Skip to content

fix(apps): reject malformed CLI numeric args instead of crashing#141

Merged
div0rce merged 1 commit into
mainfrom
fix/cli-arg-parsing
Jun 25, 2026
Merged

fix(apps): reject malformed CLI numeric args instead of crashing#141
div0rce merged 1 commit into
mainfrom
fix/cli-arg-parsing

Conversation

@div0rce

@div0rce div0rce commented Jun 25, 2026

Copy link
Copy Markdown
Owner

Summary

The multi-agent bug hunt found three CLI tools parsing numeric arguments with unguarded std::stoul/std::stoull/std::stoi. On bad input these crash via std::terminate() (an uncaught std::invalid_argument/std::out_of_range escapes main), and out-of-range ports are silently truncated by a uint16_t cast:

  • qsl-client <port>
  • qsl-mdfeed subscribe <port> [count] [rcvbuf] / publish <port> [seed] [orders]
  • qsl-export-fixture [seed] [orders]

(qsl-gateway/qsl-replay/qsl-export-stream already validated their args — this closes the gap in the remaining tools.)

Fix

All three now parse with std::from_chars helpers (parse_u64/parse_port/parse_rcvbuf, matching qsl-replay's exception-free style): the whole token must be consumed, ports are bounded to 0–65535, and rcvbuf is bounded to a non-negative int. On any malformed arg they print usage and exit 2 instead of aborting or truncating.

Each main was refactored into small parse helpers (port_from_args / run_subscribe / run_publish / parse_args, plus an all_present fold) so the added validation stays under the CodeScene complexity/conditional thresholds — net Code Health improved (mdfeed 9.50→9.68, export-fixture 9.51→9.53), delta clean.

Verification

  • 5 new CTest cases assert malformed / out-of-range args exit non-zero with usage:
    qsl_client_invalid_port_fails, qsl_client_out_of_range_port_fails, qsl_mdfeed_invalid_count_fails, qsl_mdfeed_out_of_range_port_fails, qsl_export_fixture_invalid_seed_fails.
  • Smoke-tested: qsl-client 99xyz / 70000, qsl-mdfeed subscribe 9009 notanumber, qsl-mdfeed publish 70000, qsl-export-fixture abc all now print usage and exit 2; good input unchanged.
  • make check 270/270, make asan 270/270, CodeScene delta clean.

🤖 Generated with Claude Code

The bug-hunt found three CLI tools parsed numeric arguments with unguarded
std::stoul/std::stoull/std::stoi, which call std::terminate() (an uncaught
std::invalid_argument/std::out_of_range escapes main) on non-numeric or
out-of-range input, and silently truncate out-of-range ports via a uint16_t cast:

- qsl-client <port>
- qsl-mdfeed subscribe <port> [count] [rcvbuf] / publish <port> [seed] [orders]
- qsl-export-fixture [seed] [orders]

All now parse with std::from_chars helpers (parse_u64/parse_port/parse_rcvbuf,
matching qsl-replay's exception-free style), require the whole token to be
consumed, and bound ports to 0-65535; on any malformed arg they print usage and
exit 2 instead of aborting. (qsl-gateway/qsl-replay/qsl-export-stream already did
this; this closes the gap in the remaining tools.)

Refactored each main into small parse helpers (port_from_args / run_subscribe /
run_publish / parse_args, plus an all_present fold) so the added validation stays
under the CodeScene complexity/conditional thresholds — net Code Health improved
(mdfeed 9.50->9.68, export-fixture 9.51->9.53), delta clean.

Tests: 5 CTest cases assert malformed/out-of-range args exit non-zero with usage
(qsl_client_invalid_port_fails, qsl_client_out_of_range_port_fails,
qsl_mdfeed_invalid_count_fails, qsl_mdfeed_out_of_range_port_fails,
qsl_export_fixture_invalid_seed_fails). make check/asan 270/270.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Jun 25, 2026

Copy link
Copy Markdown

Warning

Review limit reached

@div0rce, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 50 minutes and 11 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 0c91f646-5eae-497f-9699-ff88d77bb5b5

📥 Commits

Reviewing files that changed from the base of the PR and between d42e59c and 30e3a2d.

📒 Files selected for processing (4)
  • apps/qsl-client/main.cpp
  • apps/qsl-export-fixture/main.cpp
  • apps/qsl-mdfeed/main.cpp
  • tests/CMakeLists.txt
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/cli-arg-parsing

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@codescene-delta-analysis codescene-delta-analysis Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Health Improved (2 files improve in Code Health)

Our agent can fix these. Install it.

