fix(apps): reject malformed CLI numeric args instead of crashing#141
Conversation
The bug-hunt found three CLI tools parsed numeric arguments with unguarded std::stoul/std::stoull/std::stoi, which call std::terminate() (an uncaught std::invalid_argument/std::out_of_range escapes main) on non-numeric or out-of-range input, and silently truncate out-of-range ports via a uint16_t cast: - qsl-client <port> - qsl-mdfeed subscribe <port> [count] [rcvbuf] / publish <port> [seed] [orders] - qsl-export-fixture [seed] [orders] All now parse with std::from_chars helpers (parse_u64/parse_port/parse_rcvbuf, matching qsl-replay's exception-free style), require the whole token to be consumed, and bound ports to 0-65535; on any malformed arg they print usage and exit 2 instead of aborting. (qsl-gateway/qsl-replay/qsl-export-stream already did this; this closes the gap in the remaining tools.) Refactored each main into small parse helpers (port_from_args / run_subscribe / run_publish / parse_args, plus an all_present fold) so the added validation stays under the CodeScene complexity/conditional thresholds — net Code Health improved (mdfeed 9.50->9.68, export-fixture 9.51->9.53), delta clean. Tests: 5 CTest cases assert malformed/out-of-range args exit non-zero with usage (qsl_client_invalid_port_fails, qsl_client_out_of_range_port_fails, qsl_mdfeed_invalid_count_fails, qsl_mdfeed_out_of_range_port_fails, qsl_export_fixture_invalid_seed_fails). make check/asan 270/270. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
Warning Review limit reached
More reviews will be available in 50 minutes and 11 seconds. Learn how PR review limits work. Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file). ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits. 🚦 How do rate limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (4)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Code Health Improved
(2 files improve in Code Health)
Our agent can fix these. Install it.
Gates Passed
6 Quality Gates Passed
View Improvements
| File | Code Health Impact | Categories Improved |
|---|---|---|
| main.cpp | 9.51 → 9.54 | Complex Method |
| main.cpp | 9.50 → 9.69 | Complex Method |
Quality Gate Profile: Pay Down Tech Debt
Install CodeScene MCP: safeguard and uplift AI-generated code. Catch issues early with our IDE extension and CLI tool.
…ct (#147) * docs: overhaul all stale docs for the post-v0.2.1 (v0.2.2) state Full staleness audit of every prose doc against current main. The anchors were frozen at v0.2.1 / 263 tests / "no active milestone" while 12 PRs (#135-#146) had merged and are unreleased. - Resume anchors (PROGRESS.md, HANDOFF.md): Current state / Last action / Next action / test count (263->270) brought current; the two duplicate frozen anchors and the stale macOS benchmark numbers fixed; a dated v0.2.2 log entry. - CLAUDE.md + AGENTS.md: the post-M35 roadmap-memory section now records the post-v0.2.1 hardening + perf wave (identical edit in both). - CHANGELOG.md: new [0.2.2] section (decoder enum rejection #136, network/CLI hardening #137/#140/#141/#143, real UBSan abort gate #142, ocaml diff_report #144, try_emplace ~+5% #138, index load-factor ~+18.6% #145). CMakeLists version 0.2.1 -> 0.2.2. - README: benchmark/flamegraph/limitations sections reflect the engine wins (measured on the profile workload, not the micro-bench table) and the gateway hardening; release_readiness 270/270 + UBSan gate + v0.2.2 scope. - Networking docs (socket_gateway, socket_hardening): connection cap, EINTR retry, transient-accept survival, fd-exhaustion handling, UDP send-error counting. replay_and_recovery: decode_command now rejects out-of-domain enums. binary_protocol/differential_testing/fix_protocol/SECURITY/recruiting_notes/ CONTRIBUTING: smaller accuracy updates. results/README: add the three socket artifacts. make check 270/270. Stale results/*.txt provenance digests regenerated separately. pool_backed_storage.md table follows its artifact regeneration. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * results: regenerate stale provenance artifacts for the v0.2.2 source The post-v0.2.1 source changes (#135-#146) left 14 results/*.txt with stale Source digests (the authoritative staleness signal per the provenance rules, not commit-hash drift). Regenerated via their make targets so each declares Dirty inputs: no against current HEAD: differential, pool_backed_storage, allocator_experiment, recovery_benchmarks, false_sharing_study, perf_stat_linux (partial PMU, QSL_PERF_ALLOW_PARTIAL), perf_report_linux, numa_affinity_study (linux-constrained), socket_load_summary, socket_profile_loopback, socket_stress_summary, dpdk_environment, nic_offload_environment. docs/pool_backed_storage.md: refreshed the median table, digest reference, and qualitative ordering from the regenerated artifact (contiguous fastest on four of five workloads; intrusive leads dense). The baseline rows now include the try_emplace (#138) and index load-factor (#145) wins. Honesty notes: these were measured on a thermally-warmed M2 from a long session, so absolute values run higher than a cool-host snapshot — the relative orderings and provenance digests are the load-bearing content, and every artifact carries a hardware/build-dependence caveat. latest.txt is regenerated separately on a cooled host to keep its headline micro-benchmark numbers representative. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * results: regenerate latest.txt (cool host) and sync README/PROGRESS numbers latest.txt regenerated on a thermally-recovered host so the headline micro-bench numbers are representative (protocol canary 16.1 ns/op), with a fresh Source digest (Dirty inputs: no) matching current source. The README benchmark table and the PROGRESS measured-results section are aligned to it: order_book ~90, protocol ~16, gateway ~102, matching ~91, replay ~101 ns. The matching/replay rows are slightly faster than the prior committed run (the v0.2.2 engine wins showing on the resting-order paths); the order_book micro-bench is unchanged (near-empty index, so it does not exercise the load-factor win). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * results: re-regenerate env-check artifacts against the final v0.2.2 docs dpdk_environment.txt and nic_offload_environment.txt include README.md (and CLAUDE.md/AGENTS.md/results/README.md) in their digest scope, so the README number-sync re-staled them. Regenerated against the final committed docs; Dirty inputs: no. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
Summary
The multi-agent bug hunt found three CLI tools parsing numeric arguments with unguarded
std::stoul/std::stoull/std::stoi. On bad input these crash viastd::terminate()(an uncaughtstd::invalid_argument/std::out_of_rangeescapesmain), and out-of-range ports are silently truncated by auint16_tcast:qsl-client <port>qsl-mdfeed subscribe <port> [count] [rcvbuf]/publish <port> [seed] [orders]qsl-export-fixture [seed] [orders](
qsl-gateway/qsl-replay/qsl-export-streamalready validated their args — this closes the gap in the remaining tools.)Fix
All three now parse with
std::from_charshelpers (parse_u64/parse_port/parse_rcvbuf, matchingqsl-replay's exception-free style): the whole token must be consumed, ports are bounded to 0–65535, andrcvbufis bounded to a non-negativeint. On any malformed arg they print usage and exit2instead of aborting or truncating.Each
mainwas refactored into small parse helpers (port_from_args/run_subscribe/run_publish/parse_args, plus anall_presentfold) so the added validation stays under the CodeScene complexity/conditional thresholds — net Code Health improved (mdfeed 9.50→9.68, export-fixture 9.51→9.53), delta clean.Verification
qsl_client_invalid_port_fails,qsl_client_out_of_range_port_fails,qsl_mdfeed_invalid_count_fails,qsl_mdfeed_out_of_range_port_fails,qsl_export_fixture_invalid_seed_fails.qsl-client 99xyz/70000,qsl-mdfeed subscribe 9009 notanumber,qsl-mdfeed publish 70000,qsl-export-fixture abcall now print usage and exit 2; good input unchanged.make check270/270,make asan270/270, CodeScene delta clean.🤖 Generated with Claude Code