Merge branch 'jk/url-insteadof-config'
[gitweb.git] / run-command.c
index 84e4ce66e9d3da22be318813d75cbb3a94b614e4..9e36151bf97d36945ca3464e719687718ee6d1c7 100644 (file)
@@ -3,6 +3,8 @@
 #include "exec_cmd.h"
 #include "sigchain.h"
 #include "argv-array.h"
+#include "thread-utils.h"
+#include "strbuf.h"
 
 void child_process_init(struct child_process *child)
 {
@@ -19,6 +21,7 @@ void child_process_clear(struct child_process *child)
 
 struct child_to_clean {
        pid_t pid;
+       struct child_process *process;
        struct child_to_clean *next;
 };
 static struct child_to_clean *children_to_clean;
@@ -26,10 +29,41 @@ static int installed_child_cleanup_handler;
 
 static void cleanup_children(int sig, int in_signal)
 {
+       struct child_to_clean *children_to_wait_for = NULL;
+
        while (children_to_clean) {
                struct child_to_clean *p = children_to_clean;
                children_to_clean = p->next;
+
+               if (p->process && !in_signal) {
+                       struct child_process *process = p->process;
+                       if (process->clean_on_exit_handler) {
+                               trace_printf(
+                                       "trace: run_command: running exit handler for pid %"
+                                       PRIuMAX, (uintmax_t)p->pid
+                               );
+                               process->clean_on_exit_handler(process);
+                       }
+               }
+
                kill(p->pid, sig);
+
+               if (p->process && p->process->wait_after_clean) {
+                       p->next = children_to_wait_for;
+                       children_to_wait_for = p;
+               } else {
+                       if (!in_signal)
+                               free(p);
+               }
+       }
+
+       while (children_to_wait_for) {
+               struct child_to_clean *p = children_to_wait_for;
+               children_to_wait_for = p->next;
+
+               while (waitpid(p->pid, NULL, 0) < 0 && errno == EINTR)
+                       ; /* spin waiting for process exit or error */
+
                if (!in_signal)
                        free(p);
        }
@@ -47,10 +81,11 @@ static void cleanup_children_on_exit(void)
        cleanup_children(SIGTERM, 0);
 }
 
-static void mark_child_for_cleanup(pid_t pid)
+static void mark_child_for_cleanup(pid_t pid, struct child_process *process)
 {
        struct child_to_clean *p = xmalloc(sizeof(*p));
        p->pid = pid;
+       p->process = process;
        p->next = children_to_clean;
        children_to_clean = p;
 
@@ -82,18 +117,65 @@ static inline void close_pair(int fd[2])
        close(fd[1]);
 }
 
-#ifndef GIT_WINDOWS_NATIVE
-static inline void dup_devnull(int to)
+int is_executable(const char *name)
 {
-       int fd = open("/dev/null", O_RDWR);
-       if (fd < 0)
-               die_errno(_("open /dev/null failed"));
-       if (dup2(fd, to) < 0)
-               die_errno(_("dup2(%d,%d) failed"), fd, to);
-       close(fd);
+       struct stat st;
+
+       if (stat(name, &st) || /* stat, not lstat */
+           !S_ISREG(st.st_mode))
+               return 0;
+
+#if defined(GIT_WINDOWS_NATIVE)
+       /*
+        * On Windows there is no executable bit. The file extension
+        * indicates whether it can be run as an executable, and Git
+        * has special-handling to detect scripts and launch them
+        * through the indicated script interpreter. We test for the
+        * file extension first because virus scanners may make
+        * it quite expensive to open many files.
+        */
+       if (ends_with(name, ".exe"))
+               return S_IXUSR;
+
+{
+       /*
+        * Now that we know it does not have an executable extension,
+        * peek into the file instead.
+        */
+       char buf[3] = { 0 };
+       int n;
+       int fd = open(name, O_RDONLY);
+       st.st_mode &= ~S_IXUSR;
+       if (fd >= 0) {
+               n = read(fd, buf, 2);
+               if (n == 2)
+                       /* look for a she-bang */
+                       if (!strcmp(buf, "#!"))
+                               st.st_mode |= S_IXUSR;
+               close(fd);
+       }
 }
 #endif
+       return st.st_mode & S_IXUSR;
+}
 
+/*
+ * Search $PATH for a command.  This emulates the path search that
+ * execvp would perform, without actually executing the command so it
+ * can be used before fork() to prepare to run a command using
+ * execve() or after execvp() to diagnose why it failed.
+ *
+ * The caller should ensure that file contains no directory
+ * separators.
+ *
+ * Returns the path to the command, as found in $PATH or NULL if the
+ * command could not be found.  The caller inherits ownership of the memory
+ * used to store the resultant path.
+ *
+ * This should not be used on Windows, where the $PATH search rules
+ * are more complicated (e.g., a search for "foo" should find
+ * "foo.exe").
+ */
 static char *locate_in_PATH(const char *file)
 {
        const char *p = getenv("PATH");
@@ -114,7 +196,7 @@ static char *locate_in_PATH(const char *file)
                }
                strbuf_addstr(&buf, file);
 
