
post-mortem: the 8.0.0 mishap

From: Daniel Stenberg via curl-library <curl-library_at_lists.haxx.se>
Date: Tue, 21 Mar 2023 15:32:45 +0100 (CET)

Hi,

We worked out exactly WHY we shipped curl 8.0.0 with a problem that caused
immediate test failures.

A while back we merged several CI job files into a single "linux.yml" file to
make them easier to manage.

In that (multi state) merge, some of the old CI jobs had valgrind enabled when
the tests ran, but the valgrind package was not installed by linux.yml at
that point and we did not spot that we with this merge basically stopped
running CI jobs with valgrind enabled.

Obviously, we had also previously disabled the -fsanitize jobs we have had in
the past so there was also none of those running that could detect this.

We *THOUGHT* we were all right and that all tests were good, but in fact this
was a lie because we did not know how they actually ran with valgrind enabled.

Obviously none of us developers ran all the tests locally often enough to
detect this case either.

When 8.0.0 subsequently shipped and users ran the full test suite with
valgrind the problem was immediately detected and it was reported to us within
hours of the release.

It took me some additional 90 minutes of deliberating and research (involving
peeps in the IRC channel) to land on the conclusion that we really needed an
8.0.1 and I then emailed this list about it.

The easy fix was to revert the offending commit and release 8.0.1 without it.
I still want that particular fix done so I'm doing a second attempt (#10801)
that I will not merge until it has been properly verified with valgrind.

The PR #10798 is me putting valgrind into the linux.yml job so that we again
do better tests. It reveals a few additional problems that I also need to work
on, for example memory leaks when using hyper: #10803

Left to do: add a build (or three) that uses clang's and/or gcc's
-fsanitize=address,undefined,signed-integer-overflow instead of valgrind, to
help us detect mistakes such as the one shipped in 8.0.0.

Thanks for flying curl. Never a dull moment.

-- 
  / daniel.haxx.se
  | Commercial curl support up to 24x7 is available!
  | Private help, bug fixes, support, ports, new features
  | https://curl.se/support.html
Received on 2023-03-21
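
The failure described in the mail above is a CI job that expects valgrind but keeps passing when the package is missing. The following is an added example, not part of the original mail or of curl's CI files: a fail-closed preflight check for that case. The function name `preflight` and the stub directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. preflight and the tool list passed to it are hypothetical
# names, not taken from curl's linux.yml.

# preflight "<space-separated tools>" [colon-separated search path]
# Returns 0 only when every expected tool is an executable file somewhere
# in the search path (default: $PATH). Each missing tool is named on stderr.
preflight() {
    expected=$1
    search=${2:-$PATH}
    missing=0
    for tool in $expected; do
        found=no
        old_ifs=$IFS
        IFS=:
        for dir in $search; do
            [ -n "$dir" ] || dir=.          # empty PATH entry means cwd
            if [ -f "$dir/$tool" ] && [ -x "$dir/$tool" ]; then
                found=yes
                break
            fi
        done
        IFS=$old_ifs
        if [ "$found" = no ]; then
            echo "preflight: job expects '$tool' but it is not installed" >&2
            missing=1
        fi
    done
    return "$missing"
}

# Constructed demo: a temporary directory with a stub "valgrind" stands in
# for a runner image that has the package; an empty one for an image without.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/with" "$demo_dir/without"
printf '#!/bin/sh\nexit 0\n' > "$demo_dir/with/valgrind"
chmod +x "$demo_dir/with/valgrind"
if preflight "valgrind" "$demo_dir/with"; then
    echo "image with valgrind: tests may run"
fi
if ! preflight "valgrind" "$demo_dir/without"; then
    echo "image without valgrind: job stops before the tests"
fi
rm -rf "$demo_dir"
```

Run as the step before the test suite, a check like this turns a missing package into a red job instead of a quiet loss of coverage.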