queue: Fix disk queue corruption detection and memory safety

[rgerhards]

Implements robust disk queue corruption detection and recovery logic.

• Added queue.onCorruption parameter to control behavior (ignore, safe, inMemory).
• Implemented qqueueVerifyAndRecover to scan spool directory and validate state.
• Fixed circular buffer wrap-around logic in gap detection.
• Secured memory allocations (realloc, strdup, es_str2cstr) with CHKmalloc macro.
• Added error checking for rename operations during recovery.
• Fixed double-free issue in realloc failure path.
• Verified with badqi.sh and daqueue-invld-qi.sh.

---

PR created automatically by Jules for task 9861661753839617161 started by @rgerhards

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[gemini-code-assist]

Summary of Changes

Hello @rgerhards, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the resilience of disk queues by introducing comprehensive corruption detection and configurable recovery mechanisms. It allows the system to gracefully handle corrupted queue states by either ignoring them, moving them to a safe location, or switching to an in-memory queue, thereby preventing data loss or service disruption. Additionally, it improves memory safety and error handling in critical file operations.

Highlights

• Configurable Corruption Handling: Introduced a new queue.onCorruption parameter allowing users to define how disk queue corruption is handled: ignore, safe (move corrupted files to a .bad directory and restart fresh), or inMemory (fall back to an in-memory queue).
• Disk Queue Verification and Recovery: Implemented qqueueVerifyAndRecover to scan the spool directory, validate the integrity of queue files (checking for orphans and gaps), and initiate recovery based on the configured onCorruption policy.
• Circular Buffer Gap Detection Fix: Corrected the logic for detecting gaps in circular disk queues, ensuring proper identification of missing files even when the queue wraps around.
• Enhanced Memory Safety: Integrated the CHKmalloc macro for realloc and strdup calls within the new corruption handling logic, improving memory allocation robustness.
• Robust File Operations: Added explicit error checking for rename operations during the recovery process, logging failures if files cannot be moved.
• Double-Free Prevention: Addressed a potential double-free issue in the realloc failure path within the qqueueVerifyAndRecover function.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog

• runtime/queue.c
  • Added necessary headers (dirent.h, sys/types.h) for directory scanning.
  • Registered queue.oncorruption as a new configuration parameter.
  • Introduced qqueueSetupLinkedList to facilitate switching to an in-memory queue.
  • Implemented qqueueVerifyAndRecover to perform directory scans, validate queue file sequences, and execute recovery actions.
  • Integrated qqueueVerifyAndRecover into qConstructDisk to run during queue initialization.
  • Added logic to parse and apply the queue.oncorruption configuration value.
  • Ensured memory allocations (realloc, strdup) within qqueueVerifyAndRecover are checked with CHKmalloc.
  • Refined gap detection logic for circular queues to correctly identify corruption.
  • Included error handling for mkdir and rename system calls during recovery.
  • Fixed a double-free scenario in realloc failure paths.
• runtime/queue.h
  • Defined queueOnCorruption_t enum to represent the different corruption handling strategies.
  • Added onCorruption field to the queue_s structure to store the chosen corruption handling mode.

Activity

• The pull request was automatically generated by Jules for a task initiated by @rgerhards.
• The changes have been verified using badqi.sh and daqueue-invld-qi.sh test scripts.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces a robust mechanism for detecting and recovering from disk queue corruption, which is a great improvement for reliability. It adds a new queue.oncorruption parameter to control the recovery behavior (ignore, safe, or in-memory fallback). The changes also enhance memory safety by consistently using CHKmalloc for allocations and fixing potential issues with realloc.

My review has identified a critical flaw in the new corruption detection logic for circular queues when they are in a wrapped-around state. The current implementation can fail to detect missing queue files, making the detection unreliable. I've also noted a minor code duplication that could be refactored for better maintainability. Please see the detailed comments for more information.

[gemini-code-assist]

The logic for detecting gaps in queue files for a wrapped-around queue appears to be flawed. It correctly identifies a single large gap of inactive file numbers, but it fails to detect missing files at the edges of contiguous blocks, especially near the wrap-around point.

