deps: upgrade zlib to 1.2.11 #10980
deps: upgrade zlib to 1.2.11 #10980
Conversation
nodejs-github-bot
added
zlib
|
No idea why the bot thinks this shouldn't land on 7.x, it cherry-picked clean for me onto 7.x staging. |
|
Yeah I think something has been wrong with the bot for awhile now, I've had to manually un-label that countless times. |
|
I thought the bot just didn't take into account that a PR would land as long as earlier PRs landed first - but this change depends on nothing, so it looks like its quite broken. |
|
The fips buildbot failed to download https://openssl.org/source/openssl-fips-2.0.9.tar.gz. @nodejs/build Can we cache it somewhere? It's a point of failure and not very good netizenship to download it with every CI run. |
sam-github
force-pushed
the
update-zlib
branch
from
c269e41
to
9fd1f63
Compare
|
Thanks, @bnoordhuis, done. I suppose zlib to be pretty stable, are the clean test results sufficient to land this, or is there anything else that can be done to increase confidence? |
|
A green CI should be good enough. |
|
@nodejs/ctc some more thumbs up please, and I'll land tomorrow. /cc @MylesBorins |
| deflateGetDictionary returns Z_OK on success, or Z_STREAM_ERROR if the | ||
| stream state is inconsistent. | ||
| */ | ||
|
|
There was a problem hiding this comment.
Does this correspond to semver-minor? Looking at other diffs in zlib.h, there seems API/ABI compatible fortunately.
There was a problem hiding this comment.
You believe that it is ABI compatible? Do we have a way of testing this? @MylesBorins you mentioned an "ABI roaster"?
There was a problem hiding this comment.
You believe that it is ABI compatible?
As far as, I look at this but I do not have a confidence.
Do we have a way of testing this? @MylesBorins you mentioned an "ABI roaster"?
I'm not sure. It is nice to have a tools to check it.
|
I found that I had missed to add |
|
re |
|
|
|
I agree it would be better to define HAVE_HIDDEN, but I think changing the visibility of symbols is unrelated to this PR to update the source, and since symbol visibility effects the API, it would be semver-major. Can I open a seperate PR for HAVE_HIDDEN? |
Sure, let's move it. |
|
HAVE_HIDDEN: #11082 |
|
#11082 has landed |
|
What's the status on this one? :-) |
This is a special LTS to fix a number of regressions that were found on the 6.10.x release line. This includes: * a fix for memory leak in the crypto module that was introduced in 6.10.1 * a fix for a regression introduced to the windows repl in 6.10.0 * a backported fix for V8 to stop a segfault that could occur when using spread syntax It also includes an upgrade to zlib 1.2.11 to fix a numberof low severity CVEs that were present in zlib 1.2.8. http://seclists.org/oss-sec/2016/q4/602 Notable changes * crypto: - fix memory leak if certificate is revoked (Tom Atkinson) #12089 * deps: - upgrade zlib to 1.2.11 (Sam Roberts) #10980 - backport V8 fixes for spread syntax regression causing segfaults (Michaël Zasso) #12037 * repl: - Revert commit that broke REPL display on Windows (Myles Borins) #12123
This is a maintenance release to fix a memory leak that was introduced in 4.8.1. It also includes an upgrade to zlib 1.2.11 to fix a number of low severity CVEs that were present in zlib 1.2.8. http://seclists.org/oss-sec/2016/q4/602 Notable changes: * crypto: - fix memory leak if certificate is revoked (Tom Atkinson) #12089 * deps: - upgrade zlib to 1.2.11 (Sam Roberts) #10980
This is a special LTS to fix a number of regressions that were found on the 6.10.x release line. This includes: * a fix for memory leak in the crypto module that was introduced in 6.10.1 * a fix for a regression introduced to the windows repl in 6.10.0 * a backported fix for V8 to stop a segfault that could occur when using spread syntax It also includes an upgrade to zlib 1.2.11 to fix a numberof low severity CVEs that were present in zlib 1.2.8. http://seclists.org/oss-sec/2016/q4/602 Notable changes * crypto: - fix memory leak if certificate is revoked (Tom Atkinson) #12089 * deps: - upgrade zlib to 1.2.11 (Sam Roberts) #10980 - backport V8 fixes for spread syntax regression causing segfaults (Michaël Zasso) #12037 * repl: - Revert commit that broke REPL display on Windows (Myles Borins) #12123
