roots666
diff --git a/‎.github/workflows/release.yml‎
Lines changed: 7 additions & 3 deletions b/‎.github/workflows/release.yml‎
Lines changed: 7 additions & 3 deletions
diff --git a/‎CHANGELOG.md‎
Lines changed: 29 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 29 additions & 0 deletions
diff --git a/‎Makefile‎
Lines changed: 1 addition & 0 deletions b/‎Makefile‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎README.md‎
Lines changed: 8 additions & 2 deletions b/‎README.md‎
Lines changed: 8 additions & 2 deletions
diff --git a/‎ROADMAP.md‎
Lines changed: 11 additions & 2 deletions b/‎ROADMAP.md‎
Lines changed: 11 additions & 2 deletions
diff --git a/‎include/macros.inc‎
Lines changed: 36 additions & 1 deletion b/‎include/macros.inc‎
Lines changed: 36 additions & 1 deletion
diff --git a/‎include/macros_arm64.inc‎
Lines changed: 1 addition & 1 deletion b/‎include/macros_arm64.inc‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎include/syscalls_aarch64.inc‎
Lines changed: 5 additions & 0 deletions b/‎include/syscalls_aarch64.inc‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎include/syscalls_amd64.inc‎
Lines changed: 2 additions & 0 deletions b/‎include/syscalls_amd64.inc‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎scripts/test_diagnostics.sh‎
Lines changed: 39 additions & 0 deletions b/‎scripts/test_diagnostics.sh‎
Lines changed: 39 additions & 0 deletions
@@ -24,9 +24,9 @@ jobs:
           sudo apt-get update
           sudo apt-get install -y nasm make binutils
 
-      - name: Build amd64 binary
+      - name: Build and test amd64
         run: |
-          make build-amd64
+          make test-all
           strip build/mini-init-amd64
 
       - name: Upload amd64 artifact
@@ -47,13 +47,17 @@ jobs:
       - name: Install cross-compile dependencies
         run: |
           sudo apt-get update
-          sudo apt-get install -y nasm make binutils gcc-aarch64-linux-gnu binutils-aarch64-linux-gnu
+          sudo apt-get install -y nasm make binutils gcc-aarch64-linux-gnu binutils-aarch64-linux-gnu qemu-user-static file
 
       - name: Build arm64 binary
         run: |
           make build-arm64
           aarch64-linux-gnu-strip build/mini-init-arm64
 
+      - name: ARM64 fallback smoke (QEMU-user)
+        run: |
+          ARM64_FALLBACK=1 EP_ARM64_FALLBACK=1 bash scripts/test_harness_arm64.sh build/mini-init-arm64
+
       - name: Upload arm64 artifact
         uses: actions/upload-artifact@v4
         with:
 
@@ -0,0 +1,29 @@
+# Changelog
+
+## 0.2.0 - 2025-12-13
+
+### Fixed
+
+- Fix critical PID1 hang: main-child exit could be missed during SIGCHLD storms (now reliably detected/reported on both amd64 and arm64).
+- Fix amd64 restart-mode stack safety when max restarts are reached.
+- Prevent `epoll` fd leakage into the exec’ed child (`epoll_create1(EPOLL_CLOEXEC)`).
+- Avoid SIGKILL escalation to a reused/nonexistent PGID (`kill(-pgid, 0)` probe before escalation).
+- Fix verbose logging writing a NUL byte in timestamps.
+
+### Improved
+
+- More actionable verbose logs: signal number, grace seconds, restart backoff seconds, and restart count.
+- Harden `EP_SIGNALS` parsing:
+  - Trim trailing whitespace per token.
+  - Real-time signals are now bounded to the kernel max (`RT1..RT30`).
+- Numeric env vars are now parsed strictly as decimal digits; invalid/overflow values are ignored (warnings in verbose mode).
+- Timer-related seconds (grace/backoff) are clamped to fit signed 64-bit seconds.
+- `EP_EXIT_CODE_BASE` is now validated as `0..255` (out-of-range values are ignored; default applies).
+- ARM64/QEMU: remove `msub` usage in hot paths; in `EP_ARM64_FALLBACK=1` mode timestamps are omitted to reduce QEMU-user flakiness.
+
+### Tests/Docs
+
+- Add an edge-case test covering “main child exits while many other children are reaped”.
+- Update docs to reflect RT signal bounds and ARM64 fallback timestamp behavior.
+- ARM64/QEMU: in fallback mode, smoke tests now exercise `--version` and the wait4-only path (helper exit propagation) instead of skipping entirely.
+- Clean up `scripts/*` quoting to avoid common ShellCheck warnings (SC2016/SC2086).
@@ -55,6 +55,7 @@ test-all: test-amd64
 	bash scripts/test_edge_cases.sh $(BUILD_DIR)/$(TARGET_AMD64)
 	bash scripts/test_exit_code_mapping.sh $(BUILD_DIR)/$(TARGET_AMD64)
 	bash scripts/test_restart.sh $(BUILD_DIR)/$(TARGET_AMD64)
+	bash scripts/test_diagnostics.sh $(BUILD_DIR)/$(TARGET_AMD64)
 
 $(AMD64_BUILD_DIR):
 	mkdir -p $@
 
@@ -176,14 +176,16 @@ mini-init-{amd64|arm64} [--verbose|-v] [--version|-V] -- <command> [args...]
 