-               if (!access(buf.buf, F_OK))
+               if (is_executable(buf.buf))
                        return strbuf_detach(&buf, NULL);
 
                if (!*end)
@@ -158,67 +240,275 @@ int sane_execvp(const char *file, char * const argv[])
        return -1;
 }
 
-static const char **prepare_shell_cmd(const char **argv)
+static const char **prepare_shell_cmd(struct argv_array *out, const char **argv)
 {
-       int argc, nargc = 0;
-       const char **nargv;
-
-       for (argc = 0; argv[argc]; argc++)
-               ; /* just counting */
-       /* +1 for NULL, +3 for "sh -c" plus extra $0 */
-       nargv = xmalloc(sizeof(*nargv) * (argc + 1 + 3));
-
-       if (argc < 1)
+       if (!argv[0])
                die("BUG: shell command is empty");
 
        if (strcspn(argv[0], "|&;<>()$`\\\"' \t\n*?[#~=%") != strlen(argv[0])) {
 #ifndef GIT_WINDOWS_NATIVE
-               nargv[nargc++] = SHELL_PATH;
+               argv_array_push(out, SHELL_PATH);
 #else
-               nargv[nargc++] = "sh";
+               argv_array_push(out, "sh");
 #endif
-               nargv[nargc++] = "-c";
-
-               if (argc < 2)
-                       nargv[nargc++] = argv[0];
-               else {
-                       struct strbuf arg0 = STRBUF_INIT;
-                       strbuf_addf(&arg0, "%s \"$@\"", argv[0]);
-                       nargv[nargc++] = strbuf_detach(&arg0, NULL);
-               }
-       }
+               argv_array_push(out, "-c");
 
-       for (argc = 0; argv[argc]; argc++)
-               nargv[nargc++] = argv[argc];
-       nargv[nargc] = NULL;
+               /*
+                * If we have no extra arguments, we do not even need to
+                * bother with the "$@" magic.
+                */
+               if (!argv[1])
+                       argv_array_push(out, argv[0]);
+               else
+                       argv_array_pushf(out, "%s \"$@\"", argv[0]);
+       }
 
-       return nargv;
+       argv_array_pushv(out, argv);
+       return out->argv;
 }
 
 #ifndef GIT_WINDOWS_NATIVE
-static int execv_shell_cmd(const char **argv)
+static int child_notifier = -1;
+
+enum child_errcode {
+       CHILD_ERR_CHDIR,
+       CHILD_ERR_DUP2,
+       CHILD_ERR_CLOSE,
+       CHILD_ERR_SIGPROCMASK,
+       CHILD_ERR_ENOENT,
+       CHILD_ERR_SILENT,
+       CHILD_ERR_ERRNO
+};
+
+struct child_err {
+       enum child_errcode err;
+       int syserr; /* errno */
+};
+
+static void child_die(enum child_errcode err)
 {
-       const char **nargv = prepare_shell_cmd(argv);
-       trace_argv_printf(nargv, "trace: exec:");
-       sane_execvp(nargv[0], (char **)nargv);
-       free(nargv);
-       return -1;
+       struct child_err buf;
+
+       buf.err = err;
+       buf.syserr = errno;
+
+       /* write(2) on buf smaller than PIPE_BUF (min 512) is atomic: */
+       xwrite(child_notifier, &buf, sizeof(buf));
+       _exit(1);
 }
-#endif
 
-#ifndef GIT_WINDOWS_NATIVE
-static int child_notifier = -1;
+static void child_dup2(int fd, int to)
+{
+       if (dup2(fd, to) < 0)
+               child_die(CHILD_ERR_DUP2);
+}
 
