makiri 0.4.0-x86_64-linux → 0.5.0-x86_64-linux

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 80f4b2b7459af8f421bdd5ffa526c70aaca8fcd5bdbfca64bd01f240487b2347
-  data.tar.gz: 28eeacf29507338f372622e73d8921ef99fd390975f9fba666608e9087eab467
+  metadata.gz: 64d3fbdbe21dbbfddf413832c97e9f5f32dc020ff0c3f01efb75232fca32085c
+  data.tar.gz: 37990c3d0d3032aa088240d76edfcfeb4a4f598d87e770aef7a21a19a7de5446
 SHA512:
-  metadata.gz: d8d70b1e3e4e4f94f0d4f3fd34e28677d2b87908a0c7e9b7ff34cef14d5a5dd318d8de473afbc5a10cc3f54f0f30945778f256fc3a303cffc734e02c7b9c6509
-  data.tar.gz: 2c97c8f1d5deb67e9a37ffd87dbca033c3788507890d6f8be14facf205aa584448cc4c9b12f0ce81989b6dffbdea82631cbf9b7b9de513d05fc5f2e0f8bf566d
+  metadata.gz: 933fcc0d10a4923c0c1f1541845a6a46b60dc8091cbe54fcd8edd85e7d17321decff9d080f294997a2c21608ae948557e94cc971514c37f6c72de751fa9d4b23
+  data.tar.gz: b3159878da760a16387247bd0e32a6c15e84d85dac066bb334397b27e9ba98429c73144c8ae0a35b513420826aebbc24b5a74b19988857274dfa72afea69b714

data/.github/workflows/valgrind.yml

@@ -1,9 +1,18 @@
 name: Valgrind + GC.compact
 
 on:
-  # Nightly: these jobs are heavy (Valgrind is ~10-50x slower, GC.stress is ~10x
-  # slower) and check structural properties that do not vary by day-to-day code
-  # churn, so run them on a schedule rather than on every push/PR.
+  # Valgrind memcheck ALSO runs on push to main: it is the only check without a
+  # frequency threshold (any "definitely lost" / uninitialised-value use fails,
+  # unlike the PR-level macOS leak gate, which only flags stacks repeated >=30x),
+  # so a leak on a rarely-hit error path slips past the PR gates and would
+  # otherwise surface only on the next nightly. Running it post-merge catches such
+  # regressions within ~30 min without adding ~20 min to every PR. (It is gated to
+  # main only, not pull_request, to keep PR latency low.)
+  #
+  # The GC.stress job stays nightly-only (see its `if:` below): it is heavy and
+  # checks structural properties that do not vary by day-to-day churn.
+  push:
+    branches: [main, master]
   schedule:
     - cron: "0 2 * * *"
   workflow_dispatch:
@@ -61,32 +70,44 @@ jobs:
       - name: Run spec suite under Valgrind (ruby_memcheck)
         run: bundle exec rake spec:valgrind
 
-  # GC.auto_compact + GC.stress run of the full spec suite.  This structurally
-  # tests the borrowed-pointer discipline under the condition that Ruby Strings
-  # actually move (compaction) and that every allocation triggers a full GC
-  # cycle (stress).  Failures here are typically use-after-move or stale
+  # GC.auto_compact + GC.stress over the GC-sensitive examples.  This
+  # structurally tests the borrowed-pointer discipline under the condition that
+  # Ruby Strings actually move (compaction) and that every allocation triggers a
+  # full GC cycle (stress).  Failures here are typically use-after-move or stale
   # pointer bugs in the C extension or bridge layer.
   #
-  # THREADING is deliberately OFF here.  The :threading suite (spec/threading_spec.rb)
-  # is 8 threads x tens of iterations, and forcing the job-level GC.stress onto it
-  # means a full GC per allocation across every thread - which made this job run
-  # for 30+ minutes without finishing.  It also adds little: that suite already
-  # runs in ci.yml (ubuntu/3.4), and its GC-sensitive examples opt into GC.stress
-  # themselves via their own `around` hook, so cross-thread interactions are
-  # covered there.  This job's unique value is the *single-threaded* full suite
-  # under stress+compaction, which catches use-after-move across every code path.