 ### Environment variables
 
+Numeric env vars are parsed as **non-negative decimal**. If a value is invalid/overflows, it is ignored (defaults apply); in verbose mode a warning is logged. Timer-related values (grace/backoff seconds) are clamped to fit in signed 64-bit seconds.
+
 - `EP_GRACE_SECONDS`
   Grace period (in seconds) from the *first* forwarded soft signal to `SIGKILL` escalation.
   Default: `10`.
 
 - `EP_SIGNALS`
   CSV of **additional** signal names to monitor/forward (case-sensitive).
-  Supported names: `USR1,USR2,PIPE,WINCH,TTIN,TTOU,CONT,ALRM,RT1,...,RT31`
-  (`RTN` = `SIGRTMIN+N`, 1–31).
+  Supported names: `USR1,USR2,PIPE,WINCH,TTIN,TTOU,CONT,ALRM,RT1,...,RT30`
+  (`RTN` = `SIGRTMIN+N`, 1–30).
   These **augment** the built-in set: `HUP,INT,QUIT,TERM,CHLD` plus default forwarding
   of `USR1,USR2,PIPE,WINCH,TTIN,TTOU,CONT,ALRM`.
   Unknown tokens are ignored with a warning. In verbose mode we only log
@@ -192,12 +194,14 @@ mini-init-{amd64|arm64} [--verbose|-v] [--version|-V] -- <command> [args...]
 - `EP_SUBREAPER`
   If set to `1`, enables `PR_SET_CHILD_SUBREAPER` so that `mini-init-asm` adopts orphaned
   grandchildren. Useful when nested processes need proper reaping.
+  `mini-init-asm` still exits when the main child exits (it does not wait indefinitely for adopted descendants).
   Default: disabled.
 
 - `EP_EXIT_CODE_BASE`
   Base value for mapping “killed by signal” to exit code:
   `exit_code = EP_EXIT_CODE_BASE + signal_number` (default base `128`, like shells).
   For example, `SIGKILL` (9) with base 200 → exit code 209.
+  Valid range: `0..255` (out-of-range values are ignored; default applies).
 
 - `EP_RESTART_ENABLED`
   If set to `1`, enables **restart-on-crash**: when the child is killed by a signal
@@ -219,6 +223,8 @@ mini-init-{amd64|arm64} [--verbose|-v] [--version|-V] -- <command> [args...]
 - `EP_ARM64_FALLBACK` (ARM64/QEMU only)
   If set to `1`, ARM64 builds skip the epoll/signalfd path and use a simpler
   `wait4` loop. Intended as a workaround for QEMU user-mode flakiness in CI smoke tests.
+  This mode does **not** provide the full signal-forwarding/grace-timer behavior; it primarily verifies spawn + exit-code propagation.
+  In fallback mode, verbose logs may omit timestamps to avoid QEMU-user emulation issues.
   Default: `0` (CI jobs typically set this).
 
 ### Examples
 
@@ -4,13 +4,22 @@ This document tracks planned features and improvements for `mini-init-asm`.
 
 ## Short-term (Next Release)
 
+### Possible next steps
+
+- Native ARM64 validation (real hardware or full-system QEMU) for the normal epoll/signalfd path.
+- Consider optional `EP_SUBREAPER_WAIT=1` (wait for adopted children after main child exit) and document tradeoffs.
+- Consider `EP_RESTART_ON_NONZERO_EXIT=1` (opt-in) if restart-on-crash should include nonzero normal exits.
+- Clamp `EP_MAX_RESTARTS` to a sane upper bound to avoid pathological loops.
+- Continue improving diagnostics while keeping pure-syscall design (e.g., log child PGID, kill/escalation decisions).
+
 ### Arm64 tests on linux
 
-- QEMU user-mode remains flaky: ARM64 binary hangs/SIGILLs under `qemu-aarch64-static` right after startup (even with fallback mode).
+- QEMU user-mode remains flaky: ARM64 binary hangs/SIGILLs under `qemu-aarch64-static` right after startup (historically even with fallback mode).
 - Helpers (`helper-exit42`, `helper-sleeper`) run fine under QEMU; issue is specific to `mini-init-arm64` user-mode emulation.
 - Instrumentation shows execution reaches `get_timestamp_ptr`/epoll setup, then no further syscalls; QEMU SIGILL is likely emulator-specific.
 - Added `EP_ARM64_FALLBACK`/`ARM64_FALLBACK` env to skip the QEMU smoke in CI while keeping native behavior unchanged.
-- Next: validate on native ARM64 hardware or full-system QEMU; try newer QEMU user-mode or replace `udiv`/`msub` in `get_timestamp_ptr` with a simpler divide loop if emulation keeps failing.
+- Implemented a safer path: removed `msub` usage and made `EP_ARM64_FALLBACK=1` omit timestamp formatting to avoid QEMU-user issues.
+- Next: validate on native ARM64 hardware or full-system QEMU; try newer QEMU user-mode if emulation still fails.
 