-static void notify_parent(void)
+static void child_close(int fd)
 {
+       if (close(fd))
+               child_die(CHILD_ERR_CLOSE);
+}
+
+static void child_close_pair(int fd[2])
+{
+       child_close(fd[0]);
+       child_close(fd[1]);
+}
+
+/*
+ * parent will make it look like the child spewed a fatal error and died
+ * this is needed to prevent changes to t0061.
+ */
+static void fake_fatal(const char *err, va_list params)
+{
+       vreportf("fatal: ", err, params);
+}
+
+static void child_error_fn(const char *err, va_list params)
+{
+       const char msg[] = "error() should not be called in child\n";
+       xwrite(2, msg, sizeof(msg) - 1);
+}
+
+static void child_warn_fn(const char *err, va_list params)
+{
+       const char msg[] = "warn() should not be called in child\n";
+       xwrite(2, msg, sizeof(msg) - 1);
+}
+
+static void NORETURN child_die_fn(const char *err, va_list params)
+{
+       const char msg[] = "die() should not be called in child\n";
+       xwrite(2, msg, sizeof(msg) - 1);
+       _exit(2);
+}
+
+/* this runs in the parent process */
+static void child_err_spew(struct child_process *cmd, struct child_err *cerr)
+{
+       static void (*old_errfn)(const char *err, va_list params);
+
+       old_errfn = get_error_routine();
+       set_error_routine(fake_fatal);
+       errno = cerr->syserr;
+
+       switch (cerr->err) {
+       case CHILD_ERR_CHDIR:
+               error_errno("exec '%s': cd to '%s' failed",
+                           cmd->argv[0], cmd->dir);
+               break;
+       case CHILD_ERR_DUP2:
+               error_errno("dup2() in child failed");
+               break;
+       case CHILD_ERR_CLOSE:
+               error_errno("close() in child failed");
+               break;
+       case CHILD_ERR_SIGPROCMASK:
+               error_errno("sigprocmask failed restoring signals");
+               break;
+       case CHILD_ERR_ENOENT:
+               error_errno("cannot run %s", cmd->argv[0]);
+               break;
+       case CHILD_ERR_SILENT:
+               break;
+       case CHILD_ERR_ERRNO:
+               error_errno("cannot exec '%s'", cmd->argv[0]);
+               break;
+       }
+       set_error_routine(old_errfn);
+}
+
+static void prepare_cmd(struct argv_array *out, const struct child_process *cmd)
+{
+       if (!cmd->argv[0])
+               die("BUG: command is empty");
+
        /*
-        * execvp failed.  If possible, we'd like to let start_command
-        * know, so failures like ENOENT can be handled right away; but
-        * otherwise, finish_command will still report the error.
+        * Add SHELL_PATH so in the event exec fails with ENOEXEC we can
+        * attempt to interpret the command with 'sh'.
         */
-       xwrite(child_notifier, "", 1);
+       argv_array_push(out, SHELL_PATH);
+
+       if (cmd->git_cmd) {
+               argv_array_push(out, "git");
+               argv_array_pushv(out, cmd->argv);
+       } else if (cmd->use_shell) {
+               prepare_shell_cmd(out, cmd->argv);
+       } else {
+               argv_array_pushv(out, cmd->argv);
+       }
+
+       /*
+        * If there are no '/' characters in the command then perform a path
+        * lookup and use the resolved path as the command to exec.  If there
+        * are no '/' characters or if the command wasn't found in the path,
+        * have exec attempt to invoke the command directly.
+        */
+       if (!strchr(out->argv[1], '/')) {
+               char *program = locate_in_PATH(out->argv[1]);
+               if (program) {
+                       free((char *)out->argv[1]);
+                       out->argv[1] = program;
+               }
+       }
 }
+
+static char **prep_childenv(const char *const *deltaenv)
+{
+       extern char **environ;
+       char **childenv;
+       struct string_list env = STRING_LIST_INIT_DUP;
+       struct strbuf key = STRBUF_INIT;
+       const char *const *p;
+       int i;
+
+       /* Construct a sorted string list consisting of the current environ */
+       for (p = (const char *const *) environ; p && *p; p++) {
+               const char *equals = strchr(*p, '=');
+
+               if (equals) {
+                       strbuf_reset(&key);
+                       strbuf_add(&key, *p, equals - *p);
+                       string_list_append(&env, key.buf)->util = (void *) *p;
+               } else {
+                       string_list_append(&env, *p)->util = (void *) *p;
+               }
+       }
+       string_list_sort(&env);
+
+       /* Merge in 'deltaenv' with the current environ */
+       for (p = deltaenv; p && *p; p++) {
+               const char *equals = strchr(*p, '=');
+
+               if (equals) {
+                       /* ('key=value'), insert or replace entry */
+                       strbuf_reset(&key);
+                       strbuf_add(&key, *p, equals - *p);
+                       string_list_insert(&env, key.buf)->util = (void *) *p;
+               } else {
+                       /* otherwise ('key') remove existing entry */
+                       string_list_remove(&env, *p, 0);
+               }
+       }
+
+       /* Create an array of 'char *' to be used as the childenv */
+       childenv = xmalloc((env.nr + 1) * sizeof(char *));
+       for (i = 0; i < env.nr; i++)
+               childenv[i] = env.items[i].util;
+       childenv[env.nr] = NULL;
+
+       string_list_clear(&env, 0);
+       strbuf_release(&key);
+       return childenv;
+}
+
+struct atfork_state {
+#ifndef NO_PTHREADS
+       int cs;
+#endif
+       sigset_t old;
+};
+
+#ifndef NO_PTHREADS
+static void bug_die(int err, const char *msg)
+{
+       if (err) {
+               errno = err;
+               die_errno("BUG: %s", msg);
+       }
+}
+#endif
+
+static void atfork_prepare(struct atfork_state *as)
+{
+       sigset_t all;
+
+       if (sigfillset(&all))
+               die_errno("sigfillset");
+#ifdef NO_PTHREADS
+       if (sigprocmask(SIG_SETMASK, &all, &as->old))
+               die_errno("sigprocmask");
+#else
+       bug_die(pthread_sigmask(SIG_SETMASK, &all, &as->old),
+               "blocking all signals");
+       bug_die(pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, &as->cs),
+               "disabling cancellation");
+#endif
+}
+
+static void atfork_parent(struct atfork_state *as)
+{
+#ifdef NO_PTHREADS
+       if (sigprocmask(SIG_SETMASK, &as->old, NULL))
+               die_errno("sigprocmask");
+#else
+       bug_die(pthread_setcancelstate(as->cs, NULL),
+               "re-enabling cancellation");
+       bug_die(pthread_sigmask(SIG_SETMASK, &as->old, NULL),
+               "restoring signal mask");
 #endif
+}
+#endif /* GIT_WINDOWS_NATIVE */
 