+  # Scope: only the examples tagged `:gc_compact` (the `memory safety` blocks in
+  # css/xpath/serialize/mutation/source_location/xpath_handler/api_compat2 +
+  # attribute's lazy-index example).  Those are the examples written to exercise
+  # the borrowed-pointer paths.  `GC_COMPACT_STRESS=1` makes spec_helper set
+  # `GC.auto_compact = true` process-wide and wrap every example in `GC.stress`,
+  # so each allocation inside a tagged example triggers a *compacting* GC - the
+  # strongest form of the use-after-move test.  The high-volume churn loops
+  # (parse/drop cycles) scale their iteration count down under stress
+  # (`gc_churn_iters` / `GC_COMPACT_ITERS`) because each stressed iteration is
+  # orders of magnitude heavier; `GC_COMPACT_ITERS` below tunes the total runtime
+  # (~6-9 min on CI at 200).  An earlier version forced GC.stress onto the
+  # *entire* suite (~800 examples): it ran 1h40m+ and never finished, while
+  # testing borrowed-pointer discipline on hundreds of examples that have none.
+  # The rest of the suite still runs in ci.yml.
+  #
+  # THREADING is deliberately OFF here.  The :threading suite is 8 threads x tens
+  # of iterations; it runs in ci.yml and its GC-sensitive examples opt into
+  # GC.stress themselves, so cross-thread interactions are covered there.
   gc-compact-stress:
-    # Temporarily disabled, too long
-    if: false
+    # Nightly / on-demand only - not on push (the valgrind job is the post-merge
+    # gate; GC.stress is heavy and structural, so it does not need per-push runs).
+    if: github.event_name != 'push'
     name: GC.auto_compact + GC.stress (Ruby ${{ matrix.ruby }})
     runs-on: ubuntu-latest
-    timeout-minutes: 360
+    timeout-minutes: 30
     env:
-      # As in the Valgrind job: GC.stress (a full GC per allocation) makes the
-      # 300-iteration PBT sweep run for hours, and these jobs check memory
-      # discipline rather than the property space, so trim the iteration count.
-      PBT_COUNT: "15"
-      CSS_PBT_COUNT: "15"
+      GC_COMPACT_STRESS: "1"
+      # Per-iteration cost under per-allocation compacting GC is ~1000x normal, so
+      # the churn loops run this many iterations (vs their normal 200-1000). Tunes
+      # the job's runtime; raise for more coverage, lower if it approaches the
+      # timeout.
+      GC_COMPACT_ITERS: "200"
     strategy:
       fail-fast: false
       matrix:
@@ -110,26 +131,8 @@ jobs:
       - name: Compile the extension
         run: bundle exec rake compile
 
-      # GC.stress is scoped to each example via an around hook rather than set
-      # process-wide: under a global GC.stress, even requiring the 88 spec files
-      # runs a full GC per allocation, so loading alone took tens of minutes and
-      # the job never reached the first example.  auto_compact stays global so
-      # objects actually move during those stressed examples (the point of the
-      # job), while loading/collection runs at normal speed.
-      - name: Run spec suite under GC.auto_compact + GC.stress
-        run: |
-          bundle exec ruby -Ilib -e '
-            GC.auto_compact = true
-            require "rspec/core"
-            RSpec.configure do |c|
-              c.around(:each) do |example|
-                GC.stress = true
-                begin
-                  example.run
-                ensure
-                  GC.stress = false
-                end
-              end
-            end
-            exit RSpec::Core::Runner.run(ARGV)
-          ' spec
+      # GC_COMPACT_STRESS=1 (set in env above) makes spec_helper enable
+      # auto_compact globally and wrap each example in GC.stress; --tag gc_compact
+      # limits the run to the borrowed-pointer examples.
+      - name: Run GC-sensitive examples under GC.auto_compact + GC.stress
+        run: bundle exec rspec --tag gc_compact spec

data/CHANGELOG.md

@@ -5,6 +5,72 @@ All notable changes to this project will be documented in this file.
 The format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.5.0] - 2026-06-14
+
+### Fixed
+
+* Use-after-free when an XPath custom-function handler mutated the same
+  `XPathContext` (`register_*` / `node=`) mid-`evaluate`: such re-entrant context
+  mutation is now refused instead of invalidating the running evaluation's state.
+
+* `Node#name=` now invalidates the element-name index, so a later `//tag` query
+  reflects the rename instead of seeing a stale bucket.
