Was not noticed since it is reported only with optimization enabled, as
stated in gcc(1):
The effectiveness of some warnings depends on optimizations also
being enabled. For example -Wsuggest-final-types is more effective with
link-time optimization and -Wmaybe-uninitialized does not warn at all
unless optimization is enabled.
And interesting thing is that it is reported only for -O2, not for -O3,
that's why I did not catched it in both cmake env that I had:
- debug (it has -O0)
- release (it has -O3)
While autoconf has -O2.
UBSAN reports:
test/regress_buffer.c:2360:2: runtime error: null pointer passed as argument 1, which is declared to never be null
/usr/include/string.h:140:33: note: nonnull attribute specified here
tinytest uses another way of detecting test failures, it uses pipe
between child and parent, and if the test function in child returns OK
it writes OK flag into pipe, and reads it in parent.
However sanitizers uses atexit handlers to detect leaks, and this will
not detect failures in case of exit() will be called from the atexit
handlers, fix this by checking status after waitpid().
UBSAN reports:
evbuffer/remove_buffer_with_empty3: ../buffer.c:1443:3: runtime error: null pointer passed as argument 2, which is declared to never be null
#0 0x7ffff6cd0410 in evbuffer_pullup ../buffer.c:1443
#1 0x5555556d68b9 in test_evbuffer_remove_buffer_with_empty3 ../test/regress_buffer.c:408
#2 0x5555557b95ee in testcase_run_bare_ ../test/tinytest.c:173
#3 0x5555557ba048 in testcase_run_one ../test/tinytest.c:333
#4 0x5555557bc0f8 in tinytest_main ../test/tinytest.c:527
#5 0x555555787702 in main ../test/regress_main.c:528
#6 0x7ffff606c001 in __libc_start_main (/usr/lib/libc.so.6+0x27001)
#7 0x55555569436d in _start (/src/le/libevent/.cmake-debug/bin/regress+0x14036d)
evutil.c:2559:1: runtime error: left shift of 1 by 31 places cannot be represented in type 'int'
#0 0x4f2be0 in EVUTIL_ISXDIGIT_ libevent/evutil.c:2559:1
#1 0x4bd689 in regname_ok libevent/http.c:4838:7
#2 0x4bc16b in parse_authority libevent/http.c:4958:9
#3 0x4bb8b5 in evhttp_uri_parse_with_flags libevent/http.c:5103:7
#4 0x4bb762 in evhttp_uri_parse libevent/http.c:5050:9
#5 0x4b8f41 in evhttp_parse_query_impl libevent/http.c:3505:9
#6 0x4b8ed7 in evhttp_parse_query libevent/http.c:3569:9
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=23291
Report: https://oss-fuzz.com/testcase-detail/5670743106125824
Added new option `edns-udp-size` for evdns_base which allows
to control maximum allowed size of UDP DNS messages. This
maximum size is passed to the DNS server via edns mechanism.
@jcoffland:
"When the max connection limit is enabled and the limit is reached, the
server will respond immediately with 503 Service Unavailable. This can
be used to prevent servers from running out of file descriptors. This is
better than request limiting because clients may make more than one
request over a single connection. Blocking a request does not
necessarily close the connection and free up a socket."
* http-max_connections-pr-592:
test: cover evhttp max connections
Added evhttp max simultaneous connection limiting
@seleznevae:
"Added support for DNS requests via TCP. By default, requests are done
via UDP. In case truncated response is received new attempt is done
via TCP connection. Added 2 new macros DNS_QUERY_USEVC and
DNS_QUERY_IGNTC to force all requests to be done via TCP and to disable
switch to TCP in case of truncated responses.
Also added possibility for DNS server to listen and receive requests on
TCP port. Current implementation of TCP support in DNS server seems
rather preliminary and maybe changes after discussion and code review.
Fallback to TCP in case of truncated DNS requests is done automatically.
To imitate the old behaviour macros DNS_QUERY_IGNTC should be used. To
force all DNS requests to be done via TCP one should use the flag
DNS_QUERY_USEVC. Names DNS_QUERY_IGNTC, DNS_QUERY_USEVC were chosen to
imitate similar flags in c-ares and glibc."
Ok, interfaces looks good, merging to avoid stalling it for too long.
* evdns-tcp-pr-1004:
evdns: fix coding style issues
evdns: fix trailing whitespaces
evdns: bufferevent_setcb before bufferevent_free is redundant
evdns: Implement dns requests via tcp
libevent is lacking a scalable backend on Windows. Let's leverage the wepoll
library until Windows comes up with an epoll/kqueue compete user mode API.
- All regress tests pass for standard wepoll
- These 2 tests fail intermittently for changelist wepoll, so disabling
changelist wepoll for now
http/cancel_inactive_server
http/stream_in
- verify target on Windows runs tests for both wepoll and win32 backends
- wepoll backend preferred over win32 backend
- wepoll version 1.5.6
v2: cleaner backend abstraction. Disallow wepoll on MinGW/Cygwin.
v3: Add wepoll.h to dist
v4: Make sure wepoll source files are excluded from cygwin/mingw builds
v5: Keep win32 as default backend on windows.
v6: Include wepoll in mingw builds. Verified that regress tests pass w/ WEPOLL backend.
v7: Enable wepoll on mingw when building with cmake
v8: Add wepoll testrunner for autotools test target
- EV_CLOSED is EPOLLRDHUP in epoll
- EPOLLRDHUP reported w/o EPOLLHUP if the socket closed with shutdown(SHUT_WR)
- EPOLLRDHUP reported w/ EPOLLHUP if the socket closed with close()
so in this case epoll backend will detect this event as error
(EV_READ|EV_WRITE), since the epoll_ctl() will return EPOLLRDHUP with
EPOLLHUP set, but this is not correct, let's fix this.
Fixes: #984
Fix undefined behaviour and application crash that might take
place in some rare cases after calling evdns_base_free when
there are requests in the waiting queue.
Current cleanup procedure in evdns_base_free_and_unlock
function includes 2 steps:
1. Finish all inflight requests.
2. Finish all waiting requests.
During the first step we iterate over each list in req_heads
structure and finish all requests in these lists. With current
logic finishing an inflight request (function request_finished)
removes it from the inflight requests container and forces
a wating connection to be sent (by calling
evdns_requests_pump_waiting_queue). When these new requests are
sent it is possible that they will be inserted to the list in
req_heads that we've already cleaned.
So in some cases container of the inflight requests is not empty
after this procedure and some requests are not finished and
deleted. When timeouts for these requests expire
evdns_request_timeout_callback is called but corresponding
evdns_base has been already deleted which causes undefined
behaviour and possible applicaton crash.
It is interesting to note that in old versions of libevent such
situation was not possible. This bug was introduced by the commit
14f84bbdc77d90b1d936076661443cdbf516c593. Before this commit
nameservers were deleted before finishing the requests. Therefore
it was not possible that requests from the waiting queue be sent
while we finish the inflight requests.