Skip to content

Bound remaining hangable operations in test scripts#10900

Open
julek-wolfssl wants to merge 3 commits into
wolfSSL:masterfrom
julek-wolfssl:julek-dev/test-scripts-hang-fixes
Open

Bound remaining hangable operations in test scripts#10900
julek-wolfssl wants to merge 3 commits into
wolfSSL:masterfrom
julek-wolfssl:julek-dev/test-scripts-hang-fixes

Conversation

@julek-wolfssl

Copy link
Copy Markdown
Member

Summary

A test script that blocks forever burns the CI job's full timeout-minutes with no logs. e82ecdf and 5c5cbd3 bounded the waited-on servers; this covers the remaining hang classes in scripts/*.test:

  • Wrap foreground example client/server, openssl s_client, and openssl ocsp invocations in timeout -s KILL 2m. A client wedged before or without a live peer (e.g. blocked in first-seed entropy gathering, or DTLS with no reset from a dead peer) is not bounded by its peer's timeout.
  • Add the macOS timeout() fallback shim to scripts that now use timeout.
  • Bound the get_first_free_port scan loops (nc -w 1, 100-port cap).
  • Add -w 1 to the remaining nc probes and dtls.test UDP pcap markers.
  • ocsp-responder-openssl-interop.test: bound the responder reap in cleanup: give each responder 5 s to exit after SIGTERM, then SIGKILL before waiting, so a wedged responder cannot hang the EXIT trap.
  • benchmark.test: bound the clients but leave the -i servers unwrapped: the script ends them with kill -6, which timeout(1) does not forward, so wrapping would orphan the server.
  • trusted_peer/tls13: kill the server with SIGTERM instead of SIGKILL in cleanup so the signal forwards through the timeout wrapper to the wrapped server.

Test plan

  • Affected scripts/*.test pass locally
  • CI passes

Copilot AI review requested due to automatic review settings July 14, 2026 10:17
@julek-wolfssl julek-wolfssl self-assigned this Jul 14, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens scripts/*.test against indefinite hangs in CI by bounding long-running client/server/probe operations and tightening cleanup behavior, so a wedged subprocess doesn’t consume the job’s full timeout-minutes without producing logs.

Changes:

  • Wrap previously-unbounded foreground clients/servers and OpenSSL invocations with timeout -s KILL 2m, adding a macOS fallback timeout() shim where needed.
  • Bound “find a free port” scan loops (add nc -w 1, plus a 100-port scan cap) and add -w 1 to remaining nc probes/markers.
  • Improve cleanup to avoid hanging EXIT traps (notably for OCSP responder interop) and adjust server termination signals where timeout-wrapping is used.

Reviewed changes

Copilot reviewed 18 out of 18 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
scripts/trusted_peer.test Add timeout shim + wrap example server/client invocations; adjust cleanup signal to terminate the timeout wrapper cleanly.
scripts/tls13.test Wrap TLS 1.3 example server/client/probes with timeout; adjust cleanup signal to terminate wrapped server.
scripts/rsapss.test Add timeout shim; bound wolfSSL server and OpenSSL s_client runs.
scripts/psk.test Add timeout shim; bound client runs (including version probe).
scripts/openssl.test Add timeout shim; bound wolfSSL client and OpenSSL s_client/capability probes.
scripts/openssl_srtp.test Add timeout shim; bound DTLS/SRTP wolfSSL client.
scripts/ocsp.test Add timeout shim; bound external OCSP client connections.
scripts/ocsp-stapling2.test Cap free-port scanning and bound multiple shutdown clients with timeout.
scripts/ocsp-stapling.test Cap free-port scanning, add nc -w 1 readiness probe, and bound client invocations (incl. retry path).
scripts/ocsp-stapling-with-wolfssl-responder.test Cap free-port scanning and bound client shutdown/tests with timeout.
scripts/ocsp-stapling-with-ca-as-responder.test Add timeout shim; cap free-port scanning; bound client shutdown/tests with timeout.
scripts/ocsp-stapling_tls13multi.test Cap free-port scanning and bound client shutdown/tests with timeout.
scripts/ocsp-responder-openssl-interop.test Add timeout shim; cap free-port scanning; bound OpenSSL ocsp queries; harden responder cleanup.
scripts/google.test Add timeout shim; bound external client connection.
scripts/external.test Add timeout shim; bound external client connection.
scripts/dtlscid.test Bound DTLS CID client invocation with timeout.
scripts/dtls.test Add timeout shim; add nc -u -w 1 markers to avoid blocking probes.
scripts/benchmark.test Add timeout shim; bound benchmark client invocations (servers intentionally left unwrapped).

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread scripts/tls13.test Outdated
Comment thread scripts/ocsp-responder-openssl-interop.test

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 18 out of 18 changed files in this pull request and generated 2 comments.

Comment thread scripts/tls13.test Outdated
Comment thread scripts/psk.test Outdated

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 18 out of 18 changed files in this pull request and generated no new comments.

@julek-wolfssl julek-wolfssl marked this pull request as ready for review July 14, 2026 13:28
@github-actions

Copy link
Copy Markdown

retest this please

A test script that blocks forever burns the CI job's full
timeout-minutes with no logs. e82ecdf and 5c5cbd3 bounded the
waited-on servers; this covers the remaining hang classes in
scripts/*.test:

- Wrap foreground example client/server, openssl s_client, and
  openssl ocsp invocations in "timeout -s KILL 2m". A client wedged
  before or without a live peer (e.g. blocked in first-seed entropy
  gathering, or DTLS with no reset from a dead peer) is not bounded
  by its peer's timeout.
- Add the macOS timeout() fallback shim to scripts that now use
  timeout.
- Bound the get_first_free_port scan loops (nc -w 1, 100-port cap).
- Add -w 1 to the remaining nc probes and dtls.test UDP pcap markers.
- ocsp-responder-openssl-interop.test: bound the responder reap in
  cleanup: give each responder 5 s to exit after SIGTERM, then
  SIGKILL before waiting, so a wedged responder cannot hang the EXIT
  trap.
- benchmark.test: bound the clients but leave the -i servers
  unwrapped: the script ends them with kill -6, which timeout(1)
  does not forward, so wrapping would orphan the server.
- trusted_peer/tls13: kill the server with SIGTERM instead of
  SIGKILL in cleanup so the signal forwards through the timeout
  wrapper to the wrapped server.
- tls13.test: take the client's exit status from PIPESTATUS[0]; $? after
  the pipe was tee's status, hiding a client failure or 2m-timeout kill.
- ocsp-responder-openssl-interop.test: only escalate to SIGKILL if the
  responder is still running, and make the reap counter local.
The 'Bad SSL version' probes branch on grep's status, so a client
killed by the 2m timeout read as 'TLS v1.2 supported' and ran the
wrong branch. Take both statuses from PIPESTATUS and fail loudly on
a probe timeout.
@julek-wolfssl julek-wolfssl force-pushed the julek-dev/test-scripts-hang-fixes branch from c7714df to 08549c6 Compare July 16, 2026 12:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants