Fix C++ SEGV: NULL deref in LSP type resolver on large header files

Root cause: c_eval_expr_type_inner has 42 places accessing ptr->kind
on CBMType* pointers. Some code paths (cbm_type_substitute, internal
lookups) return NULL on unusual C++ AST shapes (deeply nested
templates, 300+ defs per file). NULL->kind = SIGSEGV.

Fix: safe_kind() inline returns CBM_TYPE_UNKNOWN for NULL pointers.
All 42 ->kind accesses in c_eval_expr_type_inner replaced.
Also: recursion depth guard (256), cbm_type_substitute returns
cbm_type_unknown() for NULL input, walk_usages/walk_env depth limits.

Verified: spdlog (previously crashed) now indexes 2526 nodes, 5518 edges.
All 2586 tests pass.

Author: DeusData

internal/cbm/extract_env_accesses.c

@@ -131,8 +131,13 @@ static bool is_env_var_name(const char *s) {
     return has_upper;
 }
 
+#define WALK_ENV_MAX_DEPTH 4096
+
 // NOLINTNEXTLINE(misc-no-recursion) — intentional AST tree walk
-static void walk_env_accesses(CBMExtractCtx *ctx, TSNode node, const CBMLangSpec *spec) {
+static void walk_env_inner(CBMExtractCtx *ctx, TSNode node, const CBMLangSpec *spec, int depth) {
+    if (depth > WALK_ENV_MAX_DEPTH) {
+        return;
+    }
     const char *kind = ts_node_type(node);
     const char *env_key = NULL;
 
@@ -158,10 +163,14 @@ static void walk_env_accesses(CBMExtractCtx *ctx, TSNode node, const CBMLangSpec
     // Recurse
     uint32_t count = ts_node_child_count(node);
     for (uint32_t i = 0; i < count; i++) {
-        walk_env_accesses(ctx, ts_node_child(node, i), spec);
+        walk_env_inner(ctx, ts_node_child(node, i), spec, depth + 1);
     }
 }
 
+static void walk_env_accesses(CBMExtractCtx *ctx, TSNode node, const CBMLangSpec *spec) {
+    walk_env_inner(ctx, node, spec, 0);
+}
+
 void cbm_extract_env_accesses(CBMExtractCtx *ctx) {
     const CBMLangSpec *spec = cbm_lang_spec(ctx->language);
     if (!spec) {

internal/cbm/extract_usages.c

@@ -76,7 +76,14 @@ static bool is_reference_node(TSNode node, CBMLanguage lang) {
 }
 
 // NOLINTNEXTLINE(misc-no-recursion) — intentional AST tree walk
-static void walk_usages(CBMExtractCtx *ctx, TSNode node, const CBMLangSpec *spec) {
+/* Max recursion depth — prevents stack overflow on deeply nested C++ templates.
+ * 8MB stack / ~256 bytes per frame ≈ 32K max, use 4K as safe limit. */
+#define WALK_USAGES_MAX_DEPTH 4096
+
+static void walk_usages_inner(CBMExtractCtx *ctx, TSNode node, const CBMLangSpec *spec, int depth) {
+    if (depth > WALK_USAGES_MAX_DEPTH) {
+        return;
+    }
     if (is_reference_node(node, ctx->language)) {
         // Skip if inside a call (already counted as CALLS edge)
         if (is_inside_call(node, spec)) {
@@ -110,10 +117,14 @@ static void walk_usages(CBMExtractCtx *ctx, TSNode node, const CBMLangSpec *spec
 recurse:;
     uint32_t count = ts_node_child_count(node);
     for (uint32_t i = 0; i < count; i++) {
-        walk_usages(ctx, ts_node_child(node, i), spec);
+        walk_usages_inner(ctx, ts_node_child(node, i), spec, depth + 1);
     }
 }
 
+static void walk_usages(CBMExtractCtx *ctx, TSNode node, const CBMLangSpec *spec) {
+    walk_usages_inner(ctx, node, spec, 0);
+}
+
 void cbm_extract_usages(CBMExtractCtx *ctx) {
     const CBMLangSpec *spec = cbm_lang_spec(ctx->language);
     if (!spec) {

internal/cbm/lsp/c_lsp.c

@@ -74,6 +74,7 @@ typedef struct {
     bool cpp_mode;          // C++ features enabled
     bool in_template;       // currently inside template declaration
     bool debug;
+    int eval_depth;         // recursion depth for c_eval_expr_type (crash guard)
 } CLSPContext;
 
 // --- API ---

internal/cbm/lsp/c_lsp.h

@@ -231,7 +231,8 @@ const CBMType* cbm_type_resolve_alias(const CBMType* t) {
 // Generic substitution: recursively replace TYPE_PARAM with concrete types.
 const CBMType* cbm_type_substitute(CBMArena* a, const CBMType* t,
     const char** type_params, const CBMType** type_args) {
-    if (!t || !type_params || !type_args) return t;
+    if (!t) return cbm_type_unknown();
+    if (!type_params || !type_args) return t;
 