This is a special LTS to fix a number of regressions that were found on the 6.10.x release line. This includes: * a fix for memory leak in the crypto module that was introduced in 6.10.1 * a fix for a regression introduced to the windows repl in 6.10.0 * a backported fix for V8 to stop a segfault that could occur when using spread syntax It also includes an upgrade to zlib 1.2.11 to fix a numberof low severity CVEs that were present in zlib 1.2.8. http://seclists.org/oss-sec/2016/q4/602 Notable changes * crypto: - fix memory leak if certificate is revoked (Tom Atkinson) nodejs#12089 * deps: - upgrade zlib to 1.2.11 (Sam Roberts) nodejs#10980 - backport V8 fixes for spread syntax regression causing segfaults (Michaël Zasso) nodejs#12037 * repl: - Revert commit that broke REPL display on Windows (Myles Borins) nodejs#12123
This is a maintenance release to fix a memory leak that was introduced in 4.8.1. It also includes an upgrade to zlib 1.2.11 to fix a number of low severity CVEs that were present in zlib 1.2.8. http://seclists.org/oss-sec/2016/q4/602 Notable changes: * crypto: - fix memory leak if certificate is revoked (Tom Atkinson) nodejs#12089 * deps: - upgrade zlib to 1.2.11 (Sam Roberts) nodejs#10980
| #ifdef __50SERIES /* Prime/PRIMOS */ | ||
| # define OS_CODE 0x0f | ||
| #ifdef __APPLE__ | ||
| # define OS_CODE 19 |
There was a problem hiding this comment.
This might be the source of #12244. This would slightly change the gzip header that is produced by zlib.gzip() on macOS. From looking at the code it seems that macOS would have previously fallen through to the default of 0x03 (Unix).
There was a problem hiding this comment.
is this something we would want to float a patch for on LTS?
There was a problem hiding this comment.
I am on the fence. Its clearly an observable change, @flippmoke saw it, but its not clear that we are that committed to binary identicality of output encoding. Then again, it seems a low-risk change to float a patch on the LTS branches to make them absolutely identical in output. @flippmoke, do you have an opinion on this? Do you feel that your test suites were depending on unstable encoding details, or do you feel that this is a regression?
There was a problem hiding this comment.
@sam-github I would say we were surprised to see a in encoding change due to a patch release. However, I can understand how this is not a big deal for the vast majority of use cases for users. It is possibly confusing as well for OSX users that might use zlib elsewhere that they will not get the same binary results. However, I feel this is more an issue with zlib issuing this in a patch release rather then node doing this in a patch release.
Also just a note I am somewhat confused by the MAC OS header above it as well and when _ _ APPLE _ _applies compared to it. https://github.com/nodejs/node/pull/10980/files/dfa8abe1b500b86ffb3951736c209e57d83ed3ed#diff-a12b3cb4ae22eb7956dc70bda62773a3L121
There was a problem hiding this comment.
@flippmoke I believe that is a relic of the pre-xcode days when MetroWerks/CodeWarrior was the compiler of choice on Mac. Yay legacy!
This is a maintenance release to fix a memory leak that was
introduced in 4.8.1.
It also includes an upgrade to zlib 1.2.11 to fix a number of low
severity CVEs that were present in zlib 1.2.8.
http://seclists.org/oss-sec/2016/q4/602
Notable changes:
* crypto:
- fix memory leak if certificate is revoked (Tom Atkinson)
nodejs/node#12089
* deps:
- upgrade zlib to 1.2.11 (Sam Roberts)
nodejs/node#10980
Signed-off-by: Ilkka Myller <ilkka.myller@nodefield.com>
This is a special LTS to fix a number of regressions that were found
on the 6.10.x release line.
This includes:
* a fix for memory leak in the crypto module that
was introduced in 6.10.1
* a fix for a regression introduced to the windows repl in 6.10.0
* a backported fix for V8 to stop a segfault that could occur
when using spread syntax
It also includes an upgrade to zlib 1.2.11 to fix a numberof low
severity CVEs that were present in zlib 1.2.8.
http://seclists.org/oss-sec/2016/q4/602
Notable changes
* crypto:
- fix memory leak if certificate is revoked (Tom Atkinson)
nodejs/node#12089
* deps:
- upgrade zlib to 1.2.11 (Sam Roberts)
nodejs/node#10980
- backport V8 fixes for spread syntax regression causing segfaults
(Michaël Zasso) nodejs/node#12037
* repl:
- Revert commit that broke REPL display on Windows (Myles Borins)
nodejs/node#12123
Signed-off-by: Ilkka Myller <ilkka.myller@nodefield.com>
This is a maintenance release to fix a memory leak that was
introduced in 4.8.1.
It also includes an upgrade to zlib 1.2.11 to fix a number of low
severity CVEs that were present in zlib 1.2.8.
http://seclists.org/oss-sec/2016/q4/602
Notable changes:
* crypto:
- fix memory leak if certificate is revoked (Tom Atkinson)
nodejs/node#12089
* deps:
- upgrade zlib to 1.2.11 (Sam Roberts)
nodejs/node#10980
Signed-off-by: Ilkka Myller <ilkka.myller@nodefield.com>
This is a special LTS to fix a number of regressions that were found
on the 6.10.x release line.
This includes:
* a fix for memory leak in the crypto module that
was introduced in 6.10.1
* a fix for a regression introduced to the windows repl in 6.10.0
* a backported fix for V8 to stop a segfault that could occur
when using spread syntax
It also includes an upgrade to zlib 1.2.11 to fix a numberof low
severity CVEs that were present in zlib 1.2.8.
http://seclists.org/oss-sec/2016/q4/602
Notable changes
* crypto:
- fix memory leak if certificate is revoked (Tom Atkinson)
nodejs/node#12089
* deps:
- upgrade zlib to 1.2.11 (Sam Roberts)
nodejs/node#10980
- backport V8 fixes for spread syntax regression causing segfaults
(Michaël Zasso) nodejs/node#12037
* repl:
- Revert commit that broke REPL display on Windows (Myles Borins)
nodejs/node#12123
Signed-off-by: Ilkka Myller <ilkka.myller@nodefield.com>
|
Hi, i suspect regression. I have pako, zlib port to js, and it uses node's zlib to verify data. After 6.10.2 tests fails with deflate See https://travis-ci.org/nodeca/pako/jobs/255485506. To reproduce - clone paco's repo, and run tests in desired version of node. 6.10.1 works, all next - not. Can anyone comment? |
That's exactly what i do. I use pako & node's zlib with all possible options and check that results are binary equal https://github.com/nodeca/pako/blob/master/test/deflate.js Also note, that in my case it fails with
Sorry i've just disabled broken tests. If you enable those back, tests will fail in all nodes with zlib 1.2.11. I use Ubuntu 14.04lts About os type in header (pako writes "unix") - that make sense for gzip only, not for deflate. |
|
I'll run again just to verify, but if you think this is a bug, can you provide a standalone repro? But, if you are doing things like the following, you might want to consider whether it is a valid test: I don't think above is. There are usually multiple legal compressed forms, what the algorithms guarantee is: Again, I haven't read your test suite, so above is just a note about things that we've seen a few people have problems with in their test suites (not applications) after the zlib update. |
I do not know, is it a bug or not. But pako is not "yet another deflate implementation", it's a real port of zlib 1.2.8. And i suspect, zlib did not changed binary output (i don't count 1 byte of OS code in header). So, prior to dig deep, i asked, if anybody know about similar issues. I'll triage in 1-2 weeks and tell you result. |
|
@sam-github https://github.com/puzrin/node_zlib1211_l0 It seems, zlib really changed binary representation of deflate "stored" mode. That's very strange but i don't consider it as bug. |
|
@puzrin Thanks for looking into this. I don't regard it as a bug either. |
Update zlib.
Checklist
make -j4 test(UNIX), orvcbuild test(Windows) passesAffected core subsystem(s)
deps