V: enable stack usage guard

[masatake]

Fixes #4369 (CVE-2026-2641)
Fixes #4409

GHSA-69fg-c96p-c6fq

Author: Masatake YAMATO [email protected]
Date: Fri Feb 20 04:23:04 2026 +0900

V: enable stack usage guard

Enable the stack usage guard in the V parser.

Partially fixes: #4369
Partially addresses: CVE-2026-2641

The default stack limit is 4MB.
It may need adjustment on platforms with smaller default
stack sizes. (WIP)

Signed-off-by: Masatake YAMATO <[email protected]>

Author: Masatake YAMATO [email protected]
Date: Fri Feb 20 04:22:45 2026 +0900

main: add stack usage guard

Introduce a stack usage guard to prevent stack overflow
in deeply nested input.
as
The default stack limit is currently 4MB.
It can be adjusted with the --stack-limit=<bytes> option.

This change adds the infrastructure in the main part.
Individual parsers must explicitly enable the guard
to benefit from stack protection.

Signed-off-by: Masatake YAMATO <[email protected]>

TODO:

• update the man page
• write about how to enable the stack guard for a parser in the hacking guide
• add test cases
  • for JavaScript
  • for V
• add NEWS entry
• adjust the default value of the limit (getrlimit() may give us the hint).
• add code for Windows
• limit the automatic scope builder (JavaScript parser can crash or exhaust memory with deeply nested functions #4409)
• verify the portability of %zu format spec

[codecov]

Codecov Report

❌ Patch coverage is 79.16667% with 30 lines in your changes missing coverage. Please review.
✅ Project coverage is 85.97%. Comparing base (76e4cc2) to head (f253e51).

Files with missing lines	Patch %	Lines
main/stackguard.c	88.46%	9 Missing ⚠️
parsers/jscript.c	25.00%	9 Missing ⚠️
main/options.c	80.00%	5 Missing ⚠️
parsers/v.c	28.57%	5 Missing ⚠️
main/entry.c	50.00%	2 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #4387      +/-   ##
==========================================
- Coverage   85.98%   85.97%   -0.02%     
==========================================
  Files         255      256       +1     
  Lines       63884    64023     +139     
==========================================
+ Hits        54931    55042     +111     
- Misses       8953     8981      +28     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[Copilot]

Pull request overview

Enables an opt-in stack usage guard to mitigate stack overflows during parsing (notably for the V parser), and adds a CLI option to configure the guard’s limit.

Changes:

• Add stack guard infrastructure (main/stackguard.c, main/stackguard_p.h) and wire it into the parse loop via per-parser discardInput.
• Enable the guard in the V parser and expose --stack-limit=<bytes> plus diagnostics (verbose + totals).
• Update build files (make + VS project) and adjust expected outputs for updated diagnostics.

Reviewed changes

Copilot reviewed 18 out of 18 changed files in this pull request and generated 10 comments.

Show a summary per file

File	Description
win32/ctags_vs2013.vcxproj.filters	Adds stackguard sources/headers to VS filters for building on Windows.
win32/ctags_vs2013.vcxproj	Includes stackguard source/header in the VS project build.
source.mak	Adds stackguard source/header to the build lists for non-Windows builds.
parsers/v.c	Enables stack guard checks in an expression list parse path; provides parser-specific EOF discard function.
main/stats.c	Prints observed peak stack usage in totals output.
main/stackguard_p.h	Declares the stack guard API used by main/options/parse/stats.
main/stackguard.c	Implements stack tracking, limit handling, and peak usage tracking.
main/parse_p.h	Declares the query function for stack-guard support (typo present).
main/parse.h	Adds discardInputFn hook and exposes stackGuardCheck to parsers.
main/parse.c	Prepares/releases stack guard around parser execution; adds support query function (typo present).
main/options.c	Adds --stack-limit option and prints “stack guard supported/unsupported” in language description; updates some error messages.
main/main.c	Logs the computed stack limit in verbose mode.
configure.ac	Detects sys/resource.h for getrlimit-based default limit computation.
Tmain/versioning.d/stdout-expected.txt	Updates expected “describe language” output for “stack guard” line.
Tmain/broken-tagname.d/stderr-expected.txt	Updates expected verbose output to include stack limit line.
Tmain/broken-tagname.d/run.sh	Adds --stack-limit=8192 to stabilize verbose output and adjusts sed formatting.
Tmain/broken-tagname-in-ectags-format.d/stderr-expected.txt	Updates expected verbose output to include stack limit line.
Tmain/broken-tagname-in-ectags-format.d/run.sh	Adds --stack-limit=8192 to stabilize verbose output.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