 static inline void set_cloexec(int fd)
 {
@@ -240,12 +530,12 @@ static int wait_or_whine(pid_t pid, const char *argv0, int in_signal)
 
        if (waiting < 0) {
                failed_errno = errno;
-               error("waitpid for %s failed: %s", argv0, strerror(errno));
+               error_errno("waitpid for %s failed", argv0);
        } else if (waiting != pid) {
                error("waitpid is confused (%s)", argv0);
        } else if (WIFSIGNALED(status)) {
                code = WTERMSIG(status);
-               if (code != SIGINT && code != SIGQUIT)
+               if (code != SIGINT && code != SIGQUIT && code != SIGPIPE)
                        error("%s died of signal %d", argv0, code);
                /*
                 * This return value is chosen so that code & 0xff
@@ -255,13 +545,6 @@ static int wait_or_whine(pid_t pid, const char *argv0, int in_signal)
                code += 128;
        } else if (WIFEXITED(status)) {
                code = WEXITSTATUS(status);
-               /*
-                * Convert special exit code when execvp failed.
-                */
-               if (code == 127) {
-                       code = -1;
-                       failed_errno = ENOENT;
-               }
        } else {
                error("waitpid is confused (%s)", argv0);
        }
@@ -346,115 +629,155 @@ int start_command(struct child_process *cmd)
 #ifndef GIT_WINDOWS_NATIVE
 {
        int notify_pipe[2];
+       int null_fd = -1;
+       char **childenv;
+       struct argv_array argv = ARGV_ARRAY_INIT;
+       struct child_err cerr;
+       struct atfork_state as;
+
        if (pipe(notify_pipe))
                notify_pipe[0] = notify_pipe[1] = -1;
 
+       if (cmd->no_stdin || cmd->no_stdout || cmd->no_stderr) {
+               null_fd = open("/dev/null", O_RDWR | O_CLOEXEC);
+               if (null_fd < 0)
+                       die_errno(_("open /dev/null failed"));
+               set_cloexec(null_fd);
+       }
+
+       prepare_cmd(&argv, cmd);
+       childenv = prep_childenv(cmd->env);
+       atfork_prepare(&as);
+
+       /*
+        * NOTE: In order to prevent deadlocking when using threads special
+        * care should be taken with the function calls made in between the
+        * fork() and exec() calls.  No calls should be made to functions which
+        * require acquiring a lock (e.g. malloc) as the lock could have been
+        * held by another thread at the time of forking, causing the lock to
+        * never be released in the child process.  This means only
+        * Async-Signal-Safe functions are permitted in the child.
+        */
        cmd->pid = fork();
        failed_errno = errno;
        if (!cmd->pid) {
+               int sig;
                /*
-                * Redirect the channel to write syscall error messages to
-                * before redirecting the process's stderr so that all die()
-                * in subsequent call paths use the parent's stderr.
+                * Ensure the default die/error/warn routines do not get
+                * called, they can take stdio locks and malloc.
                 */
-               if (cmd->no_stderr || need_err) {
-                       int child_err = dup(2);
-                       set_cloexec(child_err);
-                       set_error_handle(fdopen(child_err, "w"));
-               }
+               set_die_routine(child_die_fn);
+               set_error_routine(child_error_fn);
+               set_warn_routine(child_warn_fn);
 
