Bug#480154: FTBFS on mips (cgiupload tests fail)

Niko Tyni ntyni at debian.org
Sun Aug 10 19:09:20 UTC 2008


tag 480154 patch
thanks

On Sat, Aug 02, 2008 at 05:15:32PM +0200, Ana Guerrero wrote:
> On Mon, May 26, 2008 at 03:22:55PM +0300, Niko Tyni wrote:
> > On Thu, May 08, 2008 at 02:09:10PM +0300, Damyan Ivanov wrote:
> > > Package: libapache2-mod-perl2
> > > Version: 2.0.4-1
> > > Severity: serious
> > > 
> > > 2.0.4-1 fails to build on mips[1].
> > > 
> > >     [1] http://buildd.debian.org/fetch.cgi?&pkg=libapache2-mod-perl2&ver=2.0.4-1&arch=mips&stamp=1209964732&file=log
> > > 
> > >     t/modules/cgipost2......................ok
> > >     t/modules/cgiupload.....................# Failed test 2 in
> > >     t/modules/cgiupload.t at line 36 fail #2
> > >     FAILED test 2
> > >         Failed 1/2 tests, 50.00% okay
> > >     t/modules/cgiupload2....................# Failed test 2 in
> > >     t/modules/cgiupload2.t at line 36 fail #2
> > >     FAILED test 2
> > >         Failed 1/2 tests, 50.00% okay
> > 
> > This just happened to me once on amd64+sbuild; the next try succeeded.
> > Probably a race condition in the test suite. Reopening and downgrading
> > to 'important' (as usual for low-probability FTBFS bugs).
> 
> I just reproduced this, tried again on a different machine and got the FTBFS
> again. I am afraid it is not a low-probability FTBFS bug.
> I am upgrading to serious.

OK, I think I've got it now. The fix is to build-depend on 
libcgi-pm-perl (>= 3.33). From the CGI.pm changelog at 3.33:

   3. Fixed failure of tempfile upload due to sprintf() taint failure in perl 5.10

See http://rt.perl.org/rt3/Public/Bug/Display.html?id=50322

For those interested, some notes:

- t/modules/cgiupload fails all its tests if run alone with e.g.
   APACHE_TEST_EXTRA_ARGS="-httpd_conf /etc/apache2/apache2.conf t/modules/cgiupload"  make test
  but if t/modules/cgi.t is run first, everything seems fine:
   APACHE_TEST_EXTRA_ARGS="-httpd_conf /etc/apache2/apache2.conf t/modules/cgi t/modules/cgiupload"  make test

- the difference is that the server-side part of cgi.t,
  t/response/TestModules/cgi.pm, has 'PerlOptions -SetupEnv'

- this means that 'SetEnv TMPDIR @t_logs@' in t/conf/extra.conf.in doesn't get
  activated when cgi.t is run first

- if $ENV{TMPDIR} is set when first running CGI->new(), its tainted
  value is used as an sprintf() format up until CGI.pm 3.33, leading to
  a fatal exception introduced in Perl 5.10. From t/logs/error.log:

  [Sun Aug 10 21:05:53 2008] [error] [client 127.0.0.1] Insecure dependency in sprintf while running with -T switch at (eval 149) line 6.\n

- this is an internal server error, so the length of the returned
  document isn't the one expected and the test fails

- the difficulty in reproducing this is because Apache will create new
  children/threads non-deterministically (possibly based on server
  load?), and the test only fails when run in a new child that hasn't
  run t/response/TestModules/cgi.pm first.

- the bug can be made more reproducible by increasing the loop count in
  t/modules/cgiupload.t from 2 to something like 100, but I still can't
  see it in a full 'make test' run myself. This makes it always show
  up when only running cgi.t and cgiupload.t, though.

- I *think* what happens is that on a loaded build host, the tests may
  get all the way up to cgiupload.t in a single server interpreter
  because the client side runs slowly, and a new child is only created
  in the cgiupload.t loop.

- in any case, installing libcgi-pm-perl fixes the problem for me
  (although there's still an upstream mod_perl2 bug in that TMPDIR isn't
  inside the build sandbox all the time).

Cheers,
-- 
Niko Tyni   ntyni at debian.org
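
The taint failure described in the notes above, reduced to a stand-alone script. This is an added example, not code from CGI.pm, mod_perl or the original message; the path, the counter and the way the sample value is tainted are constructed for illustration. Run it with `perl -T` on Perl 5.10 or later.

```perl
# Run with: perl -T taint_sprintf.pl   (the file name is arbitrary)
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Constructed sample: a TMPDIR-like path, made tainted by appending a
# zero-length slice of environment data. This stands in for a value that
# reached the interpreter through 'SetEnv TMPDIR ...'.
my $tmpdir = '/tmp/t_logs' . substr(join('', %ENV), 0, 0);
die "run under -T with a non-empty environment\n" unless tainted($tmpdir);

my $seq = 42;    # constructed counter for the temp file name

# Failing pattern: tainted data interpolated into the sprintf() format.
# Perl 5.10 and later reject a tainted format with a fatal
# "Insecure dependency in sprintf" error, caught here by eval.
my $bad = eval { sprintf("$tmpdir/CGItemp%d", $seq) };
print "tainted data in the format:   ",
      defined $bad ? "ok ($bad)\n" : "died: $@";

# Working pattern: constant format, tainted data passed as an argument.
my $good = eval { sprintf('%s/CGItemp%d', $tmpdir, $seq) };
print "tainted data as an argument:  ",
      defined $good ? "ok ($good)\n" : "died: $@";

# Passing the value as an argument does not launder it: the result is
# still tainted and needs validation before it names a file to create.
print "result still tainted:         ",
      (tainted($good) ? "yes" : "no"), "\n";
```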