+
+* XML processing-instruction targets now follow XML 1.0 §2.6: a PITarget is a
+  `Name`, not an NCName, so a colon is permitted (`<?a:b ...?>` parses, and
+  `create_processing_instruction("a:b", ...)` succeeds). Only the reserved `xml`
+  (any case) is still rejected. Previously a colon in a PI target was rejected as
+  not-well-formed, which was stricter than the spec (a PI target is not subject to
+  namespace processing).
+
+* Memory leaks of the internal XPath evaluation context on error / edge paths: a
+  `Makiri::XML` `#css` / `#xpath` / `#at_xpath` whose selector or expression failed
+  the text-input contract leaked the context (it is now verified BEFORE the context
+  is allocated), and a context could leak if building the Ruby result raised (it is
+  now freed before conversion).
+
+### Added
+
+* `ProcessingInstruction#target` on the XML node (the PI's target name).
+
+* Cross-kind `Document#import_node(node, deep = false)`. `import_node` now
+  translates a subtree across representations: `Makiri::XML::Document#import_node`
+  (newly added) imports an HTML (Lexbor) node by translating it to the XML node
+  representation, and `Makiri::HTML::Document#import_node` likewise translates an
+  XML node to HTML. Same-representation imports keep working (HTML to HTML via
+  Lexbor, XML to XML via the arena deep/shallow copy). The result is a detached
+  copy owned by the target document; the source is untouched. Elements (with
+  attributes), text, comment, and processing-instruction nodes translate both
+  ways, and an HTML `<template>`'s contents (which HTML keeps in a separate
+  fragment) are carried across rather than silently dropped; an XML CDATA section
+  has no HTML counterpart, so translating one into an HTML document fails closed
+  (`Makiri::Error`). Namespaces are preserved across the translation: HTML->XML
+  synthesizes the xmlns declarations needed to reproduce each node's namespace
+  (so e.g. an inline `<svg>` stays in the SVG namespace and HTML elements in the
+  XHTML namespace), and XML->HTML maps the namespace URI back to a Lexbor
+  namespace id, interning any URI (not only the ones Lexbor knows by default) so
+  custom namespaces survive too. An HTML-namespaced `<template>`'s content is
+  placed in its content fragment (HTMLTemplateElement.content), like a parsed
+  template. The other node-argument mutators
+  (`add_child`/`before`/`after`/`replace`/`fragment`) still reject a foreign-kind
+  node; `import_node` is the one sanctioned crossing point.
+
+* `set_attribute_ns(namespace, qualified_name, value)` and
+  `remove_attribute_ns(namespace, local_name)` on `Makiri::XML` elements - the DOM
+  setAttributeNS / removeAttributeNS, keyed on the (explicit namespace, local name)
+  pair so two attributes with the same qualified name in different namespaces
+  coexist (a null/"" namespace is the null namespace).
+
+* `Makiri::Lexbor::CSS.parse_stylesheet(text)`, a thin binding over Lexbor's
+  CSS stylesheet parser that returns the parsed rules as plain Ruby primitives
+  (`{type: :style, selectors: [{text:, specificity: [a,b,c]}, ...],
+  declarations: [{name:, value:, important:}, ...]}` and nested
+  `{type: :media, condition:, rules: [...]}`, in source order). Selector
+  specificity and value normalization come from Lexbor; `css-syntax-3` error
+  recovery means a broken stylesheet yields its valid rules instead of raising.
+  Hosts the new `Makiri::Lexbor::*` namespace (the unabstracted lexbor-native
+  surface, distinct from the Nokogiri-compatible `Makiri::*`).
+
 ## [0.4.0] - 2026-06-12
 
 ### Added
@@ -296,7 +362,8 @@ libxml2 / libxslt dependency at any layer**.
   domxpath, CSS differential vs `Nokogiri::HTML5`). GitHub Actions CI across
   Ruby 3.2–4.0 × Ubuntu/macOS plus a sanitizer job.
 
-[Unreleased]: https://github.com/takahashim/makiri/compare/v0.4.0...HEAD
+[Unreleased]: https://github.com/takahashim/makiri/compare/v0.5.0...HEAD
+[0.5.0]: https://github.com/takahashim/makiri/compare/v0.4.0...v0.5.0
 [0.4.0]: https://github.com/takahashim/makiri/compare/v0.3.0...v0.4.0
 [0.3.0]: https://github.com/takahashim/makiri/compare/v0.2.0...v0.3.0
 [0.2.0]: https://github.com/takahashim/makiri/compare/v0.1.0...v0.2.0

data/README.md

@@ -141,6 +141,14 @@ XML subtrees can be built with `Document#create_element` and related node factor
 then inserted with `#add_child`, `#before`, `#after`, or `#replace`;
 namespaces are resolved at insertion time, and cross-document nodes are deep-copied.