                close(notify_pipe[0]);
                set_cloexec(notify_pipe[1]);
                child_notifier = notify_pipe[1];
-               atexit(notify_parent);
 
                if (cmd->no_stdin)
-                       dup_devnull(0);
+                       child_dup2(null_fd, 0);
                else if (need_in) {
-                       dup2(fdin[0], 0);
-                       close_pair(fdin);
+                       child_dup2(fdin[0], 0);
+                       child_close_pair(fdin);
                } else if (cmd->in) {
-                       dup2(cmd->in, 0);
-                       close(cmd->in);
+                       child_dup2(cmd->in, 0);
+                       child_close(cmd->in);
                }
 
                if (cmd->no_stderr)
-                       dup_devnull(2);
+                       child_dup2(null_fd, 2);
                else if (need_err) {
-                       dup2(fderr[1], 2);
-                       close_pair(fderr);
+                       child_dup2(fderr[1], 2);
+                       child_close_pair(fderr);
                } else if (cmd->err > 1) {
-                       dup2(cmd->err, 2);
-                       close(cmd->err);
+                       child_dup2(cmd->err, 2);
+                       child_close(cmd->err);
                }
 
                if (cmd->no_stdout)
-                       dup_devnull(1);
+                       child_dup2(null_fd, 1);
                else if (cmd->stdout_to_stderr)
-                       dup2(2, 1);
+                       child_dup2(2, 1);
                else if (need_out) {
-                       dup2(fdout[1], 1);
-                       close_pair(fdout);
+                       child_dup2(fdout[1], 1);
+                       child_close_pair(fdout);
                } else if (cmd->out > 1) {
-                       dup2(cmd->out, 1);
-                       close(cmd->out);
+                       child_dup2(cmd->out, 1);
+                       child_close(cmd->out);
                }
 
                if (cmd->dir && chdir(cmd->dir))
-                       die_errno("exec '%s': cd to '%s' failed", cmd->argv[0],
-                           cmd->dir);
-               if (cmd->env) {
-                       for (; *cmd->env; cmd->env++) {
-                               if (strchr(*cmd->env, '='))
-                                       putenv((char *)*cmd->env);
-                               else
-                                       unsetenv(*cmd->env);
-                       }
+                       child_die(CHILD_ERR_CHDIR);
+
+               /*
+                * restore default signal handlers here, in case
+                * we catch a signal right before execve below
+                */
+               for (sig = 1; sig < NSIG; sig++) {
+                       /* ignored signals get reset to SIG_DFL on execve */
+                       if (signal(sig, SIG_DFL) == SIG_IGN)
+                               signal(sig, SIG_IGN);
                }
-               if (cmd->git_cmd)
-                       execv_git_cmd(cmd->argv);
-               else if (cmd->use_shell)
-                       execv_shell_cmd(cmd->argv);
-               else
-                       sane_execvp(cmd->argv[0], (char *const*) cmd->argv);
+
+               if (sigprocmask(SIG_SETMASK, &as.old, NULL) != 0)
+                       child_die(CHILD_ERR_SIGPROCMASK);
+
+               /*
+                * Attempt to exec using the command and arguments starting at
+                * argv.argv[1].  argv.argv[0] contains SHELL_PATH which will
+                * be used in the event exec failed with ENOEXEC at which point
+                * we will try to interpret the command using 'sh'.
+                */
+               execve(argv.argv[1], (char *const *) argv.argv + 1,
+                      (char *const *) childenv);
+               if (errno == ENOEXEC)
+                       execve(argv.argv[0], (char *const *) argv.argv,
+                              (char *const *) childenv);
+
                if (errno == ENOENT) {
-                       if (!cmd->silent_exec_failure)
-                               error("cannot run %s: %s", cmd->argv[0],
-                                       strerror(ENOENT));
-                       exit(127);
+                       if (cmd->silent_exec_failure)
+                               child_die(CHILD_ERR_SILENT);
+                       child_die(CHILD_ERR_ENOENT);
                } else {
-                       die_errno("cannot exec '%s'", cmd->argv[0]);
+                       child_die(CHILD_ERR_ERRNO);
                }
        }
+       atfork_parent(&as);
        if (cmd->pid < 0)
-               error("cannot fork() for %s: %s", cmd->argv[0],
-                       strerror(errno));
+               error_errno("cannot fork() for %s", cmd->argv[0]);
        else if (cmd->clean_on_exit)
-               mark_child_for_cleanup(cmd->pid);
+               mark_child_for_cleanup(cmd->pid, cmd);
 