This introduces new control-flow behavior (early return + EOF discard) when the stack limit is exceeded, but the PR description lists 'add test cases' as TODO and the current diffs only stabilize verbose output tests. Add an integration test that forces deep nesting in V input (or a dedicated selftest parser case) to assert: (1) a NOTICE is emitted about exceeding the limit, and (2) parsing terminates safely without crashing/hanging.

[masatake]

The DTS parser looks broken.
When processing the Linux source tree, 32, the limit defined in 7a35227 causes many notice messages.

[masatake]

ulimit based test may not work on Windows.

[masatake]

Cygwin:

/home/runner/work/ctags/ctags/Tmain/stack-guard-option.d/stdout-diff.txt

	--- ./Tmain/stack-guard-option.d/stdout-expected.txt	2026-05-07 19:40:59.220998901 +0000
	+++ /home/runner/work/ctags/ctags/Tmain/stack-guard-option.d/stdout-actual.txt	2026-05-07 19:42:54.339347000 +0000
	@@ -3,2 +2,0 @@
	-Notice: call stack exceeds the limit (LIMIT) during processing input: input.v
	-qnCmeoduen	input.v	/^moluleptt b); assi9223372036854775n b const qnCmeoduen=$/;"	c
	@@ -11,2 +8,0 @@
	-Notice: call stack exceeds the limit (LIMIT) during processing input: input.v
	-qnCmeoduen	input.v	/^moluleptt b); assi9223372036854775n b const qnCmeoduen=$/;"	c
	@@ -19 +14,0 @@
	-Warning: don't specify stack limit larger than default: 32769 > 32768
	@@ -22,0 +18,4 @@
	+# ulimit(HELP): 64, no option
	+  --stack-limit=<bytes>
	+       Limit the stack usage while parsing, in bytes [18446744073709518847].
	+
	@@ -24,2 +22,0 @@
	-Notice: call stack exceeds the limit (LIMIT) during processing input: input.js
	-f0	input.js	/^var f0 = function(LIMIT) {$/;"	f

/home/runner/work/ctags/ctags/Tmain/stack-guard-option.d/stderr-diff.txt

	--- ./Tmain/stack-guard-option.d/stderr-expected.txt	2026-05-07 19:40:59.220998901 +0000
	+++ /home/runner/work/ctags/ctags/Tmain/stack-guard-option.d/stderr-actual.txt	2026-05-07 19:42:54.339376000 +0000
	@@ -0,0 +1,3 @@
	+Segmentation fault (core dumped)
	+Segmentation fault (core dumped)
	+Segmentation fault (core dumped)

FreeBSD:

	--- ./Tmain\stack-guard-option.d/stdout-expected.txt	2026-05-07 19:41:48.388036100 +0000
	+++ D:/a/ctags/ctags/Tmain/stack-guard-option.d/stdout-actual.txt	2026-05-07 19:48:39.894513000 +0000
	@@ -19 +18,0 @@
	-Warning: don't specify stack limit larger than default: 32769 > 32768
	@@ -21,0 +21,4 @@
	+
	+# ulimit(HELP): 64, no option
	+  --stack-limit=<bytes>
	+       Limit the stack usage while parsing, in bytes [2048000].

ctags on both platforms use getrlimit.

[masatake]

The way to handle RLIM_INFINITY is completely wrong.
If a user specifies RLIM_INFINITY (via ulimit -s), ctags should disable the stack usage guard.