 
+`Document#import_node(node, deep = false)` brings a node into a document as a
+detached copy, and works **across representations**: importing a `Makiri::HTML`
+node into a `Makiri::XML::Document` (or vice versa) translates the subtree between
+the two node representations, preserving namespaces (e.g. an inline `<svg>` keeps
+the SVG namespace, HTML elements the XHTML namespace; custom namespaces are
+preserved across both directions). An XML CDATA section has no HTML counterpart,
+so importing one into an HTML document raises.
+
 ```ruby
 doc   = Makiri::XML(%(<feed xmlns="urn:a" xmlns:dc="urn:dc"/>))
 entry = doc.create_element("entry")
@@ -226,6 +234,12 @@ Detailed, test-backed notes live in `spec/conformance/README.md`.
     markup string straight to `#add_child` is unsupported (parse it into a fragment
     first). (`#to_xml` serialization is supported; HTML serialization - `to_html`
     / `inner_html` / `outer_html` - is not.)
+* A colon in a processing-instruction target is well-formed (`<?a:b ...?>` parses).
+  * XML 1.0 §2.6: a `PITarget` is a `Name`, not an NCName, and Namespaces in XML
+    1.0's normative conformance section constrains only element/attribute names
+    (QNames), never PI targets. Nokogiri/libxml2 rejects it (`colons are forbidden
+    from PI names`); Makiri follows the normative text. Only the reserved `xml`
+    (any case) target is rejected.
 * Otherwise the parsed tree is byte-identical to `Nokogiri::XML`'s (verified by
   the property-based differential), including namespaces, prolog/epilog comments
   and PIs, and adjacent-CDATA coalescing.

data/Rakefile

@@ -59,6 +59,19 @@ task default: %i[compile spec]
 # *our* code: a real uninit/invalid access in mkr_*/Lexbor still has a makiri frame
 # and is still reported.
 #
+# BUT the binary-touch filter is too coarse for one residual class: when a GC
+# cycle fires *inside* one of our allocations (or marks through our mark
+# callback), CRuby's conservative collector legitimately reads uninitialised
+# words (machine-stack scan reading stale frames, incremental mark/sweep reading
+# not-yet-written RVALUE flags) while a makiri frame sits on the stack - so ~190
+# of these pure-Ruby-GC false positives pass the filter. The gem's bundled
+# ruby.supp only covers `each_location*` under Addr8, not the Cond/Value8 reads
+# we hit. `suppressions/ruby.supp` (auto-loaded by ruby_memcheck: it globs
+# `<dir>/<ruby-version>.supp`, and the bare `ruby.supp` matches every version)
+# suppresses exactly those GC-driver-anchored uninit reads, plus the VM
+# method-cache id_table the interpreter never frees before exit. A real uninit
+# read in our code does not descend from a GC driver, so it still fails.
+#
 # Guarded: ruby_memcheck lives in the optional :valgrind bundler group, so a
 # normal `bundle exec rake` (without that group) must not fail to load.
 begin

data/lib/makiri/html/document.rb

@@ -55,12 +55,7 @@ module Makiri
       # @param text [String]
       # @return [String]
       def title=(text)
-        t = at_css("title")
-        unless t
-          t = Element.new("title", self)
-          (head || root).add_child(t)
-        end
-        t.content = text
+        ensure_in_head("title", "title").content = text
         text
       end
 
@@ -93,14 +88,18 @@ module Makiri
       # @param value [String]
       # @return [String]
       def meta_encoding=(value)
-        meta = at_css("meta[charset]")
-        unless meta
-          meta = Element.new("meta", self)
-          (head || root).add_child(meta)
-        end
-        meta["charset"] = value
+        ensure_in_head("meta[charset]", "meta")["charset"] = value
         value
       end
+
+      private
+
+      # The first node matching +css_query+, or a freshly created <+tag+>
+      # appended to <head> (or the root when the document has no head). Shared by
+      # #title= and #meta_encoding=, which then set content / attributes on it.
+      def ensure_in_head(css_query, tag)
+        at_css(css_query) || Element.new(tag, self).tap { |el| (head || root).add_child(el) }
+      end
     end
   end
 end

data/lib/makiri/html/node_methods.rb

@@ -10,7 +10,6 @@ module Makiri
       alias_method :attr, :[]
       alias_method :get_attribute, :[]
       alias_method :has_attribute?, :key?