        /*
-        * Wait for child's execvp. If the execvp succeeds (or if fork()
+        * Wait for child's exec. If the exec succeeds (or if fork()
         * failed), EOF is seen immediately by the parent. Otherwise, the
-        * child process sends a single byte.
+        * child process sends a child_err struct.
         * Note that use of this infrastructure is completely advisory,
         * therefore, we keep error checks minimal.
         */
        close(notify_pipe[1]);
-       if (read(notify_pipe[0], &notify_pipe[1], 1) == 1) {
+       if (xread(notify_pipe[0], &cerr, sizeof(cerr)) == sizeof(cerr)) {
                /*
-                * At this point we know that fork() succeeded, but execvp()
+                * At this point we know that fork() succeeded, but exec()
                 * failed. Errors have been reported to our stderr.
                 */
                wait_or_whine(cmd->pid, cmd->argv[0], 0);
+               child_err_spew(cmd, &cerr);
                failed_errno = errno;
                cmd->pid = -1;
        }
        close(notify_pipe[0]);
+
+       if (null_fd >= 0)
+               close(null_fd);
+       argv_array_clear(&argv);
+       free(childenv);
 }
 #else
 {
        int fhin = 0, fhout = 1, fherr = 2;
        const char **sargv = cmd->argv;
+       struct argv_array nargv = ARGV_ARRAY_INIT;
 
        if (cmd->no_stdin)
                fhin = open("/dev/null", O_RDWR);
@@ -480,21 +803,19 @@ int start_command(struct child_process *cmd)
                fhout = dup(cmd->out);
 
        if (cmd->git_cmd)
-               cmd->argv = prepare_git_cmd(cmd->argv);
+               cmd->argv = prepare_git_cmd(&nargv, cmd->argv);
        else if (cmd->use_shell)
-               cmd->argv = prepare_shell_cmd(cmd->argv);
+               cmd->argv = prepare_shell_cmd(&nargv, cmd->argv);
 
        cmd->pid = mingw_spawnvpe(cmd->argv[0], cmd->argv, (char**) cmd->env,
                        cmd->dir, fhin, fhout, fherr);
        failed_errno = errno;
        if (cmd->pid < 0 && (!cmd->silent_exec_failure || errno != ENOENT))
-               error("cannot spawn %s: %s", cmd->argv[0], strerror(errno));
+               error_errno("cannot spawn %s", cmd->argv[0]);
        if (cmd->clean_on_exit && cmd->pid >= 0)
-               mark_child_for_cleanup(cmd->pid);
-
-       if (cmd->git_cmd)
-               free(cmd->argv);
+               mark_child_for_cleanup(cmd->pid, cmd);
 
+       argv_array_clear(&nargv);
        cmd->argv = sargv;
        if (fhin != 0)
                close(fhin);
@@ -598,6 +919,16 @@ static void *run_thread(void *data)
        struct async *async = data;
        intptr_t ret;
 
+       if (async->isolate_sigpipe) {
+               sigset_t mask;
+               sigemptyset(&mask);
+               sigaddset(&mask, SIGPIPE);
+               if (pthread_sigmask(SIG_BLOCK, &mask, NULL) < 0) {
+                       ret = error("unable to block SIGPIPE in async thread");
+                       return (void *)ret;
+               }
+       }
+
        pthread_setspecific(async_key, async);
        ret = async->proc(async->proc_in, async->proc_out, async->data);
        return (void *)ret;
@@ -607,7 +938,7 @@ static NORETURN void die_async(const char *err, va_list params)
 {
        vreportf("fatal: ", err, params);
 
-       if (!pthread_equal(main_thread, pthread_self())) {
+       if (in_async()) {
                struct async *async = pthread_getspecific(async_key);
                if (async->proc_in >= 0)
                        close(async->proc_in);
@@ -626,6 +957,18 @@ static int async_die_is_recursing(void)
        return ret != NULL;
 }
 
+int in_async(void)
+{
+       if (!main_thread_set)
+               return 0; /* no asyncs started yet */
+       return !pthread_equal(main_thread, pthread_self());
+}
+
+static void NORETURN async_exit(int code)
+{
+       pthread_exit((void *)(intptr_t)code);
+}
+
 #else
 
 static struct {
@@ -665,8 +1008,32 @@ int git_atexit(void (*handler)(void))
 }
 #define atexit git_atexit
 
+static int process_is_async;
+int in_async(void)
+{
+       return process_is_async;
+}
+
+static void NORETURN async_exit(int code)
+{
+       exit(code);
+}
+
 #endif
 