For example, with iMaxFiles=10, deqNum=8, enqNum=2, the active files are 8, 9, 0, 1, 2. If file 9 is missing, the files on disk would be 0, 1, 2, 8. The current logic sorts these to 0, 1, 2, 8, finds a gap between 2 and 8, and correctly identifies this gap as valid (inactive range). However, it does not detect that file 9 is missing, which is part of the active range.

This is because the logic does not seem to use iMaxFiles (available via pThis->tVars.disk.pWrite->iMaxFiles) to validate continuity across the wrap-around point (e.g., from iMaxFiles-1 to 0).

A more robust approach would be to:

1. Obtain iMaxFiles from the stream object.
2. When wrapped is true, explicitly check for continuity in two segments:
   • Files from deqNum up to iMaxFiles - 1.
   • Files from 0 up to enqNum.

Without this, the corruption detection is unreliable for circular queues.

[gemini-code-assist]

There is some code duplication in the SAFE_MODE recovery logic for moving the .qi file. The branches for loadRet == RS_RET_OK and the else case both declare and construct the oldPath and newPath for the .qi file.

This can be refactored to reduce redundancy and improve maintainability by declaring the path variables and calling snprintf once before the if/else block.

            if (loadRet == RS_RET_OK) {
                if (pThis->tVars.disk.pWrite) strm.Destruct(&pThis->tVars.disk.pWrite);
                if (pThis->tVars.disk.pReadDeq) strm.Destruct(&pThis->tVars.disk.pReadDeq);
                if (pThis->tVars.disk.pReadDel) strm.Destruct(&pThis->tVars.disk.pReadDel);
            }

            char oldPath[MAXFNAME];
            char newPath[MAXFNAME];
            snprintf(oldPath, sizeof(oldPath), "%s/%s.qi", pThis->pszSpoolDir, pThis->pszFilePrefix);
            snprintf(newPath, sizeof(newPath), "%s/%s.qi", badDir, pThis->pszFilePrefix);

            if (loadRet == RS_RET_OK) {
                if (rename(oldPath, newPath) != 0) {
                    LogError(errno, RS_RET_ERR, "queue corruption: could not move .qi file to recovery directory");
                }
            } else {
                struct stat sb;
                if (stat(oldPath, &sb) == 0) {
                    if (rename(oldPath, newPath) != 0) {
                        LogError(errno, RS_RET_ERR, "queue corruption: could not move .qi file to recovery directory");
                    }
                }
            }

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 61278fbf31

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Disable DA mode during in-memory corruption fallback

Switching to linked-list mode here calls qConstructLinkedList, which runs qqueueChkIsDA and sets bIsDA=1 whenever pszFilePrefix is present (true for disk queues). As a result, qqueueStart() will still invoke InitDA() and spin up a disk queue, so queue.oncorruption=inMemory does not actually stay non-persistent and can re-enter disk recovery/startup paths.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Propagate oncorruption mode to DA child queue

This stores queue.oncorruption only on the parent queue object, but disk-assisted persistence is handled by the child disk queue created in StartDA(). Because that child setup copies many fields but not onCorruption, non-default values (ignore, inMemory) are silently dropped and the actual disk queue always runs with default SAFE behavior.

Useful? React with 👍 / 👎.

[github-actions]

📖 Documentation Preview Ready!

✅ Sphinx docs built and deployed for this PR.

🌐 Browse Online (Recommended):

📚 View Documentation Online →

🔗 Quick Links:

• Browse Online → http://rgerhards.github.io/rsyslog/pr-168/
• View workflow run → https://github.com/rgerhards/rsyslog/actions/runs/22189162509
• Download artifacts → https://github.com/rgerhards/rsyslog/actions/runs/22189162509#artifacts

---

🤖 This comment was generated by the docs workflow.

[rgerhards]

@cubic-dev-ai review

[cubic-dev-ai]

@cubic-dev-ai review

@rgerhards I have started the AI code review. It will take a few minutes to complete.