-      alias_method :remove_attribute, :delete
       alias_method :node_name, :name
       alias_method :node_name=, :name=
       alias_method :type, :node_type

data/lib/makiri/node_set.rb

@@ -48,17 +48,13 @@ module Makiri
     # Run a CSS selector against every node and return the unioned matches.
     # @return [Makiri::NodeSet]
     def css(selector)
-      return self if empty?
-
-      map { |node| node.css(selector) }.reduce(:|)
+      union_query(:css, selector)
     end
 
     # Run an XPath expression against every node and union the node-set results.
     # @return [Makiri::NodeSet]
     def xpath(expr)
-      return self if empty?
-
-      map { |node| node.xpath(expr) }.reduce(:|)
+      union_query(:xpath, expr)
     end
 
     # First node matching the CSS selector across the set, or nil.
@@ -77,9 +73,7 @@ module Makiri
     # CSS- or XPath-detecting query against every node (see {Node#search}).
     # @return [Makiri::NodeSet]
     def search(path)
-      return self if empty?
-
-      map { |node| node.search(path) }.reduce(:|)
+      union_query(:search, path)
     end
 
     # Remove the named attribute from every node in the set.
@@ -109,5 +103,16 @@ module Makiri
     def inspect
       "#<#{self.class.name} length=#{length}>"
     end
+
+    private
+
+    # Run +method+(+arg+) on every node in the set and union the per-node
+    # results. An empty set returns self unchanged, so it stays a NodeSet (the
+    # shared shape behind #css / #xpath / #search).
+    def union_query(method, arg)
+      return self if empty?
+
+      map { |node| node.public_send(method, arg) }.reduce(:|)
+    end
   end
 end

data/lib/makiri/processing_instruction.rb

@@ -14,5 +14,13 @@ module Makiri
     def self.new(document, target, content)
       Makiri::Document.coerce!(document).create_processing_instruction(target, content)
     end
+
+    # DOM `ProcessingInstruction#target` — the PI's target name. Defined once on
+    # the shared base so both backends expose it: the XML node reaches it here
+    # (its target IS its node name), while the HTML node overrides it with a
+    # native implementation earlier in the ancestor chain.
+    def target
+      name
+    end
   end
 end

data/lib/makiri/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Makiri
-  VERSION = "0.4.0"
+  VERSION = "0.5.0"
 end

data/lib/makiri/xml/builder.rb

@@ -30,7 +30,7 @@ module Makiri
     #
     # Tag names that collide with a Ruby/Kernel method (or with one of this
     # builder's own helpers below - +text+, +cdata+, +comment+, +doc+, +parent+,
-    # +to_xml+, +to_s+) must be written with a trailing underscore, which is
+    # +to_xml+, +to_s+, +descend+) must be written with a trailing underscore, which is
     # stripped: +xml.id_("9")+ produces +<id>9</id>+. This matches Nokogiri.
     #
     # A namespace prefix is selected for the next element with +[]+:
@@ -137,6 +137,22 @@ module Makiri
         true
       end
 
+      # Run +block+ with +node+ as the current parent, restoring the previous
+      # parent afterward (even if the block raises) and returning the block's
+      # value. The single place +@parent+ is pushed/popped - shared by #insert and
+      # by {NodeBuilder}'s nested-block chain, so neither manipulates the parent
+      # state directly. Public so NodeBuilder (a separate class) can reuse it
+      # without reaching into a private method.
+      def descend(node, &block)
+        previous = @parent
+        @parent = node
+        begin
+          run(&block)
+        ensure
+          @parent = previous
+        end
+      end
+
       private
 
       # Translate the Nokogiri-style trailing arguments (a Hash is attributes,
@@ -177,21 +193,6 @@ module Makiri
         NodeBuilder.new(node, self)
       end
 
-      # Run +block+ with +node+ as the current parent, restoring the previous
-      # parent afterward (even if the block raises) and returning the block's
-      # value. The single place the parent is pushed/popped - shared by #insert and
-      # NodeBuilder's nested-block chain, so neither manipulates the parent state
-      # directly.