+void check_pipe(int err)
+{
+       if (err == EPIPE) {
+               if (in_async())
+                       async_exit(141);
+
+               signal(SIGPIPE, SIG_DFL);
+               raise(SIGPIPE);
+               /* Should never happen, but just in case... */
+               exit(141);
+       }
+}
+
 int start_async(struct async *async)
 {
        int need_in, need_out;
@@ -678,7 +1045,7 @@ int start_async(struct async *async)
                if (pipe(fdin) < 0) {
                        if (async->out > 0)
                                close(async->out);
-                       return error("cannot create pipe: %s", strerror(errno));
+                       return error_errno("cannot create pipe");
                }
                async->in = fdin[1];
        }
@@ -690,7 +1057,7 @@ int start_async(struct async *async)
                                close_pair(fdin);
                        else if (async->in)
                                close(async->in);
-                       return error("cannot create pipe: %s", strerror(errno));
+                       return error_errno("cannot create pipe");
                }
                async->out = fdout[0];
        }
@@ -715,7 +1082,7 @@ int start_async(struct async *async)
 
        async->pid = fork();
        if (async->pid < 0) {
-               error("fork (async) failed: %s", strerror(errno));
+               error_errno("fork (async) failed");
                goto error;
        }
        if (!async->pid) {
@@ -724,10 +1091,11 @@ int start_async(struct async *async)
                if (need_out)
                        close(fdout[0]);
                git_atexit_clear();
+               process_is_async = 1;
                exit(!!async->proc(proc_in, proc_out, async->data));
        }
 
-       mark_child_for_cleanup(async->pid);
+       mark_child_for_cleanup(async->pid, NULL);
 
        if (need_in)
                close(fdin[0]);
@@ -761,7 +1129,7 @@ int start_async(struct async *async)
        {
                int err = pthread_create(&async->tid, NULL, run_thread, async);
                if (err) {
-                       error("cannot create thread: %s", strerror(err));
+                       error_errno("cannot create thread");
                        goto error;
                }
        }
@@ -800,8 +1168,14 @@ const char *find_hook(const char *name)
 
        strbuf_reset(&path);
        strbuf_git_path(&path, "hooks/%s", name);
-       if (access(path.buf, X_OK) < 0)
+       if (access(path.buf, X_OK) < 0) {
+#ifdef STRIP_EXTENSION
+               strbuf_addstr(&path, STRIP_EXTENSION);
+               if (access(path.buf, X_OK) >= 0)
+                       return path.buf;
+#endif
                return NULL;
+       }
        return path.buf;
 }
 
@@ -836,18 +1210,475 @@ int run_hook_le(const char *const *env, const char *name, ...)
        return ret;
 }
 
-int capture_command(struct child_process *cmd, struct strbuf *buf, size_t hint)
+struct io_pump {
+       /* initialized by caller */
+       int fd;
+       int type; /* POLLOUT or POLLIN */
+       union {
+               struct {
+                       const char *buf;
+                       size_t len;
+               } out;
+               struct {
+                       struct strbuf *buf;
+                       size_t hint;
+               } in;
+       } u;
+
+       /* returned by pump_io */
+       int error; /* 0 for success, otherwise errno */
+
+       /* internal use */
+       struct pollfd *pfd;
+};
+
+static int pump_io_round(struct io_pump *slots, int nr, struct pollfd *pfd)
+{
+       int pollsize = 0;
+       int i;
+
+       for (i = 0; i < nr; i++) {
+               struct io_pump *io = &slots[i];
+               if (io->fd < 0)
+                       continue;
+               pfd[pollsize].fd = io->fd;
+               pfd[pollsize].events = io->type;
+               io->pfd = &pfd[pollsize++];
+       }
+
+       if (!pollsize)
+               return 0;
+
+       if (poll(pfd, pollsize, -1) < 0) {
+               if (errno == EINTR)
+                       return 1;
+               die_errno("poll failed");
+       }
+
+       for (i = 0; i < nr; i++) {
+               struct io_pump *io = &slots[i];
+
+               if (io->fd < 0)
+                       continue;
+
+               if (!(io->pfd->revents & (POLLOUT|POLLIN|POLLHUP|POLLERR|POLLNVAL)))
+                       continue;
+
+               if (io->type == POLLOUT) {
+                       ssize_t len = xwrite(io->fd,
+                                            io->u.out.buf, io->u.out.len);
+                       if (len < 0) {
+                               io->error = errno;
+                               close(io->fd);
+                               io->fd = -1;
+                       } else {
+                               io->u.out.buf += len;
+                               io->u.out.len -= len;
+                               if (!io->u.out.len) {
+                                       close(io->fd);
+                                       io->fd = -1;
+                               }
+                       }
+               }
+
+               if (io->type == POLLIN) {
+                       ssize_t len = strbuf_read_once(io->u.in.buf,
+                                                      io->fd, io->u.in.hint);
+                       if (len < 0)
+                               io->error = errno;
+                       if (len <= 0) {
+                               close(io->fd);
+                               io->fd = -1;
+                       }
+               }
+       }
+
+       return 1;
+}
+
+static int pump_io(struct io_pump *slots, int nr)
 {
-       cmd->out = -1;
+       struct pollfd *pfd;
+       int i;
+
+       for (i = 0; i < nr; i++)
+               slots[i].error = 0;
+
+       ALLOC_ARRAY(pfd, nr);
+       while (pump_io_round(slots, nr, pfd))
+               ; /* nothing */
+       free(pfd);
+
+       /* There may be multiple errno values, so just pick the first. */
+       for (i = 0; i < nr; i++) {
+               if (slots[i].error) {
+                       errno = slots[i].error;
+                       return -1;
+               }
+       }
+       return 0;
+}
+
+
+int pipe_command(struct child_process *cmd,
+                const char *in, size_t in_len,
+                struct strbuf *out, size_t out_hint,
+                struct strbuf *err, size_t err_hint)
+{
+       struct io_pump io[3];
+       int nr = 0;
+
+       if (in)
+               cmd->in = -1;
+       if (out)
+               cmd->out = -1;
+       if (err)
+               cmd->err = -1;
+
        if (start_command(cmd) < 0)
                return -1;
 
