The test was flaky due to a race condition in moderation event sync:
`wait_for_peer_role` was only checking a peer's self-view of its own
role via mirrored context, rather than ensuring other peers performing
subsequent moderation actions had actually received and processed the
broadcast.
This caused divergent sanctions lists between nodes, leading to `Invalid
credentials hash` warnings and test timeouts when subsequent moderation
actions (like Barrier 5/6) were rejected by nodes that hadn't yet
processed previous updates.
Fixed by using `tox_group_peer_get_role` in `wait_for_peer_role` to
ensure the calling node has locally processed the role update before
proceeding past a synchronization barrier.
This release focuses on hardening, architectural refinement, and better testing capabilities.
On the hardening front, the ToxAV module has undergone significant security improvements. We have addressed a heap buffer overflow in RTP packet handling and fixed several logic bugs in the bandwidth controller and audio modules that could affect stability.
Architectural refactoring continues with the internalization of core system dependencies. The system clock, random number generation, and memory management are now accessed through abstract interfaces, further decoupling the core from OS-specific implementations and making the codebase more portable and testable.
The previous logic would only skip nodes if they were both missing an IP
and NOT timed out. This caused Tox to attempt routing packets through
stale or informed but unreachable nodes.
This change ensures we skip any node that either lacks an IP or has
timed out, improving DHT routing reliability.
- Use MessagePack strings for IP addresses and other text fields.
- Mark dynamic event fields as nullable in getters.
- Add overflow checks for event list capacity.
This test ensures that multiple priority packets added to a
`TCP_Connection` while the socket is busy are correctly queued in the
linked list without dropping intermediate packets.
Specifically, it protects against regressions where updating the tail
pointer incorrectly (e.g., using the head pointer as a base for append)
would result in data loss. This was identified as a risk in PR #2387.
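The regression the test above guards against, shown as an added example that is not part of c-toxcore or of the commit: a head/tail singly linked queue with a buggy append that links new packets after the head instead of after the tail, next to the correct append. `Packet`, `Queue` and the helper functions are hypothetical stand-ins, not the project's `TCP_Connection` types.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a queued priority packet: a tiny payload and a
 * singly linked `next` pointer, as in a head/tail queue. */
typedef struct Packet {
    uint8_t data[8];
    uint16_t size;
    struct Packet *next;
} Packet;

typedef struct Queue {
    Packet *head;
    Packet *tail;
} Queue;

/* Regression shape: appending relative to the head instead of the tail.
 * Every packet after the second overwrites head->next, so the packet that
 * was previously second is unlinked and lost. */
static void append_buggy(Queue *q, Packet *p)
{
    p->next = NULL;
    if (q->head == NULL) {
        q->head = p;
        q->tail = p;
        return;
    }
    q->head->next = p;   /* wrong base: should be q->tail->next */
    q->tail = p;
}

/* Correct append: link the new packet after the current tail, then advance. */
static void append_ok(Queue *q, Packet *p)
{
    p->next = NULL;
    if (q->tail == NULL) {
        q->head = p;
        q->tail = p;
        return;
    }
    q->tail->next = p;
    q->tail = p;
}

/* Walk from head and count reachable packets; returns -1 if the tail is not
 * the last reachable node, the other symptom of a bad append. */
int queue_count_reachable(const Queue *q)
{
    int n = 0;
    const Packet *last = NULL;
    for (const Packet *p = q->head; p != NULL; p = p->next) {
        ++n;
        last = p;
    }
    return last == q->tail ? n : -1;
}

/* Queue `count` distinct packets while the socket is "busy" (nothing is
 * flushed), then report how many are still reachable. Packets live on the
 * stack so nothing leaks when the buggy append unlinks one. */
int enqueue_while_busy(int count, bool use_buggy_append)
{
    Packet packets[16];
    if (count < 0 || count > 16) {
        return -1;
    }
    Queue q = { NULL, NULL };
    for (int i = 0; i < count; ++i) {
        memset(&packets[i], 0, sizeof packets[i]);
        packets[i].data[0] = (uint8_t)i;   /* make each packet distinct */
        packets[i].size = 1;
        if (use_buggy_append) {
            append_buggy(&q, &packets[i]);
        } else {
            append_ok(&q, &packets[i]);
        }
    }
    return queue_count_reachable(&q);
}

int main(void)
{
    printf("correct append, 3 packets: %d reachable\n", enqueue_while_busy(3, false));
    printf("buggy append,   3 packets: %d reachable\n", enqueue_while_busy(3, true));
    printf("buggy append,   2 packets: %d reachable\n", enqueue_while_busy(2, true));
    return 0;
}
```

With only two packets the buggy append is indistinguishable from the correct one, which is why a regression test has to queue at least three before the socket drains.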
The `mutable_mutex` member was used to work around const-correctness
checks when locking the mutex in `const` functions. This pattern
confused static analyzers and was generally unclear.
By changing the mutex member to be a pointer (`pthread_mutex_t *`) and
allocating it dynamically, we achieve the same effect (the pointer
itself is const in a const struct, but the pointed-to mutex is not) in a
standard compliant way that satisfies static analyzers and avoids
`-Wcast-qual` warnings without needing casts.
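The pointer-to-mutex pattern described above, as an added example that is not code from c-toxcore: a heap-allocated `pthread_mutex_t` reached through a pointer member, locked from a `const` accessor without any cast, and exercised from several threads. The `Counter` type, its functions and the worker counts are hypothetical.

```c
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical object: the mutex lives behind a pointer, so inside a
 * `const Counter *` the member is `pthread_mutex_t *const` (the pointer is
 * const, the mutex it points at is not) and can be locked without casts. */
typedef struct Counter {
    pthread_mutex_t *mutex;
    uint32_t value;
} Counter;

Counter *counter_new(void)
{
    Counter *c = calloc(1, sizeof(Counter));
    if (c == NULL) {
        return NULL;
    }
    c->mutex = calloc(1, sizeof(pthread_mutex_t));
    if (c->mutex == NULL || pthread_mutex_init(c->mutex, NULL) != 0) {
        free(c->mutex);
        free(c);
        return NULL;
    }
    return c;
}

void counter_free(Counter *c)
{
    if (c == NULL) {
        return;
    }
    pthread_mutex_destroy(c->mutex);
    free(c->mutex);
    free(c);
}

void counter_add(Counter *c, uint32_t n)
{
    pthread_mutex_lock(c->mutex);
    c->value += n;
    pthread_mutex_unlock(c->mutex);
}

/* Read under the lock from a const function. With an inline
 * `pthread_mutex_t mutex;` member this would need a cast dropping const;
 * with the pointer member no cast is needed. */
uint32_t counter_get(const Counter *c)
{
    pthread_mutex_lock(c->mutex);
    uint32_t v = c->value;
    pthread_mutex_unlock(c->mutex);
    return v;
}

enum { WORKERS = 4, ADDS_PER_WORKER = 10000 };

static void *worker(void *arg)
{
    Counter *c = arg;
    for (int i = 0; i < ADDS_PER_WORKER; ++i) {
        counter_add(c, 1);
    }
    return NULL;
}

/* Hammer the counter from several threads and return the final value read
 * through the const accessor; returns 0 on any setup failure. */
uint32_t counter_stress(void)
{
    Counter *c = counter_new();
    if (c == NULL) {
        return 0;
    }
    pthread_t threads[WORKERS];
    int started = 0;
    for (int i = 0; i < WORKERS; ++i) {
        if (pthread_create(&threads[i], NULL, worker, c) != 0) {
            break;
        }
        ++started;
    }
    for (int i = 0; i < started; ++i) {
        pthread_join(threads[i], NULL);
    }
    uint32_t result = started == WORKERS ? counter_get(c) : 0;
    counter_free(c);
    return result;
}

int main(void)
{
    printf("final counter: %u (expected %u)\n", counter_stress(),
           (unsigned)(WORKERS * ADDS_PER_WORKER));
    return 0;
}
```

Compile with `-Wcast-qual` to confirm no warning is emitted; the cost of the pattern is one extra allocation and one extra failure path in the constructor, which is why the destructor has to free the mutex separately.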
- Move `struct NAT` from `toxcore/DHT.h` to `toxcore/DHT.c` to improve
encapsulation.
- Add `tcp_packet_type_to_string` and `tcp_packet_from_int` to
`toxcore/TCP_common` for better debug logs.
- Add `net_family_to_string` to `toxcore/net` for the same reason.
- Change length from `uint16_t` to `uint32_t` in `make_gc_handshake_packet`.
- Add explicit cast to `uint16_t` when calling `wrap_group_handshake_packet`.
This is a hardening measure. Currently, `MAX_SENT_GC_NODES` is 1, so the
length variable (`uint16_t`) cannot overflow. However, if this constant
were increased significantly in the future, the addition `length +=
nodes_size` could wrap around. This change eliminates that latent risk.
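The latent wrap the commit describes, as an added example (not c-toxcore code) with assumed header and per-node sizes standing in for the real handshake layout: the old `uint16_t` accumulator beside a `uint32_t` version that checks the bound before the explicit narrowing cast. `HEADER_SIZE`, `NODE_SIZE` and the function names are hypothetical, and `node_count` plays the role of a future, larger `MAX_SENT_GC_NODES`.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed sizes for the illustration; the real packet layout is not shown here. */
#define HEADER_SIZE 64u
#define NODE_SIZE   64u

/* Old shape: a uint16_t accumulator. `length += NODE_SIZE` is computed in
 * int and then truncated back to 16 bits, so once the total reaches 65536
 * it silently wraps and the caller is told the packet is tiny. */
uint16_t handshake_len_u16(unsigned node_count)
{
    uint16_t length = HEADER_SIZE;
    for (unsigned i = 0; i < node_count; ++i) {
        length += NODE_SIZE;
    }
    return length;
}

/* Hardened shape: accumulate in uint32_t, check the bound explicitly, and
 * only then narrow with an explicit cast to the uint16_t the wrapper wants.
 * Returns false instead of a wrong length when the nodes do not fit. */
bool handshake_len_checked(unsigned node_count, uint16_t *out)
{
    const uint32_t nodes_size = (uint32_t)node_count * NODE_SIZE;
    if (node_count != 0 && nodes_size / NODE_SIZE != node_count) {
        return false;  /* the 32-bit product itself overflowed */
    }
    if (nodes_size > UINT32_MAX - HEADER_SIZE) {
        return false;
    }
    const uint32_t length = HEADER_SIZE + nodes_size;
    if (length > UINT16_MAX) {
        return false;  /* would not survive the narrowing cast */
    }
    *out = (uint16_t)length;
    return true;
}

/* Convenience for tests: the checked length, or -1 if it was rejected. */
int handshake_len_or_reject(unsigned node_count)
{
    uint16_t len;
    return handshake_len_checked(node_count, &len) ? (int)len : -1;
}

int main(void)
{
    const unsigned counts[] = { 1, 1022, 1023 };
    for (size_t i = 0; i < sizeof counts / sizeof counts[0]; ++i) {
        printf("nodes=%u  u16=%u  checked=%d\n", counts[i],
               handshake_len_u16(counts[i]), handshake_len_or_reject(counts[i]));
    }
    return 0;
}
```

With these sizes 1022 nodes is the last count that fits; at 1023 the 16-bit version reports a length of 0 while the checked version refuses, which is the difference between a truncated packet on the wire and a clean error.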
Move core networking types and the Network interface to `net`, and the
standard OS socket implementation to `os_network`. Update `network` to use
these new abstractions.
- Add `MpscQueue` for thread-safe task scheduling.
- Add `ToxRunner` to execute Tox instances in dedicated threads.
- Update `Simulation` to coordinate time steps across multiple runners using a synchronization barrier.
- Refactor `FakeMemory` and `FakeClock` to be thread-safe.
- Update `tox_network` helpers and tests to utilize the threaded runner infrastructure.
Update event generator to use `mem_balloc`/`mem_delete` for byte arrays in
events, ensuring consistency with Tox memory management. Also fix struct
initialization to use compound literals compliant with tokstyle.
Properly lock virtual clock access and snapshot synchronization to
address Coverity CIDs 1668069, 1668068, 1668067, 1668066. Use a separate
`clock_mutex` to avoid the need for recursive mutexes and ensure
portability.