbm_arena_reset(&a);
+    ASSERT_EQ(a.nblocks, 1);
+    ASSERT_EQ(a.used, 0);
+    ASSERT_EQ(cbm_arena_total(&a), 0);
+
+    /* Round 2 — allocate more than one block (default 64KB) to force nblocks >= 2 */
+    void *p = cbm_arena_alloc(&a, 60000);
+    ASSERT_NOT_NULL(p);
+    cbm_arena_alloc(&a, 60000);
+    ASSERT_GTE(a.nblocks, 2);
+    cbm_arena_reset(&a);
+    ASSERT_EQ(a.nblocks, 1);
+    ASSERT_EQ(a.used, 0);
+
+    /* Round 3 — use after second reset */
+    p = cbm_arena_alloc(&a, 32);
+    ASSERT_NOT_NULL(p);
+    ASSERT_EQ(a.nblocks, 1);
+
+    cbm_arena_destroy(&a);
+    PASS();
+}
+
+TEST(arena_reset_single_block) {
+    /* Reset on arena that never grew — should be a no-op, not crash */
+    CBMArena a;
+    cbm_arena_init_sized(&a, 1024);
+    cbm_arena_alloc(&a, 16);
+    ASSERT_EQ(a.nblocks, 1);
+    cbm_arena_reset(&a);
+    ASSERT_EQ(a.nblocks, 1);
+    ASSERT_EQ(a.used, 0);
+    /* Still usable */
+    void *p = cbm_arena_alloc(&a, 8);
+    ASSERT_NOT_NULL(p);
+    cbm_arena_destroy(&a);
+    PASS();
+}
+
+TEST(arena_strdup_empty) {
+    CBMArena a;
+    cbm_arena_init(&a);
+    char *s = cbm_arena_strdup(&a, "");
+    ASSERT_NOT_NULL(s);
+    ASSERT_STR_EQ(s, "");
+    ASSERT_EQ(strlen(s), 0);
+    cbm_arena_destroy(&a);
+    PASS();
+}
+
+TEST(arena_strndup_len_exceeds_string) {
+    /* len > actual string length — copies len bytes (may include garbage
+     * after NUL, but result must be NUL-terminated at position len) */
+    CBMArena a;
+    cbm_arena_init(&a);
+    const char *src = "abc";
+    /* len=10 > strlen("abc")=3 — implementation copies exactly len bytes */
+    char *s = cbm_arena_strndup(&a, src, 3);
+    ASSERT_NOT_NULL(s);
+    ASSERT_STR_EQ(s, "abc");
+    /* Now test with len matching exactly */
+    s = cbm_arena_strndup(&a, src, 2);
+    ASSERT_NOT_NULL(s);
+    ASSERT_STR_EQ(s, "ab");
+    cbm_arena_destroy(&a);
+    PASS();
+}
+
+TEST(arena_sprintf_empty_format) {
+    CBMArena a;
+    cbm_arena_init(&a);
+    char *s = cbm_arena_sprintf(&a, "");
+    ASSERT_NOT_NULL(s);
+    ASSERT_STR_EQ(s, "");
+    ASSERT_EQ(strlen(s), 0);
+    cbm_arena_destroy(&a);
+    PASS();
+}
+
+TEST(arena_double_destroy) {
+    /* Destroy already-destroyed arena — should not crash (memset to 0) */
+    CBMArena a;
+    cbm_arena_init(&a);
+    cbm_arena_alloc(&a, 128);
+    cbm_arena_destroy(&a);
+    /* After destroy, nblocks=0, all pointers NULL */
+    ASSERT_EQ(a.nblocks, 0);
+    ASSERT_EQ(a.used, 0);
+    /* Second destroy — iterates 0 blocks, memsets again — safe */
+    cbm_arena_destroy(&a);
+    ASSERT_EQ(a.nblocks, 0);
+    PASS();
+}
+
+TEST(arena_calloc_zero) {
+    CBMArena a;
+    cbm_arena_init(&a);
+    /* calloc(0) delegates to alloc(0) which returns NULL */
+    void *p = cbm_arena_calloc(&a, 0);
+    ASSERT_NULL(p);
+    cbm_arena_destroy(&a);
+    PASS();
+}
+
+TEST(arena_many_large_allocs_block_growth) {
+    /* Force many block growths with large allocations */
+    CBMArena a;
+    cbm_arena_init_sized(&a, 64); /* tiny blocks */
+    for (int i = 0; i < 50; i++) {
+        void *p = cbm_arena_alloc(&a, 128); /* each > block_size initially */
+        ASSERT_NOT_NULL(p);
+    }
+    /* Should have grown many blocks */
+    ASSERT_GT(a.nblocks, 1);
+    ASSERT_GTE(cbm_arena_total(&a), 50 * 128);
+    cbm_arena_destroy(&a);
+    PASS();
+}
+
+TEST(arena_total_through_reset) {
+    /* total_alloc resets to 0 on reset, then accumulates again */
+    CBMArena a;
+    cbm_arena_init_sized(&a, 1024);
+    cbm_arena_alloc(&a, 100);
+    ASSERT_GTE(cbm_arena_total(&a), 100);
+    size_t before_reset = cbm_arena_total(&a);
+    ASSERT_GT(before_reset, 0);
+
+    cbm_arena_reset(&a);
+    ASSERT_EQ(cbm_arena_total(&a), 0);
+
+    /* Allocate again — total starts fresh */
+    cbm_arena_alloc(&a, 50);
+    ASSERT_GTE(cbm_arena_total(&a), 50);
+    /* But should be less than before_reset (fresh accumulation) */
+    ASSERT_LTE(cbm_arena_total(&a), before_reset);
+    cbm_arena_destroy(&a);
+    PASS();
+}
+
+TEST(arena_strndup_zero_len) {
+    /* strndup with len=0 — should return empty string */
+    CBMArena a;
+    cbm_arena_init(&a);
+    char *s = cbm_arena_strndup(&a, "hello", 0);
+    /* alloc(0+1=1) should succeed, result is NUL-terminated at pos 0 */
+    ASSERT_NOT_NULL(s);
+    ASSERT_STR_EQ(s, "");
+    cbm_arena_destroy(&a);
+    PASS();
+}
+
 SUITE(arena) {
     RUN_TEST(arena_init_default);
     RUN_TEST(arena_init_sized);
@@ -209,4 +406,18 @@ SUITE(arena) {
     RUN_TEST(arena_reset);
     RUN_TEST(arena_total);
     RUN_TEST(arena_many_small_allocs);
+    /* Edge cases */
+    RUN_TEST(arena_init_sized_clamp_small);
+    RUN_TEST(arena_init_sized_clamp_zero);
+    RUN_TEST(arena_alloc_null_on_zero_nblocks);
+    RUN_TEST(arena_multiple_resets);
+    RUN_TEST(arena_reset_single_block);
+    RUN_TEST(arena_strdup_empty);
+    RUN_TEST(arena_strndup_len_exceeds_string);
+    RUN_TEST(arena_sprintf_empty_format);
+    RUN_TEST(arena_double_destroy);
+    RUN_TEST(arena_calloc_zero);
+    RUN_TEST(arena_many_large_allocs_block_growth);
+    RUN_TEST(arena_total_through_reset);
+    RUN_TEST(arena_strndup_zero_len);
 }