cintegration: C harness for libpilot //export surface #2

Merged
TeoSlayer merged 1 commit into main from cintegration-harness on May 27, 2026

Conversation

@TeoSlayer
Contributor

Summary

Adds a C-side integration harness that drives libpilot's //export surface — code that's literally unreachable from Go test files (Go forbids `import "C"` in _test.go files of packages with //export directives).

  • 29 FFI paths exercised: handle-table edges, NULL pointers, negative lengths, oversized buffers, malformed inputs
  • Coverage instrumentation works via a new build-tag-gated helper (coverflush.go) that exposes runtime/coverage.WriteCountersDir as a //export; the harness calls it before C exit() skips Go's atexit handlers
  • Raises pure-C harness coverage to 20.8% (combined with the prior Go-test PR: ~25% effective)

Audit verification

The iter-3 CRITICAL-2 finding (C.GoBytes panic on negative length) is mostly unreachable from C: PilotConnWrite/PilotSendTo/PilotBroadcast all call loadHandle() first, so a bad handle short-circuits to error JSON before the negative length matters. Real defensive-coding gap, but exploitability downgrades from CRITICAL to MED — needs a valid handle (live daemon connection) PLUS negative dataLen.

Files

  • cintegration/harness.c (503 lines) — 29 test functions, each checks has_error() on the returned JSON and tracks PASS/FAIL
  • cintegration/Makefile — builds the dylib with -tags coverflush -cover -covermode=atomic, links the harness with rpath, runs with GOCOVERDIR set, folds counters to a textfmt profile
  • cintegration/.gitignore — excludes build artifacts
  • coverflush.go — single 38-line file gated by //go:build coverflush; does NOT ship in production builds

How to run

```sh
cd cintegration && make cover
```

Test plan

  • make cover produces coverage.out with 20.8% of statements (verified locally on darwin/arm64)
  • All 29 harness tests pass (zero panics across NULL/negative/invalid-handle paths)
  • CI passes (Go tests unaffected by the new build tag)

Go's test toolchain refuses `import "C"` in _test.go files of packages
that already carry //export directives. That leaves ~250 of libpilot's
~290 statements out of reach of `go test -cover` — every PilotXxx
wrapper and its companion helpers (errJSON, okJSON, driverFromHandle)
have C-typed signatures and cannot be called from Go test code.

cintegration/ fills the gap by driving the compiled c-shared library
from C. The harness:

- exercises 29 FFI paths covering handle-table edges (zero / unknown
  handles), parameter-validation (NULL pointers, negative lengths,
  oversized buffers), and error paths for every endpoint that doesn't
  need a live daemon
- runs under -cover instrumentation by building libpilot with
  `-tags coverflush -cover -covermode=atomic -buildmode=c-shared`,
  then calling the new PilotCoverFlush //export before the C exit()
  bypasses Go's atexit handlers
- raises pure-C harness coverage to 20.8% (combined with Go-side
  zz_internal_test.go: ~25% effective)

coverflush.go is build-tag-gated (`coverflush`) so PilotCoverFlush
does NOT ship in production builds — it's purely a coverage escape
hatch.

Audit verification turned up by running the harness: the iter-3
CRITICAL-2 finding "C.GoBytes panic on negative length" is mostly
unreachable from C. PilotConnWrite / PilotSendTo / PilotBroadcast
all call loadHandle() before C.GoBytes; a bad handle short-circuits
to error JSON before negative length matters. To actually trigger
the panic the caller needs a valid handle (live daemon connection)
AND negative dataLen — real defensive-coding gap but the
exploitability is MED, not CRITICAL as originally graded.
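
The check ordering the audit note describes, as an added example that is not libpilot's code: a cgo-free Go model of a PilotConnWrite-style wrapper in which loadHandle() short-circuits a bad handle to error JSON before the length is examined, and the negative-dataLen gap is closed by validating the length before any copy. The handle table, the conn type and the goBytes helper standing in for C.GoBytes are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"unsafe"
)

// Assumed shapes, not libpilot's: conn is a stand-in for a live daemon connection.
type conn struct{ written []byte }
var handles = map[uint64]*conn{1: {}} // constructed handle table; 0 is never valid

func errJSON(msg string) string {
	b, _ := json.Marshal(map[string]string{"error": msg})
	return string(b)
}

func loadHandle(h uint64) (*conn, error) {
	if c, ok := handles[h]; ok {
		return c, nil
	}
	return nil, errors.New("unknown handle")
}

// goBytes copies like C.GoBytes but refuses the inputs that would make it panic.
func goBytes(p unsafe.Pointer, n int) ([]byte, error) {
	if n < 0 {
		return nil, errors.New("negative length")
	}
	if p == nil && n > 0 {
		return nil, errors.New("NULL data")
	}
	return append([]byte{}, unsafe.Slice((*byte)(p), n)...), nil
}

// PilotConnWrite models the wrapper: a bad handle short-circuits to error JSON
// before dataLen is examined, and a negative dataLen is now an error, not a panic.
func PilotConnWrite(h uint64, data unsafe.Pointer, dataLen int) string {
	c, err := loadHandle(h)
	if err != nil {
		return errJSON(err.Error())
	}
	buf, err := goBytes(data, dataLen)
	if err != nil {
		return errJSON(err.Error())
	}
	c.written = append(c.written, buf...)
	b, _ := json.Marshal(map[string]int{"written": len(buf)})
	return string(b)
}
```

The harness-visible behaviour is the returned JSON: every invalid combination of handle, pointer and length produces an error object that a has_error()-style check can detect, and nothing panics.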
@codecov

codecov Bot commented May 27, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.


@TeoSlayer TeoSlayer merged commit 77d4c87 into main May 27, 2026
2 checks passed
@TeoSlayer TeoSlayer deleted the cintegration-harness branch May 27, 2026 23:03