-      def descend(node, &block)
-        previous = @parent
-        @parent = node
-        begin
-          run(&block)
-        ensure
-          @parent = previous
-        end
-      end
-
       # Run a DSL block, choosing instance_eval vs yield once (from the first
       # block seen), the same way Nokogiri does, so the form is consistent
       # throughout a build.
@@ -239,17 +240,15 @@ module Makiri
           when /\A(.*)=\z/
             @node[Regexp.last_match(1)] = args.first
           else
-            @node["class"] = ((@node["class"] || "").split(/\s/) + [method.to_s]).join(" ")
+            append_attr("class", method.to_s)
             @node.content = args.first if args.first
           end
 
-          opts.each do |key, value|
-            @node[key.to_s] = ((@node[key.to_s] || "").split(/\s/) + [value]).join(" ")
-          end
+          opts.each { |key, value| append_attr(key.to_s, value) }
 
           # Descend into this node for a nested block via the builder's own parent
           # stack (with its ensure-based restore), rather than re-rooting it by hand.
-          return @doc_builder.send(:descend, @node, &block) if block
+          return @doc_builder.descend(@node, &block) if block
 
           self
         end
@@ -257,6 +256,15 @@ module Makiri
         def respond_to_missing?(_name, _include_private = false)
           true
         end
+
+        private
+
+        # Append +value+ as a space-separated token to the +key+ attribute,
+        # preserving any existing tokens. The shared idiom behind the terse
+        # class-append and the trailing-Hash attribute shortcut.
+        def append_attr(key, value)
+          @node[key] = ((@node[key] || "").split(/\s/) + [value]).join(" ")
+        end
       end
     end
   end

data/lib/makiri/xpath_context.rb

@@ -14,10 +14,18 @@ module Makiri
   # The bulk of the implementation lives in C (see
   # ext/makiri/glue/ruby_xpath.c and ext/makiri/xpath/).
   class XPathContext
-    # +#evaluate+ is defined in C. It evaluates under the GVL (XPath never
-    # releases it), so concurrent +evaluate+ / +register_*+ / +node=+ on the
-    # same context - and any tree mutation of the document being queried - are
-    # serialised by the GVL and cannot corrupt memory.
+    # +#evaluate+ is defined in C and runs under the GVL (XPath never releases
+    # it), so it cannot corrupt memory under concurrency. Two distinct hazards,
+    # handled differently:
+    #
+    # * Cross-thread: the GVL serialises all of +evaluate+ / +register_*+ /
+    #   +node=+ and any tree mutation of the queried document, so threads can
+    #   never run two of them at once.
+    # * Same-thread re-entrancy: a custom function handler runs mid-evaluate and
+    #   could call back into this same context. A re-entrant +register_namespace+
+    #   / +register_variable+ / +node=+ is refused (raises) while an evaluate is
+    #   in progress, since it would free/swap state the suspended evaluator still
+    #   borrows; a nested +evaluate+ is allowed.
 
     # Nokogiri-compatible name for {#register_namespace}.
     alias register_ns register_namespace

data/script/check_c_safety.rb

@@ -25,7 +25,7 @@ PARSER_TUS = %w[
   ext/makiri/xpath/mkr_xpath_funcs_body.h
   ext/makiri/xpath/mkr_xpath_value_body.h
   ext/makiri/bridge/ruby_string.c
-  ext/makiri/lexbor_compat/source_loc.c
+  ext/makiri/dom_adapter/source_loc.c
 ].freeze
 
 RULES = [

data/script/check_c_safety_allowlist.yml

@@ -33,20 +33,20 @@ ignore_paths:
     rule: html_doc_unwrap_boundary
     reason: the HTML branch of mkr_xpath_context_for, entered only after the XML kind returns early.
   # mkr_parsed_html_doc (asserts kind == HTML)
-  - path: ext/makiri/lexbor_compat/compat.h
+  - path: ext/makiri/dom_adapter/compat.h
     rule: parsed_html_doc_boundary
     reason: declaration of the HTML parsed-document accessor.
-  - path: ext/makiri/lexbor_compat/post_parse.c
+  - path: ext/makiri/dom_adapter/post_parse.c
     rule: parsed_html_doc_boundary
     reason: definition (the kind assert lives here) + HTML post-parse pipeline.
   - path: ext/makiri/glue/ruby_doc.c
     rule: parsed_html_doc_boundary
     reason: mkr_html_doc_unwrap is defined here over the HTML parsed document.