Gates Passed
6 Quality Gates Passed

View Improvements
File Code Health Impact Categories Improved
main.cpp 9.51 → 9.54 Complex Method
main.cpp 9.50 → 9.69 Complex Method

Quality Gate Profile: Pay Down Tech Debt
Install CodeScene MCP: safeguard and uplift AI-generated code. Catch issues early with our IDE extension and CLI tool.

@div0rce div0rce merged commit 7e6265e into main Jun 25, 2026
8 checks passed
@div0rce div0rce deleted the fix/cli-arg-parsing branch June 25, 2026 00:55
div0rce added a commit that referenced this pull request Jun 25, 2026
…ct (#147)

* docs: overhaul all stale docs for the post-v0.2.1 (v0.2.2) state

Full staleness audit of every prose doc against current main. The anchors were
frozen at v0.2.1 / 263 tests / "no active milestone" while 12 PRs (#135-#146)
had merged and are unreleased.

- Resume anchors (PROGRESS.md, HANDOFF.md): Current state / Last action /
  Next action / test count (263->270) brought current; the two duplicate frozen
  anchors and the stale macOS benchmark numbers fixed; a dated v0.2.2 log entry.
- CLAUDE.md + AGENTS.md: the post-M35 roadmap-memory section now records the
  post-v0.2.1 hardening + perf wave (identical edit in both).
- CHANGELOG.md: new [0.2.2] section (decoder enum rejection #136, network/CLI
  hardening #137/#140/#141/#143, real UBSan abort gate #142, ocaml diff_report
  #144, try_emplace ~+5% #138, index load-factor ~+18.6% #145). CMakeLists
  version 0.2.1 -> 0.2.2.
- README: benchmark/flamegraph/limitations sections reflect the engine wins
  (measured on the profile workload, not the micro-bench table) and the gateway
  hardening; release_readiness 270/270 + UBSan gate + v0.2.2 scope.
- Networking docs (socket_gateway, socket_hardening): connection cap, EINTR
  retry, transient-accept survival, fd-exhaustion handling, UDP send-error
  counting. replay_and_recovery: decode_command now rejects out-of-domain enums.
  binary_protocol/differential_testing/fix_protocol/SECURITY/recruiting_notes/
  CONTRIBUTING: smaller accuracy updates. results/README: add the three socket
  artifacts.

make check 270/270. Stale results/*.txt provenance digests regenerated
separately. pool_backed_storage.md table follows its artifact regeneration.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* results: regenerate stale provenance artifacts for the v0.2.2 source

The post-v0.2.1 source changes (#135-#146) left 14 results/*.txt with stale
Source digests (the authoritative staleness signal per the provenance rules,
not commit-hash drift). Regenerated via their make targets so each declares
Dirty inputs: no against current HEAD: differential, pool_backed_storage,
allocator_experiment, recovery_benchmarks, false_sharing_study, perf_stat_linux
(partial PMU, QSL_PERF_ALLOW_PARTIAL), perf_report_linux, numa_affinity_study
(linux-constrained), socket_load_summary, socket_profile_loopback,
socket_stress_summary, dpdk_environment, nic_offload_environment.

docs/pool_backed_storage.md: refreshed the median table, digest reference, and
qualitative ordering from the regenerated artifact (contiguous fastest on four of
five workloads; intrusive leads dense). The baseline rows now include the
try_emplace (#138) and index load-factor (#145) wins.

Honesty notes: these were measured on a thermally-warmed M2 from a long session,
so absolute values run higher than a cool-host snapshot — the relative orderings
and provenance digests are the load-bearing content, and every artifact carries
a hardware/build-dependence caveat. latest.txt is regenerated separately on a
cooled host to keep its headline micro-benchmark numbers representative.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* results: regenerate latest.txt (cool host) and sync README/PROGRESS numbers

latest.txt regenerated on a thermally-recovered host so the headline micro-bench
numbers are representative (protocol canary 16.1 ns/op), with a fresh Source
digest (Dirty inputs: no) matching current source. The README benchmark table
and the PROGRESS measured-results section are aligned to it: order_book ~90,
protocol ~16, gateway ~102, matching ~91, replay ~101 ns. The matching/replay
rows are slightly faster than the prior committed run (the v0.2.2 engine wins
showing on the resting-order paths); the order_book micro-bench is unchanged
(near-empty index, so it does not exercise the load-factor win).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* results: re-regenerate env-check artifacts against the final v0.2.2 docs

dpdk_environment.txt and nic_offload_environment.txt include README.md (and
CLAUDE.md/AGENTS.md/results/README.md) in their digest scope, so the README
number-sync re-staled them. Regenerated against the final committed docs;
Dirty inputs: no.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant