as release is getting close, I've performed cppcheck analysis https://github.com/haproxy/haproxy/issues/1939 https://github.com/haproxy/haproxy/issues/1940 https://github.com/haproxy/haproxy/issues/1941
let me know, if it is noisy/useless, I'm fine with cdiscarding cppcheck issues (however, it is not trivial to suppress them) Ilya пт, 18 нояб. 2022 г. в 21:56, Willy Tarreau <w...@1wt.eu>: > Hi, > > HAProxy 2.7-dev9 was released on 2022/11/18. It added 168 new commits > after version 2.7-dev8. > > I know, one month has elapsed since -dev8, but some of us were fully > busy preparing the haproxyconf and others dealing alone with the bug > reports, so now we have to catch up slowly. On the other hand, these > efforts were rewarded since many bugs were addressed and the feedback > on the conf was generally excellent. > > No less than 41 bugs were addressed since -dev8, that's about 2 per work > day, and most of them are now of low importance so we're converging. > However I find that there's still an annoying number of small ones in the > issue tracker, which are not necessarily regressions but which deserve > being analysed a bit, and this takes time. > > I'll try to sum up one month of changes below by mostly focusing on > user-visible ones (including developers): > > - USE_SHM_OPEN that is used to preserve startup logs across reloads > operated by the master process was extended by default to the > linux-musl and freebsd targets. > > - tree-wide update to the "fallthrough" hint to tell the compiler to > shut up on missing breaks between switch/case statements: those who > were dealing with preprocessing followed by compiling with compilers > starting with gcc 7 were still seeing lots of warnings due to the > preprocessor stripping the comments and the compiler not seeing them. > This typically happened for those using distcc or ccache (could > possibly trigger for some distros using build farms). > > - xxhash was updated to version 0.8.1 to address the similar fallthrough > issue as above (very few other differences so that's OK). > > - fixed the build issue that was breaking DEBUG_MEM_STATS on old > compilers; it was my fault for putting quotes around symbol names > where it was inappropriate. > > - fixed build issues for dev/poll and dev/tcploop which were ignoring > changes to the source file, and mis-reporting certain build steps. > > - various QUIC build fixes on m68k, 32-bit platforms in general, and > worked around a wrong warning from gcc-12. Usual number of updates > including more counters and code cleanups/refactoring. By the way, > we'd like to thank Gabriel Tzagkarakis for his amazing help in fixing > the remaining QUIC bugs over the last month. > > - the support for completely obsolete and abandonned set-cookie2 was > finally removed (thanks Tim for the reminder). It was planned for 2.5 > already but we forgot it and it was not suitable to break the 2.5->2.6 > transition. > > - mux-h1's connection handling was refined so that the stream code > depends > less on the low-level connection status. This is part of the permanent > quest to report the most accurate errors possible and not to report any > when everything went fine. Mux-h2 experienced a similar but smaller > cleanup (it's trickier and we don't want to risk regressions now). > > - SSL certiticate error checking was ignoring decoding errors and was > fixed. There is a non-nul risk that errors are now reported at boot > time from broken certs that would already not work anyway but would > have been silently ignored. > > - ca-ignore-err and crt-ignore-err can now use an error contant name > and not just a value (since openssl found it fun to change the > documented values between 1.x and 3.0). In addition, such options > were previously limited to the 64 first values, this is no longer > the case. > > - a new "trace" statement can be placed in the global section, using > the exact same syntax as on the CLI. It requires that the