     switch (t->kind) {
     case CBM_TYPE_TYPE_PARAM: {

internal/cbm/lsp/type_rep.c

@@ -0,0 +1,82 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Index a single benchmark repository and capture metrics.
+# Usage: benchmark-index.sh <binary> <lang> <repo_path> <results_dir>
+
+BINARY="${1:?Usage: benchmark-index.sh <binary> <lang> <repo_path> <results_dir>}"
+LANG="${2:?}"
+REPO="${3:?}"
+RESULTS_DIR="${4:?}"
+
+# Resolve symlinks
+REPO=$(cd "$REPO" && pwd -P)
+
+OUT="$RESULTS_DIR/$LANG"
+mkdir -p "$OUT"
+
+echo "INDEX: $LANG ($REPO)"
+
+# Count source files and LOC (exclude .git, vendor, node_modules, build dirs)
+FILE_COUNT=$(find "$REPO" -type f \
+  ! -path '*/.git/*' ! -path '*/node_modules/*' ! -path '*/vendor/*' \
+  ! -path '*/target/*' ! -path '*/build/*' ! -path '*/dist/*' \
+  ! -path '*/__pycache__/*' ! -path '*/.cache/*' \
+  | wc -l | tr -d ' ')
+
+LOC=$(find "$REPO" -type f \
+  ! -path '*/.git/*' ! -path '*/node_modules/*' ! -path '*/vendor/*' \
+  ! -path '*/target/*' ! -path '*/build/*' ! -path '*/dist/*' \
+  ! -path '*/__pycache__/*' ! -path '*/.cache/*' \
+  -exec cat {} + 2>/dev/null | wc -l | tr -d ' ')
+
+echo "$FILE_COUNT" > "$OUT/file-count.txt"
+echo "$LOC" > "$OUT/loc.txt"
+
+# Index via CLI and capture timing
+START_MS=$(python3 -c "import time; print(int(time.time()*1000))")
+
+INDEX_JSON=$("$BINARY" cli index_repository "{\"repo_path\":\"$REPO\",\"mode\":\"full\"}" 2>/dev/null || echo '{"error":"index failed"}')
+
+END_MS=$(python3 -c "import time; print(int(time.time()*1000))")
+ELAPSED=$((END_MS - START_MS))
+
+echo "$INDEX_JSON" > "$OUT/00-index.json"
+echo "$ELAPSED" > "$OUT/index-time.txt"
+
+# Extract node/edge counts (CLI wraps in MCP content envelope)
+NODES=$(echo "$INDEX_JSON" | python3 -c "
+import json,sys
+d=json.load(sys.stdin)
+# Unwrap MCP content envelope if present
+if 'content' in d:
+    inner=json.loads(d['content'][0]['text'])
+else:
+    inner=d
+print(inner.get('nodes',0))
+" 2>/dev/null || echo "0")
+EDGES=$(echo "$INDEX_JSON" | python3 -c "
+import json,sys
+d=json.load(sys.stdin)
+if 'content' in d:
+    inner=json.loads(d['content'][0]['text'])
+else:
+    inner=d
+print(inner.get('edges',0))
+" 2>/dev/null || echo "0")
+PROJECT=$(echo "$INDEX_JSON" | python3 -c "
+import json,sys
+d=json.load(sys.stdin)
+if 'content' in d:
+    inner=json.loads(d['content'][0]['text'])
+else:
+    inner=d
+print(inner.get('project',''))
+" 2>/dev/null || echo "")
+
+echo "$NODES" > "$OUT/nodes.txt"
+echo "$EDGES" > "$OUT/edges.txt"
+echo "$PROJECT" > "$OUT/project.txt"
+
+printf "  %s: %s files, %s LOC, %sms, %s nodes, %s edges\n" \
+  "$LANG" "$FILE_COUNT" "$LOC" "$ELAPSED" "$NODES" "$EDGES"

scripts/benchmark-index.sh

@@ -32,7 +32,7 @@ symlink() {
 
 mkdir -p "$BENCH_DIR"
 
-# Programming languages — Tier 1 (39 languages, 27 original + 12 new)
+# Programming languages — Tier 1 (44 languages)
 clone go          "go-chi/chi"
 clone python      "httpie/cli"
 clone javascript  "expressjs/express"
@@ -43,7 +43,7 @@ clone kotlin      "JetBrains/Exposed"
 clone scala       "playframework/play-samples"
 clone rust        "meilisearch/meilisearch"
 clone c           "redis/redis"
-clone cpp         "nlohmann/json"
+clone cpp         "google/leveldb"
 clone csharp      "ardalis/CleanArchitecture"
 clone php         "koel/koel"
 clone ruby        "sinatra/sinatra"
@@ -71,8 +71,12 @@ clone fortran     "cp2k/cp2k"
 clone cobol       "OCamlPro/gnucobol"
 clone verilog     "YosysHQ/yosys"
 clone emacslisp   "emacs-mirror/emacs"
+clone matlab      "acristoffers/tree-sitter-matlab"
+clone lean        "leanprover-community/mathlib4"
+clone form        "vermaseren/form"
+clone wolfram     "WolframResearch/WolframLanguageForJupyter"
 
-# Helper languages — Tier 2 (20 languages, 8 original + 12 new)
+# Helper languages — Tier 2 (22 languages)
 clone yaml        "kubernetes/examples"
 clone hcl         "terraform-aws-modules/terraform-aws-eks"
 clone scss        "twbs/bootstrap"
@@ -96,6 +100,9 @@ symlink markdown  python        # httpie docs
 symlink makefile  c             # redis Makefile
 clone glsl        "repalash/Open-Shaders"
 symlink ini       python        # httpie .cfg/.ini files
+symlink magma     lean          # .m files — disambiguated via content markers
+symlink kubernetes yaml         # YAML subtype — Deployment/Service manifests
+symlink kustomize yaml          # YAML subtype — kustomization.yaml
 
 echo ""
 echo "=== Clone complete ==="