   # mkr_parsed_xml_doc (XML arena accessor) — kept out of the pure-HTML glue files
-  - path: ext/makiri/lexbor_compat/compat.h
+  - path: ext/makiri/dom_adapter/compat.h
     rule: parsed_xml_doc_boundary
     reason: declaration of the XML parsed-document accessor.
-  - path: ext/makiri/lexbor_compat/post_parse.c
+  - path: ext/makiri/dom_adapter/post_parse.c
     rule: parsed_xml_doc_boundary
     reason: definition + XML document wrapping/teardown.
   - path: ext/makiri/glue/ruby_xml.c
@@ -65,7 +65,7 @@ ignore_paths:
     rule: parsed_xml_doc_boundary
     reason: the kind-aware mkr_node_raw resolves an XML Document only after a MKR_DOC_XML check.
   # owner_document (HTML-only lxb_dom_node_t field)
-  - path: ext/makiri/lexbor_compat/post_parse.c
+  - path: ext/makiri/dom_adapter/post_parse.c
     rule: owner_document_boundary
     reason: mkr_lxb_document_bytes resolves a Lexbor node's owner document to size its mraw pools (HTML-only; the XML serializer uses arena_bytes instead).
   - path: ext/makiri/glue/ruby_html_node.c
@@ -80,6 +80,9 @@ ignore_paths:
   - path: ext/makiri/xpath/mkr_xpath_node_access_html.h
     rule: owner_document_boundary
     reason: the HTML monomorphization of the engine's node-access layer.
+  - path: ext/makiri/dom_adapter/cross_import.c
+    rule: owner_document_boundary
+    reason: mkr_html_ns_uri reads the SOURCE HTML node's owner document ns table to resolve its namespace id to a URI; reached only on the HTML (lxb) side of HTML->XML translation, never on an XML node (no cross-kind document comparison).
   # mkr_node_raw (kind-agnostic void* raw pointer; never dereferenced as a typed node)
   - path: ext/makiri/glue/glue.h
     rule: node_raw_boundary

data/script/leaks_harness.rb

@@ -15,6 +15,8 @@ ITERATIONS = Integer(ENV.fetch("LEAKS_ITERATIONS", "120"))
 
 HTML = "<div id=m class='a b'><ul><li class=item>x</li><li>y<svg><path/></svg></li></ul><p>t&amp;</p></div>"
 XML  = %(<r xmlns:p="urn:p" xmlns="urn:d"><a id="1">t</a><p:b/><!--c--><![CDATA[z]]></r>)
+CSS  = "div.a, #b > span { color: red !important; --v: 1px }\n" \
+       "@media (min-width: 600px) { .x { opacity: 0 } }\n@font-face { font-family: y }"
 
 handler = Class.new { def my_fn(nodes) = nodes.length.to_s }.new
 
@@ -57,6 +59,11 @@ ITERATIONS.times do |i|
   ctx.register_namespace("d", "urn:d"); ctx.register_variable("v", "1")
   ctx.evaluate("//d:a[@id=$v]"); ctx.evaluate("//d:a[@id=$v]")
   begin ctx.evaluate("//(") rescue Makiri::XPath::SyntaxError; end
+
+  # --- Lexbor CSS stylesheet parser (per-call parser+stylesheet lifetime,
+  # freed under rb_ensure) including the NUL-reject raise path ---
+  Makiri::Lexbor::CSS.parse_stylesheet(CSS)
+  begin Makiri::Lexbor::CSS.parse_stylesheet("a{}\0x") rescue Makiri::Error; end
 end
 
 GC.start

data/suppressions/ruby.supp

@@ -0,0 +1,140 @@
+# Valgrind suppressions for `rake spec:valgrind` (ruby_memcheck).
+#
+# ruby_memcheck auto-loads every `<suppressions>/<ruby-version>.supp` it finds,
+# and `ruby.supp` (the bare RUBY_ENGINE name) matches every Ruby version. These
+# entries are ADDED to the ones the gem already bundles.
+#
+# Why this file exists: our job runs with `--undef-value-errors=yes` and
+# `filter_all_errors: true`, which surfaces *every* uninitialised-value report
+# whose stack touches the makiri binary. CRuby's garbage collector legitimately
+# reads uninitialised memory - the conservative machine-stack scan reads stale
+# stack words, and incremental mark/sweep reads not-yet-written RVALUE flags -
+# and when a GC cycle fires inside one of our allocations (or marks through our
+# mark callback) the makiri frame is on the stack, so the binary-touch filter
+# keeps the report. The gem's bundled ruby.supp only covers `each_location*`
+# under `Memcheck:Addr8`, not the `Cond`/`Value8` reads we see, so ~190 of these
+# Ruby-GC false positives slip through and fail the run.