[cubic-dev-ai]

4 issues found across 6 files

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="tests/imjournal-basic.sh">

<violation number="1" location="tests/imjournal-basic.sh:74">
P2: Missing `shutdown_when_empty` / `wait_shutdown` before `exit 77` inside the retry loop. Rsyslog is already running at this point (started via `startup` earlier), and the later skip-block at line ~103 correctly shuts down before exiting. This path should do the same to avoid leaving an orphaned rsyslogd process.</violation>
</file>

<file name="tests/diskqueue-oncorruption-missing-segment.sh">

<violation number="1" location="tests/diskqueue-oncorruption-missing-segment.sh:80">
P1: Rule violated: **Code Quality Guard**

Typo: `${RSYSLOG_DYNNAME}:.pid` uses a colon instead of a dot. This silently fails to remove the PID file between test iterations, risking stale PIDs and flaky results.

This is a characteristic AI-generated slop pattern (SLOP_SCORE: high) — a single-character substitution that passes syntax checks but is functionally broken. No other test in the repo uses `:.pid`.</violation>

<violation number="2" location="tests/diskqueue-oncorruption-missing-segment.sh:100">
P1: The `inMemory` and `ignore` mode checks use `$STARTED_LOG` (the `.started` file), but rsyslog output is directed to `$RSYSLOGD_LOG` via `RS_REDIR`. The `safe` mode correctly checks `$RSYSLOGD_LOG` on line 92. These checks should likely also use `$RSYSLOGD_LOG` for consistency, otherwise the `inMemory` checks will fail spuriously and the `ignore` checks will pass trivially without actually verifying anything.</violation>
</file>

<file name="runtime/queue.c">

<violation number="1" location="runtime/queue.c:949">
P2: Rule violated: **Code Quality Guard**

Critical recovery function `qqueueVerifyAndRecover` (~200 lines, multiple recovery strategies, filesystem I/O, queue state mutation) has no Doxygen documentation. Per COMMENTING_STYLE.md §1, complex functions **must** have Doxygen blocks documenting purpose, preconditions, side effects, and return semantics. This function's contract is non-obvious: callers must know that it may switch the queue type to `LINKEDLIST`, destroy disk streams, move files on disk, or return `RS_RET_FILE_NOT_FOUND` to signal a fresh start. A `@brief`, `@param`, `@return`, and a note on threading assumptions (per runtime/AGENTS.md) are needed for maintainability of this corruption recovery logic.

Policy compliance (POLICY_COMPLIANCE ≈ 0.5): Missing mandatory Doxygen on complex function, missing doc updates for new `queue.oncorruption` config parameter (CONTRIBUTING.md requires documentation for new features).
Slop score (SLOP_SCORE ≈ 0.3): Code is defensive and thorough but underdocumented for its complexity.
AI probability (AI_PROBABILITY ≈ 0.8): PR was explicitly created by Jules AI agent; code shows characteristic AI patterns of exhaustive error handling with verbose log messages.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[cubic-dev-ai]

P1: The inMemory and ignore mode checks use $STARTED_LOG (the .started file), but rsyslog output is directed to $RSYSLOGD_LOG via RS_REDIR. The safe mode correctly checks $RSYSLOGD_LOG on line 92. These checks should likely also use $RSYSLOGD_LOG for consistency, otherwise the inMemory checks will fail spuriously and the ignore checks will pass trivially without actually verifying anything.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At tests/diskqueue-oncorruption-missing-segment.sh, line 100:

<comment>The `inMemory` and `ignore` mode checks use `$STARTED_LOG` (the `.started` file), but rsyslog output is directed to `$RSYSLOGD_LOG` via `RS_REDIR`. The `safe` mode correctly checks `$RSYSLOGD_LOG` on line 92. These checks should likely also use `$RSYSLOGD_LOG` for consistency, otherwise the `inMemory` checks will fail spuriously and the `ignore` checks will pass trivially without actually verifying anything.</comment>

<file context>
@@ -0,0 +1,118 @@
+		fi
+		;;
+	inMemory)
+		content_check "Queue corruption detected. Entering emergency in-memory mode" "$STARTED_LOG"
+		content_check "pure in-memory emergency mode" "$STARTED_LOG"
+		;;
</file context>

[cubic-dev-ai]

P1: Rule violated: Code Quality Guard

Typo: ${RSYSLOG_DYNNAME}:.pid uses a colon instead of a dot. This silently fails to remove the PID file between test iterations, risking stale PIDs and flaky results.