 ---
 
 
@@ -29,7 +29,7 @@
     je %%done
     call get_timestamp_ptr
     mov rax, SYS_write
-    mov rdx, 19
+    mov rdx, 18
     mov rdi, 2
     mov rsi, rax
     syscall
@@ -86,3 +86,38 @@ parse_u64_dec:
     jmp .loop
   .done:
     ret
+
+; strict parse decimal u64 (digits only, non-empty, full-string)
+; in:  rsi = ptr to NUL-terminated string
+; out: rax = value (undefined if rdx=0), rdx = 1 if valid else 0
+parse_u64_dec_checked:
+    xor rax, rax
+    xor r11, r11              ; ok=0
+    mov r8b, [rsi]
+    test r8b, r8b
+    je .bad
+.loop_checked:
+    mov r8b, [rsi]
+    test r8b, r8b
+    je .ok
+    cmp r8b, '0'
+    jb .bad
+    cmp r8b, '9'
+    ja .bad
+    mov r11, 1
+    mov rcx, 10
+    mul rcx                   ; rdx:rax = rax*10
+    test rdx, rdx
+    jne .bad
+    movzx rcx, r8b
+    sub rcx, '0'
+    add rax, rcx
+    jc .bad
+    inc rsi
+    jmp .loop_checked
+.ok:
+    mov rdx, r11
+    ret
+.bad:
+    xor rdx, rdx
+    ret
@@ -27,7 +27,7 @@
     bl get_timestamp_ptr
     mov x1, x0
     mov x0, #2
-    mov x2, #19
+    mov x2, #18
     SYSCALL SYS_write
     mov x0, #2
     adrp x1, \msg_ptr
 
@@ -25,6 +25,7 @@
 // epoll/op flags
 .equ EPOLL_CTL_ADD, 1
 .equ EPOLLIN,       1
+.equ EPOLL_CLOEXEC, 02000000
 
 // sigprocmask how
 .equ SIG_BLOCK,     0
@@ -57,6 +58,10 @@
 .equ SIGRTMIN, 34
 .equ SIGRTMAX, 64
 
+// errno subset
+.equ ESRCH, 3
+.equ EINTR, 4
+
 // timerfd/signalfd flags
 .equ TFD_CLOEXEC,   02000000
 .equ TFD_NONBLOCK,  00004000
 
@@ -23,6 +23,7 @@
 ; epoll/op flags
 %define EPOLL_CTL_ADD 1
 %define EPOLLIN       1
+%define EPOLL_CLOEXEC  02000000o
 
 ; sigprocmask how
 %define SIG_BLOCK     0
@@ -56,6 +57,7 @@
 %define SIGRTMAX 64
 
 ; errno subset
+%define ESRCH         3
 %define EINTR         4
 
 ; timerfd/signalfd flags (octal per manpages)
 
@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+BIN="${1:-./build/mini-init-amd64}"
+
+echo "[test] Diagnostics/verbose logging checks"
+
+tmp="$(mktemp)"
+tmp2="$(mktemp)"
+cleanup() {
+  rm -f "$tmp" "$tmp2"
+}
+trap cleanup EXIT
+
+echo "[test] 1) Logs include signal and grace_seconds"
+EP_GRACE_SECONDS=2 "$BIN" -v -- /bin/bash scripts/fixtures/trap_exit0.sh 2>"$tmp" &
+pid=$!
+sleep 0.5
+kill -TERM "$pid"
+set +e
+wait "$pid"
+wait_rc=$?
+set -e
+echo "[test] rc=$wait_rc"
+test "$wait_rc" -eq 0
+grep -q "DEBUG: signal=" "$tmp"
+grep -q "DEBUG: grace_seconds=" "$tmp"
+
+echo "[test] 2) Logs include restart_count on restart"
+set +e
+EP_RESTART_ENABLED=1 EP_MAX_RESTARTS=1 EP_RESTART_BACKOFF_SECONDS=0 \
+  "$BIN" -v -- /bin/sh -c "kill -SEGV \$\$" 2>"$tmp2"
+wait_rc=$?
+set -e
+echo "[test] rc=$wait_rc"
+test "$wait_rc" -eq 139
+grep -q "DEBUG: restart_count=" "$tmp2"
+
+echo "[test] Diagnostics tests passed"