+#
+# Each suppression below is anchored on a CRuby GC driver function (gc marks /
+# sweep / conservative root scan), with leading `...` absorbing the GC-internal
+# error-origin frames above it. A real uninitialised read in our own code does
+# NOT descend from these GC drivers, so it still fails the gate. We do NOT
+# suppress Addr/Overlap/Param/etc. - only the GC uninit reads and a couple of
+# Ruby-internal leaks the VM never frees before exit.
+
+# ---- conservative GC: uninitialised-value reads (Memcheck:Cond) ----
+{
+  ruby-gc-cond-garbage_collect
+  Memcheck:Cond
+  ...
+  fun:garbage_collect
+}
+{
+  ruby-gc-cond-gc_start
+  Memcheck:Cond
+  ...
+  fun:gc_start
+}
+{
+  ruby-gc-cond-gc_marks
+  Memcheck:Cond
+  ...
+  fun:gc_marks*
+}
+{
+  ruby-gc-cond-gc_sweep
+  Memcheck:Cond
+  ...
+  fun:gc_sweep*
+}
+{
+  ruby-gc-cond-rb_gc_impl_mark
+  Memcheck:Cond
+  ...
+  fun:rb_gc_impl_mark*
+}
+{
+  ruby-gc-cond-machine_context
+  Memcheck:Cond
+  ...
+  fun:rb_gc_mark_machine_context
+}
+{
+  ruby-gc-cond-mark_roots
+  Memcheck:Cond
+  ...
+  fun:mark_roots
+}
+
+# ---- conservative GC: uninitialised-value reads (Memcheck:Value8) ----
+# `gc_aging` (Ruby's default.c) ages objects during incremental marking and
+# reads the not-yet-written RVALUE flag word - the same false positive as the
+# drivers below, but here it is the ONLY resolved frame (every caller is
+# `<unknown stack frame>`), so the `...`-then-driver anchors miss it. Anchor on
+# the top frame itself (the `.part.0` GCC partial-inline clone is matched by `*`).
+{
+  ruby-gc-cond-gc_aging
+  Memcheck:Cond
+  fun:gc_aging*
+}
+{
+  ruby-gc-value8-gc_aging
+  Memcheck:Value8
+  fun:gc_aging*
+}
+{
+  ruby-gc-value8-garbage_collect
+  Memcheck:Value8
+  ...
+  fun:garbage_collect
+}
+{
+  ruby-gc-value8-gc_start
+  Memcheck:Value8
+  ...
+  fun:gc_start
+}
+{
+  ruby-gc-value8-gc_marks
+  Memcheck:Value8
+  ...
+  fun:gc_marks*
+}
+{
+  ruby-gc-value8-gc_sweep
+  Memcheck:Value8
+  ...
+  fun:gc_sweep*
+}
+{
+  ruby-gc-value8-rb_gc_impl_mark
+  Memcheck:Value8
+  ...
+  fun:rb_gc_impl_mark*
+}
+{
+  ruby-gc-value8-machine_context
+  Memcheck:Value8
+  ...
+  fun:rb_gc_mark_machine_context
+}
+{
+  ruby-gc-value8-mark_roots
+  Memcheck:Value8
+  ...
+  fun:mark_roots
+}
+
+# ---- Ruby VM internal caches that are never freed before exit ----
+# The global constant-cache / inline method-cache id_table is allocated lazily
+# on method lookup and lives for the life of the VM, so RUBY_FREE_AT_EXIT still
+# reports it as "definitely lost" whenever the first lookup happened under one
+# of our cfuncs. Not ours to free.
+{
+  ruby-vm-method-cache-id_table
+  Memcheck:Leak
+  ...
+  fun:rb_id_table_create
+  fun:vm_search_cc
+  ...
+}

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: makiri
 version: !ruby/object:Gem::Version
-  version: 0.4.0
+  version: 0.5.0
 platform: x86_64-linux
 authors:
 - takahashim
@@ -109,6 +109,7 @@ files:
 - script/check_leaks.rb
 - script/leaks_harness.rb
 - sig/makiri.rbs
+- suppressions/ruby.supp
 homepage: https://github.com/takahashim/makiri
 licenses:
 - Apache-2.0