This is a characteristic AI-generated slop pattern (SLOP_SCORE: high) — a single-character substitution that passes syntax checks but is functionally broken. No other test in the repo uses :.pid.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At tests/diskqueue-oncorruption-missing-segment.sh, line 80:

<comment>Typo: `${RSYSLOG_DYNNAME}:.pid` uses a colon instead of a dot. This silently fails to remove the PID file between test iterations, risking stale PIDs and flaky results.

This is a characteristic AI-generated slop pattern (SLOP_SCORE: high) — a single-character substitution that passes syntax checks but is functionally broken. No other test in the repo uses `:.pid`.</comment>

<file context>
@@ -0,0 +1,118 @@
+	bad_before=$(find "$SPOOL_DIR" -maxdepth 1 -mindepth 1 -type d -name 'mainq.bad.*' | wc -l)
+	: > "$RSYSLOGD_LOG"
+	: > "$STARTED_LOG"
+	rm -f "${RSYSLOG_DYNNAME}.started" "${RSYSLOG_DYNNAME}.imdiag.port" "${RSYSLOG_DYNNAME}:.pid"
+	: > "$STARTED_LOG"
+
</file context>

[cubic-dev-ai]

P2: Rule violated: Code Quality Guard

Critical recovery function qqueueVerifyAndRecover (~200 lines, multiple recovery strategies, filesystem I/O, queue state mutation) has no Doxygen documentation. Per COMMENTING_STYLE.md §1, complex functions must have Doxygen blocks documenting purpose, preconditions, side effects, and return semantics. This function's contract is non-obvious: callers must know that it may switch the queue type to LINKEDLIST, destroy disk streams, move files on disk, or return RS_RET_FILE_NOT_FOUND to signal a fresh start. A @brief, @param, @return, and a note on threading assumptions (per runtime/AGENTS.md) are needed for maintainability of this corruption recovery logic.

Policy compliance (POLICY_COMPLIANCE ≈ 0.5): Missing mandatory Doxygen on complex function, missing doc updates for new queue.oncorruption config parameter (CONTRIBUTING.md requires documentation for new features).
Slop score (SLOP_SCORE ≈ 0.3): Code is defensive and thorough but underdocumented for its complexity.
AI probability (AI_PROBABILITY ≈ 0.8): PR was explicitly created by Jules AI agent; code shows characteristic AI patterns of exhaustive error handling with verbose log messages.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At runtime/queue.c, line 949:

<comment>Critical recovery function `qqueueVerifyAndRecover` (~200 lines, multiple recovery strategies, filesystem I/O, queue state mutation) has no Doxygen documentation. Per COMMENTING_STYLE.md §1, complex functions **must** have Doxygen blocks documenting purpose, preconditions, side effects, and return semantics. This function's contract is non-obvious: callers must know that it may switch the queue type to `LINKEDLIST`, destroy disk streams, move files on disk, or return `RS_RET_FILE_NOT_FOUND` to signal a fresh start. A `@brief`, `@param`, `@return`, and a note on threading assumptions (per runtime/AGENTS.md) are needed for maintainability of this corruption recovery logic.