directive > "expose-experimental-directives" is set first because we're not certain > it will remain like this, but it significantly improves operations for > users willing to share traces with developers during debugging > sessions, > so we figured that any format would be better than nothing. > > - a "quick-exit" keyword was added to the global section so that those > who absolutely need to skip deinit() on quick reload can do it. The > time savings are only marginal, however it could have been a useful > workaround a few times in the past when triggering a double-free in > deinit(). > > - the "debug dev memstats" output now also displays where buffers are > allocated and released. This should help track leaks when they happen. > > - the "peers" section now supports a principle of sharding. The idea is > that when you have to push lots of updates to some aggregating nodes, > the amount of traffic can quickly become a limiting factor. With this > it becomes possible to use different targets for different keys. The > keys are hashed with the tables' names and only the relevant peers get > them. > > - the stderr logs could exhibit the prefix "CLI" after an "add server" > command had been issued on the same thread. Now it will always be > properly cleared. However some users who might have been observing > the random faulty behavior could notice a difference. > > - SSL error reporting upon startup was made clearer; previously, some > errors could appear ambigous when loading certs and CAs. > > - "nbthread", "thread-group" and "thread-groups" will now refuse to be > changed after any section other than "global". We've indeed identified > a number of nasty chicken-and-egg situations where the risk that the > thread count or the thread-to-group mapping changes after a "bind" line > (or possibly other statements) makes certain things very difficult to > deal with. One of them was the need to support "bind" lines spreading > over multiple groups, as well as automatic shards. There's very little > chance anyone has fun adding an extra "global" section after other > ones just to change "nbthread", but just in case we'd rather fire an > error now than during the 2.7->2.8 transition. > > - CI improvements such as 32-bit builds and libreSSL updates. > > - lots of code cleanups and some flag renames > > - various small doc updates > > As you can see there's nothing really outstanding, lots of small stuff > that had to be finished and that takes time. On the todo list of things > that were not yet added to the issue tracker, I can cite: > > - need to make the servers' idle conns counter per-thread group. I > noticed already that when using thread groups, we were killing > connections far too aggressively since they can't be shared between > groups and we tend to end up with slightly more than the estimated > limit. I finally figured how to address this but that's yet another > day of work so it will be in next one. > > - I found that "timeout check" fails to extend the check delay when > running with short checks. I'm pretty sure it used to work and don't > know when it broke. This will not hold 2.7 though. > > The other issues I'm seeing in the tracker are not 2.7-specific for now > but I still want to think about some of them with 2.7 in mind to be sure > not to face post-release trouble. > > Hopefully in the second half of next week we can emit a -dev10 if some > stuff requires it to ease testing, and if everything goes well it looks > reasonable to aim for a release in the middle of the week after to stay > on end of month. There's no strict schedule as usual, and I'm fine with > slipping a little bit but only if we have good reasons (i.e. not "I > found this patch in my tree" nor "I haven't had time to test"). This > means that if you'd like to run some tests on your favorite OS, or if > you need to boot the old dusty Solaris, OpenBSD or AIX machine that > sleeps in the basement and takes one hour to build, now