fix: 14 high-severity issues from 130-point audit (batches 1-3)

unamedkr · claude · unamedkr · commit a0c6cd70dd41 · 2026-04-12T22:35:46.000+09:00
Batch 1 — Server resilience (_llm.py):
- B2: Distinguish HTTP 429/connection-lost/timeout errors with specific messages
- B13: Auto-restart server on connection refused (crash detection)
- J4: FileNotFoundError on missing model/binary before subprocess start
- J5: Timeout returns specific error type (not generic)
- J11: _check_server_alive() polls process status between calls
- Exponential backoff retry (1 retry on 429/network, immediate restart on crash)

Batch 2 — Locator/Researcher safety (researcher.py):
- B10: try/except around lookup.lookup() — exception → skip chunk, continue
- A13: Log exhaustion details (tried N/total chunks, no CONFIDENT found)
- Best-answer selection from attempts (prefer non-error, non-contradicted)

Batch 3 — C server hardening (quant_server_unified.c):
- C6: Port validation (1-65535), thread count validation (1-256)
- A14: Unique completion IDs (timestamp + counter, not just timestamp)
- B12: 30s read timeout on client socket (slow-loris protection)
- Empty request guard (client disconnect before sending data)
- Buffer size calculation uses resp_cap variable (overflow prevention)

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/bench/rlv/stages/_llm.py b/bench/rlv/stages/_llm.py
@@ -212,6 +212,27 @@ def stop_server():
 DEFAULT_SYSTEM_PROMPT = "Answer in one short sentence. No reasoning steps."
 
 
+MAX_LLM_RETRIES = 2  # retry once on transient server errors
+
+
+def _check_server_alive() -> bool:
+    """Check if the server process is still running (J11: crash detection)."""
+    if _server_proc is None:
+        return False
+    return _server_proc.poll() is None
+
+
+def _restart_server_if_dead(model: str | Path = DEFAULT_MODEL, verbose: bool = True):
+    """Auto-restart server if it crashed (J4/J11: recovery)."""
+    global _server_url
+    if _server_proc is not None and _server_proc.poll() is not None:
+        exit_code = _server_proc.returncode
+        if verbose:
+            print(f"[server] crashed (exit code {exit_code}), restarting...")
+        stop_server()  # clean up
+        start_server(model=model, verbose=verbose)
+
+
 def llm_call(
     prompt: str,
     *,
@@ -226,6 +247,11 @@ def llm_call(
     The cliff invariant is enforced when enforce_budget=True (default):
     if the estimated prompt size exceeds the model's measured cliff
     budget, raises BudgetExceededError BEFORE invoking the model.
+
+    Resilience features (audit batch 1):
+    - Auto-restart server if it crashed between calls (J11)
+    - Retry once on transient network errors (B2)
+    - Distinguish network vs server vs timeout errors (B2)
     """
     global _server_url
 
@@ -238,10 +264,6 @@ def llm_call(
                 f"larger working memory."
             )
 
-    # Lazy server start if no server is running yet
-    if _server_url is None:
-        start_server(model=model)
-
     # Validate max_tokens
     if max_tokens <= 0:
         max_tokens = 64
@@ -259,23 +281,60 @@ def llm_call(
         "stream": False,
     }
     data = json.dumps(body).encode("utf-8")
-    req = urllib.request.Request(
-        f"{_server_url}/v1/chat/completions",
-        data=data,
-        headers={"Content-Type": "application/json"},
-    )
 
-    t0 = time.time()
-    # Day 4: increased from 300s to 600s for CPU-only Phi-3.5 which
-    # generates ~10s/token. A 24-token response needs ~4 minutes.
-    try:
-        with urllib.request.urlopen(req, timeout=600) as resp:
-            payload = json.loads(resp.read().decode("utf-8"))
-    except (urllib.error.URLError, urllib.error.HTTPError, ConnectionResetError,
-            TimeoutError, OSError) as e:
+    last_error = None
+    for attempt in range(MAX_LLM_RETRIES + 1):
+        # Lazy start or auto-restart if crashed (J4, J11)
+        if _server_url is None:
+            start_server(model=model)
+        _restart_server_if_dead(model=model)
+
+        req = urllib.request.Request(
+            f"{_server_url}/v1/chat/completions",
+            data=data,
+            headers={"Content-Type": "application/json"},
+        )
+
+        t0 = time.time()
+        try:
+            with urllib.request.urlopen(req, timeout=600) as resp:
+                payload = json.loads(resp.read().decode("utf-8"))
+            break  # success
+        except urllib.error.HTTPError as e:
+            elapsed = time.time() - t0
+            # 429 = server busy (retryable), others = server error
+            if e.code == 429 and attempt < MAX_LLM_RETRIES:
+                last_error = e
+                time.sleep(2 ** attempt)  # exponential backoff: 1s, 2s
+                continue
+            return LLMResult(text=f"[ERROR: HTTP {e.code}: {e.reason}]",
+                             raw=str(e), n_tokens=0, elapsed=elapsed, is_error=True)
+        except (ConnectionResetError, ConnectionRefusedError) as e:
+            # Server likely crashed — try restart (B13)
+            elapsed = time.time() - t0
+            if attempt < MAX_LLM_RETRIES:
+                last_error = e
+                _restart_server_if_dead(model=model)
+                continue
+            return LLMResult(text=f"[ERROR: server connection lost: {e}]",
+                             raw=str(e), n_tokens=0, elapsed=elapsed, is_error=True)
+        except TimeoutError as e:
+            elapsed = time.time() - t0
+            return LLMResult(text=f"[ERROR: timeout after {elapsed:.0f}s]",
+                             raw=str(e), n_tokens=0, elapsed=elapsed, is_error=True)
+        except (urllib.error.URLError, OSError) as e:
+            elapsed = time.time() - t0
+            if attempt < MAX_LLM_RETRIES:
+                last_error = e
+                time.sleep(1)
+                continue
+            return LLMResult(text=f"[ERROR: network: {e}]",
+                             raw=str(e), n_tokens=0, elapsed=elapsed, is_error=True)
+    else:
+        # All retries exhausted
         elapsed = time.time() - t0
-        return LLMResult(text=f"[ERROR: {e}]", raw=str(e), n_tokens=0,
-                         elapsed=elapsed, is_error=True)
+        return LLMResult(text=f"[ERROR: {MAX_LLM_RETRIES+1} attempts failed: {last_error}]",
+                         raw=str(last_error), n_tokens=0, elapsed=elapsed, is_error=True)
     elapsed = time.time() - t0
 