Policy compliance (POLICY_COMPLIANCE ≈ 0.5): Missing mandatory Doxygen on complex function, missing doc updates for new `queue.oncorruption` config parameter (CONTRIBUTING.md requires documentation for new features).
Slop score (SLOP_SCORE ≈ 0.3): Code is defensive and thorough but underdocumented for its complexity.
AI probability (AI_PROBABILITY ≈ 0.8): PR was explicitly created by Jules AI agent; code shows characteristic AI patterns of exhaustive error handling with verbose log messages.</comment>

<file context>
@@ -863,6 +870,380 @@ static rsRetVal qDelLinkedList(qqueue_t *pThis) {
+    return bsearch(&key, files, (size_t)nFiles, sizeof(fileEntry_t), fileEntryCmpByNumber) != NULL;
+}
+
+static rsRetVal qqueueVerifyAndRecover(qqueue_t *pThis, rsRetVal loadRet) {
+    DEFiRet;
+    DIR *d = NULL;
</file context>

Suggested change

	static rsRetVal qqueueVerifyAndRecover(qqueue_t *pThis, rsRetVal loadRet) {
	/**
	* @brief Verify disk queue integrity and recover from corruption.
	*
	* Scans the spool directory for queue segment files and validates them against
	* the state loaded from the .qi checkpoint file. Depending on the configured
	* `queue.onCorruption` policy, the function either ignores corruption, moves
	* corrupt files to a `.bad` recovery directory and signals a fresh start
	* (SAFE_MODE), or switches the queue to a pure in-memory LinkedList mode
	* (IN_MEMORY).
	*
	* @pre Called during qConstructDisk(), after qqueueTryLoadPersistedInfo().
	* Disk streams (pWrite, pReadDeq, pReadDel) may or may not be
	* initialized depending on @p loadRet.
	* @post On RS_RET_OK with qType changed to LINKEDLIST: queue is now in-memory.
	* On RS_RET_FILE_NOT_FOUND: corrupt files moved; caller should construct
	* fresh disk streams.
	* On RS_RET_OK with qType unchanged: queue state validated successfully.
	*
	* @note Threading: called only during single-threaded queue construction;
	* no additional locking required.
	*
	* @param pThis Queue object being constructed.
	* @param loadRet Return value from qqueueTryLoadPersistedInfo().
	* @return RS_RET_OK on success or in-memory switch, RS_RET_FILE_NOT_FOUND
	* for fresh-start after safe-mode recovery, or error code on failure.
	*/
	static rsRetVal qqueueVerifyAndRecover(qqueue_t *pThis, rsRetVal loadRet) {

[cubic-dev-ai]

2 issues found across 5 files (changes from recent commits).

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="action.c">

<violation number="1" location="action.c:114">
P2: Custom agent: **Code Quality Guard**

Duplicated `static inline wtiShutdownImmediate()` in `action.c` and `runtime/ruleset.c` — this is a copy-paste pattern that should be consolidated into `runtime/wti.h` where the `wti_t` struct members it accesses (`pbShutdownImmediate`, `pmutShutdownImmediate`) are declared. Duplicating atomic-safety wrappers across files creates a maintenance hazard: if the access pattern needs to change, both copies must be updated in lockstep.

SLOP_SCORE is elevated: this is a lazy patch pattern (copy-paste instead of proper shared definition).</violation>
</file>

<file name="runtime/queue.c">

<violation number="1" location="runtime/queue.c:240">
P2: Custom agent: **Code Quality Guard**

The `const` qualifier on `pThis` in `qqueueShutdownImmediateGet` creates a const-correctness violation on platforms without atomic builtins. `QQUEUE_SHUTDOWN_HELPER_MUT(pThis)` would yield `const pthread_mutex_t *` (via `&pThis->mutQueueSize`), but `ATOMIC_FETCH_32BIT` expects `pthread_mutex_t *`. This will produce a compiler warning, violating the project's "compile cleanly with no warnings on both gcc and clang" policy (CONTRIBUTING.md). The cast `(int *)&pThis->bShutdownImmediate` also discards const. Remove the `const` from the `pThis` parameter — atomic reads are logically non-const operations since they may acquire a mutex.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[cubic-dev-ai]

P2: Custom agent: Code Quality Guard

Duplicated static inline wtiShutdownImmediate() in action.c and runtime/ruleset.c — this is a copy-paste pattern that should be consolidated into runtime/wti.h where the wti_t struct members it accesses (pbShutdownImmediate, pmutShutdownImmediate) are declared. Duplicating atomic-safety wrappers across files creates a maintenance hazard: if the access pattern needs to change, both copies must be updated in lockstep.