is the best > moment for it. > > Please find the usual URLs below : > Site index : https://www.haproxy.org/ > Documentation : https://docs.haproxy.org/ > Wiki : https://github.com/haproxy/wiki/wiki > Discourse : https://discourse.haproxy.org/ > Slack channel : https://slack.haproxy.org/ > Issue tracker : https://github.com/haproxy/haproxy/issues > Sources : https://www.haproxy.org/download/2.7/src/ > Git repository : https://git.haproxy.org/git/haproxy.git/ > Git Web browsing : https://git.haproxy.org/?p=haproxy.git > Changelog : https://www.haproxy.org/download/2.7/src/CHANGELOG > Pending bugs : https://www.haproxy.org/l/pending-bugs > Reviewed bugs : https://www.haproxy.org/l/reviewed-bugs > Code reports : https://www.haproxy.org/l/code-reports > Latest builds : https://www.haproxy.org/l/dev-packages > > Willy > --- > Complete changelog : > Amaury Denoyelle (24): > BUILD: ssl_sock: fix null dereference for QUIC build > BUG/MINOR: quic: fix buffer overflow on retry token generation > MINOR: quic: add version field on quic_rx_packet > MINOR: quic: extend pn_offset field from quic_rx_packet > MINOR: quic: define first packet flag > MINOR: quic: extract connection retrieval > MINOR: quic: split and rename qc_lstnr_pkt_rcv() > MINOR: quic: refactor packet drop on reception > MINOR: quic: extend Retry token check function > BUG/MINOR: mux-quic: complete flow-control for uni streams > MINOR: quic: do not crash on unhandled sendto error > MINOR: quic: display unknown error sendto counter on stat page > MINOR: quic: remove unnecessary quic_session_accept() > BUG/MINOR: quic: fix subscribe operation > MINOR: quic: add counter for interrupted reception > BUG/MINOR: quic: fix race condition on datagram purging > CLEANUP: cli: rename dynamic error printing state > MINOR: cli: define usermsgs print context > MINOR: server: clear prefix on stderr logs after add server > BUILD: quic: fix dubious 0-byte overflow on qc_release_lost_pkts > MINOR: ncbuf: complete doc for ncb_advance() > BUG/MEDIUM: quic: fix unsuccessful handshakes on ncb_advance error > BUG/MEDIUM: quic: fix memleak for out-of-order crypto data > MINOR: quic: complete traces/debug for handshake > > Aurelien DARRAGON (6): > MINOR: list: fixing typo in MT_LIST_LOCK_ELT > DOC/MINOR: list: fixing MT_LIST_LOCK_ELT macro documentation > MINOR: list: adding MT_LIST_APPEND_LOCKED macro > BUG/MINOR: log: fixing bug in tcp syslog_io_handler Octet-Counting > BUG/MEDIUM: wdt/clock: properly handle early task hangs > BUG/MINOR: http_ana/txn: don't re-initialize txn and req var lists > > Christopher Faulet (39): > BUG/MINOR: log: Preserve message facility when the log target is a > ring buffer > BUG/MINOR: ring: Properly parse connect timeout > BUG/MEDIUM: compression: handle rewrite errors when updating > response headers > BUG/MINOR: sink: Only use backend capability for the sink proxies > BUG/MINOR: sink: Set default connect/server timeout for implicit > ring buffers > BUG/MAJOR: stick-table: don't process store-response rules for > applets > BUG/MINOR: http-htx: Fix error handling during parsing http replies > BUG/MINOR: resolvers: Don't wait periodic resolution on healthcheck > failure > BUG/MINOR: resolvers: Set port before IP address when processing SRV > records > BUG/MINOR: mux-fcgi: Be sure to send empty STDING record in case of > zero-copy > BUG/MEDIUM: mux-fcgi: Avoid value length overflow when it doesn't > fit at once > REG-TESTS: cache: Remove T-E header for 304-Not-Modified responses > MINOR: mux-h1: Remove usless code inside shutr callback > CLEANUP: mux-h1; Rename H1S_F_ERROR flag into H1S_F_ERROR_MASK > REORG: mux-h1: Reorg the H1C structure > CLEANUP: mux-h1: Rename H1C_F_ST_ERROR and H1C_F_ST_SILENT_SHUT flags > MINOR: mux-h1: Add a dedicated enum to deal with H1 connection state > MEDIUM: mux-h1: Handle H1C states via its state field instead of > H1C_F_ST_* > MINOR: mux-h1: Don't handle subscribe for reads in h1_process_demux() > CLEANUP: mux-h1: Rename H1C_F_ERR_PENDING into H1C_F_ABRT_PENDING > MINOR: mux-h1: Add flag on H1 stream to deal with internal errors > MEDIUM: mux-h1: Rely on the H1C to deal with shutdown for reads > CLEANUP: mux-h1: Reorder H1 connection flags to avoid holes > MEDIUM: mux-h1: Don't report a final error whe a message is aborted > MEDIUM: mux-pt: Don't always set a final error on SE on the sending > path > MEDIUM: mux-h2: Introduce flags to deal with connection read/write > errors > CLEANUP: mux-h2: Remove unused fields in h2c structures > MEDIUM: mux-fcgi: Introduce flags to deal with connection read/write > errors > MINOR: sconn: Set SE_FL_ERROR only when there is no more data to read > MINOR: mux-h1: Rely on a H1S flag to know a WS key was found or not > DOC: lua-api: Remove warning about the lua filters > BUG/MEDIUM: listener: Fix race condition when updating the global > mngmt task > CLEANUP: listener: Remove useless task_queue from > manage_global_listener_queue > BUG/MINOR: mux-h1: Fix error handling when H1S allocation failed on > client side > CLEANUP: mux-h1: Don't test h1c in h1_shutw_conn() > BUG/MEDIUM: raw-sock: Don't report connection error if something was > received > MINOR: cfgparse: Always check the section position > MEDIUM: thread: Restric nbthread/thread-group(s) to very first > global sections > BUILD: peers: Remove unused variables > > Dridi Boukelmoune (1): > IMPORT: slz: mention the potential header in slz_finish() > > Emeric Brun (2): > MINOR: peers: handle multiple resync requests using shards > BUG/MEDIUM: peers: messages about unkown tables not correctly ignored > > Frédéric Lécaille (3): > BUILD: quic: QUIC mux build fix for 32-bit build > BUILD: quic: Fix build for m68k cross-compilation > MINOR: peers: Support for peer shards > > Ilya Shipitsin (5): > BUILD: scripts: disable tests build on QuicTLS build > CI: add monthly gcc cross compile jobs > CLEANUP: assorted typo fixes in the code and comments > CI: switch to the "latest" LibreSSL > CI: enable QUIC for LibreSSL builds > > Mickael Torres (1): > BUG/MINOR: mux-h1: Do not send a last null chunk on body-less answers > > Miroslav Zagorac (1): > BUG/MINOR: httpclient: fixed memory allocation for the SSL ca_file > > Remi Tricot-Le Breton (6): > BUG/MINOR: ssl: Memory leak of DH BIGNUM fields > BUG/MINOR: ssl: Memory leak of AUTHORITY_KEYID struct when loading > issuer > BUG/MINOR: ssl: ocsp structure not freed properly in case of error > BUG/MEDIUM: ssl: Verify error codes can exceed 63 > BUG/MINOR: ssl: Fix potential overflow > BUG/MINOR: ssl: SSL_load_error_strings might not be defined > > Thierry Fournier (1): > BUG/MEDIUM: httpclient: segfault when the httpclient parser fails > > William Lallemand (22): > BUG/MEDIUM: httpclient/lua: crash when the lua task timeout before > the httpclient > BUG/MEDIUM: httpclient: check if the httpclient was released in the > IO handler > REGTESTS: httpclient/lua: test the lua task timeout with the > httpclient > CI: github: dump the backtrace of coredumps in the alpine container > BUILD: Makefile: add "USE_SHM_OPEN" on the linux-musl target > DOC: lua: add a note about compression w/ httpclient > CLEANUP: mworker/cli: rename the status function to loadstatus > MINOR: mworker/cli: does no try to dump the startup-logs w/o > USE_SHM_OPEN > MINOR: ssl: add the SSL error string when failing to load a > certificate > MINOR: ssl: add the SSL error string before the chain > MEDIUM: ssl: be stricter about chain error > MINOR: ssl: dump the SSL string error when SSL_CTX_use_PrivateKey() > failed. > CLEANUP: ssl: remove dead code in ssl_sock_load_pem_into_ckch() > MEDIUM: ssl: {ca,crt}-ignore-err can now use error constant name > MINOR: ssl: x509_v_err_str converter transforms an integer to a > X509_V_ERR name > BUG/MINOR: ssl: bind_conf is uncorrectly accessed when using QUIC > CLEANUP: ssl: remove printf in bind_parse_ignore_err > BUG/MINOR: ssl: crt-ignore-err memory leak with 'all' parameter > MINOR: ssl: ssl_sock_load_cert_chain() display error strings > MINOR: ssl: reintroduce ERR_GET_LIB(ret) == ERR_LIB_PEM in > ssl_sock_load_pem_into_ckch() > BUG/MINOR: ssl: don't initialize the keylog callback when not > required > BUILD: Makefile: enable USE_SHM_OPEN by default on freebsd > > Willy Tarreau (57): > BUILD: ssl_utils: fix build on gcc versions before 8 > BUILD: debug: remove unnecessary quotes in HA_WEAK() calls > CI: emit the compiler's version in the build reports > IMPORT: xxhash: update xxHash to version 0.8.1 > IMPORT: slz: declare len to fix debug build when optimal match is > enabled > IMPORT: slz: define and use a __fallthrough statement for switch/case > BUILD: compiler: add a macro to detect if another one is set and > equals 1 > BUILD: compiler: add a default definition for __has_attribute() > BUILD: compiler: define a __fallthrough statement for switch/case > BUILD: sample: use __fallthrough in smp_is_rw() and smp_dup() > BUILD: quic: use __fallthrough in quic_connect_server() > BUILD: ssl/crt-list: use __fallthrough in > cli_io_handler_add_crtlist() > BUILD: ssl: use __fallthrough in > cli_io_handler_commit_{cert,cafile_crlfile}() > BUILD: ssl: use __fallthrough in cli_io_handler_tlskeys_files() > BUILD: hlua: use __fallthrough in hlua_post_init_state() > BUILD: stream: use __fallthrough in stats_dump_full_strm_to_buffer() > BUILD: tcpcheck: use __fallthrough in check_proxy_tcpcheck() > BUILD: stats: use __fallthrough in stats_dump_proxy_to_buffer() > BUILD: peers: use __fallthrough in peer_io_handler() > BUILD: hash: use __fallthrough in hash_djb2() > BUILD: tools: use __fallthrough in url_decode() > BUILD: args: use __fallthrough in make_arg_list() > BUILD: acl: use __fallthrough in parse_acl_expr() > BUILD: spoe: use __fallthrough in spoe_handle_appctx() > BUILD: logs: use __fallthrough in build_log_header() > BUILD: check: use __fallthrough in __health_adjust() > BUILD: http_act: use __fallthrough in parse_http_del_header() > BUILD: h1_htx: use __fallthrough in h1_parse_chunk() > BUILD: vars: use __fallthrough in var_accounting_{diff,add}() > BUILD: map: use __fallthrough in cli_io_handler_*() > BUILD: compression: use __fallthrough in comp_http_payload() > BUILD: stconn: use __fallthrough in various shutw() functions > BUILD: prometheus: use __fallthrough in promex_dump_metrics() and IO > handler() > CLEANUP: stick-table: remove the unused table->exp_next > OPTIM: stick-table: avoid atomic ops in stktable_requeue_exp() when > possible > BUG/MEDIUM: stick-table: fix a race condition when updating the > expiration task > MEDIUM: http-ana: remove set-cookie2 support > MINOR: deinit: add a "quick-exit" option to bypass the deinit step > OPTIM: ebtree: make ebmb_insert_prefix() keep a copy the new node's > pfx > OPTIM: ebtree: make ebmb_insert_prefix() keep a copy the new node's > key > MINOR: pool/debug: create a new pool_alloc_flag() macro > MINOR: dynbuf: switch allocation and release to macros to better > track users > DOC: config: fix alphabetical ordering of global section > MINOR: trace: split the CLI "trace" parser in CLI vs statement > MEDIUM: trace: create a new "trace" statement in the "global" section > BUG/MEDIUM: ring: fix creation of server in uninitialized ring > BUILD: makefile: mark poll and tcploop targets as phony > BUILD: makefile: properly pass CC to sub-projects > BUILD: makefile: move default verbosity settings to include/make/ > verbose.mk > BUILD: makefile: use $(cmd_MAKE) in quiet mode > BUILD: makefile: move the compiler option detection stuff to > compiler.mk > DEV: poll: make the connect() step an action as well > DEV: poll: strip the "do_" prefix from reported function names > DEV: poll: indicate the FD's side in front of its value > BUG/MINOR: pool/cli: use ullong to report total pool usage in bytes > DOC: internal: commit notes about polling states and flags > DOC: internal: commit notes about polling states and flags on > connect() > > --- > >