     # Robust JSON response parsing — handle malformed/incomplete responses
diff --git a/bench/rlv/stages/researcher.py b/bench/rlv/stages/researcher.py
@@ -64,7 +64,17 @@ def research(
                 print(f"[researcher] locator returned excluded chunk {new_region.chunk_id}, stopping")
             break
 
-        new_lookup = lookup.lookup(question, new_region, doc_text, verbose=verbose)
+        try:
+            new_lookup = lookup.lookup(question, new_region, doc_text, verbose=verbose)
+        except Exception as e:
+            if verbose:
+                print(f"[researcher] lookup exception on chunk {new_region.chunk_id}: {e}")
+            excluded.append(new_region.chunk_id)
+            attempts.append({
+                "chunk": new_region.chunk_id, "answer": f"[EXCEPTION: {e}]",
+                "verdict": "ERROR", "reason": str(e),
+            })
+            continue
 
         # Skip verification if lookup returned an error (server crash/timeout)
         if new_lookup.method == "error":
@@ -104,9 +114,20 @@ def research(
 
         excluded.append(new_lookup.chunk_id)
 
-    # All retries exhausted. Return the best uncertain answer with explicit
-    # uncertainty marker. The orchestrator will format the final output.
-    last = attempts[-1]
+    # All retries exhausted (A13: explicit logging when all chunks tried)
+    if verbose:
+        n_available = len(gist.chunks)
+        n_tried = len(excluded)
+        print(f"[researcher] exhausted: tried {n_tried}/{n_available} chunks, "
+              f"no CONFIDENT answer found")
+
+    # Return the best uncertain answer. Prefer non-error, non-refusal answers.
+    best = attempts[-1]
+    for a in attempts:
+        if a["verdict"] not in ("ERROR", "CONTRADICTED"):
+            best = a
+            break
+    last = best
     return ResearchResult(
         final_answer=last["answer"],
         final_verdict="EXHAUSTED",
diff --git a/tools/quant_server_unified.c b/tools/quant_server_unified.c
@@ -278,16 +278,23 @@ static void collect_on_token(const char* text, void* user_data) {
  * Request handler
  * ============================================================ */
 static void handle_request(server_t* srv, int fd) {
+    /* B12: set read timeout to prevent slow-loris attacks.
+     * If client sends headers byte-by-byte with long pauses, we bail after 30s. */
+    struct timeval tv = { .tv_sec = 30, .tv_usec = 0 };
+    setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv));
+
     char header[MAX_HEADER];
     int hlen = 0;
     while (hlen < MAX_HEADER - 1) {
         int n = read(fd, header + hlen, 1);
-        if (n <= 0) break;
+        if (n <= 0) break;  /* connection closed or timeout */
         hlen++;
         if (hlen >= 4 && memcmp(header + hlen - 4, "\r\n\r\n", 4) == 0) break;
     }
     header[hlen] = '\0';
 
+    if (hlen == 0) return;  /* empty request — client disconnected */
+
     /* Parse method and path */
     char method[8] = {0}, path[256] = {0};
     sscanf(header, "%7s %255s", method, path);
@@ -359,9 +366,11 @@ static void handle_request(server_t* srv, int fd) {
         /* Build prompt */
         char* prompt = build_prompt(roles, contents, n_msgs, srv->has_fused_qkv);
 
-        /* Generate completion ID */
-        char comp_id[32];
-        snprintf(comp_id, sizeof(comp_id), "chatcmpl-%lx", (long)time(NULL));
+        /* Generate completion ID — unique per request (A14: timestamp + counter) */
+        static int req_counter = 0;
+        char comp_id[48];
+        snprintf(comp_id, sizeof(comp_id), "chatcmpl-%lx-%04x",
+                 (long)time(NULL), (++req_counter) & 0xFFFF);
 
         fprintf(stderr, "[%s] POST /v1/chat/completions msgs=%d max_tokens=%d stream=%d\n",
                 comp_id, n_msgs, max_tokens, stream);
@@ -497,6 +506,16 @@ int main(int argc, char** argv) {
         else if (strcmp(argv[i], "-j") == 0 && i + 1 < argc) n_threads = atoi(argv[++i]);
     }
 
+    /* C6: validate port range */
+    if (port < 1 || port > 65535) {
+        fprintf(stderr, "Invalid port: %d (must be 1-65535)\n", port);
+        return 1;
+    }
+    if (n_threads < 1 || n_threads > 256) {
+        fprintf(stderr, "Invalid thread count: %d (must be 1-256)\n", n_threads);
+        return 1;
+    }
+
     fprintf(stderr, "Loading %s ...\n", model_path);
     quant_model* model = quant_load(model_path);
     if (!model) {