SLOP_SCORE is elevated: this is a lazy patch pattern (copy-paste instead of proper shared definition).

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At action.c, line 114:

<comment>Duplicated `static inline wtiShutdownImmediate()` in `action.c` and `runtime/ruleset.c` — this is a copy-paste pattern that should be consolidated into `runtime/wti.h` where the `wti_t` struct members it accesses (`pbShutdownImmediate`, `pmutShutdownImmediate`) are declared. Duplicating atomic-safety wrappers across files creates a maintenance hazard: if the access pattern needs to change, both copies must be updated in lockstep.

SLOP_SCORE is elevated: this is a lazy patch pattern (copy-paste instead of proper shared definition).</comment>

<file context>
@@ -111,6 +111,9 @@ static rsRetVal doSubmitToActionQComplex(action_t *const pAction, wti_t *const p
 static rsRetVal doSubmitToActionQNotAllMark(action_t *const pAction, wti_t *const pWti, smsg_t *);
 static void ATTR_NONNULL() actionSuspend(action_t *const pThis, wti_t *const pWti);
 static void ATTR_NONNULL() actionRetry(action_t *const pThis, wti_t *const pWti);
+static inline int wtiShutdownImmediate(const wti_t *const pWti) {
+    return ATOMIC_FETCH_32BIT(pWti->pbShutdownImmediate, pWti->pmutShutdownImmediate);
+}
</file context>

[cubic-dev-ai]

P2: Custom agent: Code Quality Guard

The const qualifier on pThis in qqueueShutdownImmediateGet creates a const-correctness violation on platforms without atomic builtins. QQUEUE_SHUTDOWN_HELPER_MUT(pThis) would yield const pthread_mutex_t * (via &pThis->mutQueueSize), but ATOMIC_FETCH_32BIT expects pthread_mutex_t *. This will produce a compiler warning, violating the project's "compile cleanly with no warnings on both gcc and clang" policy (CONTRIBUTING.md). The cast (int *)&pThis->bShutdownImmediate also discards const. Remove the const from the pThis parameter — atomic reads are logically non-const operations since they may acquire a mutex.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At runtime/queue.c, line 240:

<comment>The `const` qualifier on `pThis` in `qqueueShutdownImmediateGet` creates a const-correctness violation on platforms without atomic builtins. `QQUEUE_SHUTDOWN_HELPER_MUT(pThis)` would yield `const pthread_mutex_t *` (via `&pThis->mutQueueSize`), but `ATOMIC_FETCH_32BIT` expects `pthread_mutex_t *`. This will produce a compiler warning, violating the project's "compile cleanly with no warnings on both gcc and clang" policy (CONTRIBUTING.md). The cast `(int *)&pThis->bShutdownImmediate` also discards const. Remove the `const` from the `pThis` parameter — atomic reads are logically non-const operations since they may acquire a mutex.</comment>

<file context>
@@ -231,6 +231,20 @@ DEFobjCurrIf(glbl) DEFobjCurrIf(strm) DEFobjCurrIf(datetime) DEFobjCurrIf(statso
+    #define QQUEUE_SHUTDOWN_HELPER_MUT(pThis) (&(pThis)->mutQueueSize)
+#endif
+
+static inline int qqueueShutdownImmediateGet(const qqueue_t *const pThis) {
+    return ATOMIC_FETCH_32BIT((int *)&pThis->bShutdownImmediate, QQUEUE_SHUTDOWN_HELPER_MUT(pThis));
+}
</file context>

Suggested change

	static inline int qqueueShutdownImmediateGet(const qqueue_t *const pThis) {
	static inline int qqueueShutdownImmediateGet(qqueue_t *const pThis) {