On Dec 30, 2016 14:55, "Stefan Fritsch" <s...@sfritsch.de> wrote:

Hi,

it's quite rare that I have a bit of time for httpd nowadays. But I want to
comment on a mail that Jacob Champion wrote on -security that contains some
valid points about the lack of our test framework. I am posting this to -dev
with his permission.

On Wednesday, 21 December 2016 08:55:30 CET Jacob Champion wrote:
> - Our APIs are really complex, and we don't really have unit tests for
> them. Nor are the internal APIs documented as well as the external APIs
> are. We had a few false starts for security fixes this release that were
> later shown to break something else, and I think that's related.

Yes, httpd lacks unit tests. One problem is that many APIs depend on very
complex structs like request_rec, conn_rec, server_conf, etc. In order to
write unit tests for such APIs, one would need to write quite a bit of
infrastructure to set these things up. I think it would be worth the effort,
but it's not a small task. As there does not seem to be anybody with enough
spare time to do it, one could possibly ask someone (CII?) for funding.

A possible approach would be to compile the unit tests in the server and
execute them on startup if a special define is given (like the various DUMP_*
defines). Not sure how to get access to all the static helper functions for
unit tests, though. Unless one would somehow include the tests in the same .c
file.


Thinking two things would help.

Splitting our functional utilities into a libaputil would make it much
easier to write the tests that exercise these elements of our code.

And what I found easiest is a dedicated module to provide diagnostics or
tests. When not loaded, they are skipped.
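
The approach raised in this thread (tests compiled into the same .c file as the static helpers, enabled by a build define and run at startup), as an added example that is not part of either message and not httpd code. The names `is_http_token`, `util_demo_selftest` and `DEMO_SELFTEST` are hypothetical, and the test cases are constructed.

```c
/* util_demo.c: hypothetical translation unit, not httpd source. */
#include <stddef.h>
#include <string.h>

/* Normally set by the build (-DDEMO_SELFTEST=1); defaulted on so this runs. */
#ifndef DEMO_SELFTEST
#define DEMO_SELFTEST 1
#endif

/* Static helper: invisible to other .c files, so an external test cannot
 * call it. Returns 1 if s is a non-empty HTTP token (RFC 7230 tchar), else 0. */
static int is_http_token(const char *s)
{
    static const char extra[] = "!#$%&'*+-.^_`|~";
    if (s == NULL || *s == '\0')
        return 0;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        int alnum = (c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z')
                 || (c >= 'a' && c <= 'z');
        if (!alnum && strchr(extra, c) == NULL)
            return 0;
    }
    return 1;
}

#if DEMO_SELFTEST
/* Constructed cases; they sit in the same file to reach the static helper. */
static const struct { const char *in; int want; } token_cases[] = {
    { "Content-Length", 1 },
    { "X_custom.header~1", 1 },
    { "", 0 },
    { "Bad Header", 0 },       /* space is not a tchar */
    { "Name:", 0 },            /* colon is a separator */
    { "Evil\r\nInjected", 0 }  /* CR/LF must never pass */
};

/* Non-static entry point a server could call at startup; returns failures. */
int util_demo_selftest(void)
{
    int failures = 0;
    size_t i;
    for (i = 0; i < sizeof token_cases / sizeof token_cases[0]; i++)
        if (is_http_token(token_cases[i].in) != token_cases[i].want)
            failures++;
    return failures;
}
int main(void) { return util_demo_selftest() ? 1 : 0; }
#endif
```

Building without the define set to 1 drops the test table and entry point entirely, so the production object carries no test code.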