-       if (strbuf_read(buf, cmd->out, hint) < 0) {
-               close(cmd->out);
+       if (in) {
+               io[nr].fd = cmd->in;
+               io[nr].type = POLLOUT;
+               io[nr].u.out.buf = in;
+               io[nr].u.out.len = in_len;
+               nr++;
+       }
+       if (out) {
+               io[nr].fd = cmd->out;
+               io[nr].type = POLLIN;
+               io[nr].u.in.buf = out;
+               io[nr].u.in.hint = out_hint;
+               nr++;
+       }
+       if (err) {
+               io[nr].fd = cmd->err;
+               io[nr].type = POLLIN;
+               io[nr].u.in.buf = err;
+               io[nr].u.in.hint = err_hint;
+               nr++;
+       }
+
+       if (pump_io(io, nr) < 0) {
                finish_command(cmd); /* throw away exit code */
                return -1;
        }
 
-       close(cmd->out);
        return finish_command(cmd);
 }
+
+enum child_state {
+       GIT_CP_FREE,
+       GIT_CP_WORKING,
+       GIT_CP_WAIT_CLEANUP,
+};
+
+struct parallel_processes {
+       void *data;
+
+       int max_processes;
+       int nr_processes;
+
+       get_next_task_fn get_next_task;
+       start_failure_fn start_failure;
+       task_finished_fn task_finished;
+
+       struct {
+               enum child_state state;
+               struct child_process process;
+               struct strbuf err;
+               void *data;
+       } *children;
+       /*
+        * The struct pollfd is logically part of *children,
+        * but the system call expects it as its own array.
+        */
+       struct pollfd *pfd;
+
+       unsigned shutdown : 1;
+
+       int output_owner;
+       struct strbuf buffered_output; /* of finished children */
+};
+
+static int default_start_failure(struct strbuf *out,
+                                void *pp_cb,
+                                void *pp_task_cb)
+{
+       return 0;
+}
+
+static int default_task_finished(int result,
+                                struct strbuf *out,
+                                void *pp_cb,
+                                void *pp_task_cb)
+{
+       return 0;
+}
+
+static void kill_children(struct parallel_processes *pp, int signo)
+{
+       int i, n = pp->max_processes;
+
+       for (i = 0; i < n; i++)
+               if (pp->children[i].state == GIT_CP_WORKING)
+                       kill(pp->children[i].process.pid, signo);
+}
+
+static struct parallel_processes *pp_for_signal;
+
+static void handle_children_on_signal(int signo)
+{
+       kill_children(pp_for_signal, signo);
+       sigchain_pop(signo);
+       raise(signo);
+}
+
+static void pp_init(struct parallel_processes *pp,
+                   int n,
+                   get_next_task_fn get_next_task,
+                   start_failure_fn start_failure,
+                   task_finished_fn task_finished,
+                   void *data)
+{
+       int i;
+
+       if (n < 1)
+               n = online_cpus();
+
+       pp->max_processes = n;
+
+       trace_printf("run_processes_parallel: preparing to run up to %d tasks", n);
+
+       pp->data = data;
+       if (!get_next_task)
+               die("BUG: you need to specify a get_next_task function");
+       pp->get_next_task = get_next_task;
+
+       pp->start_failure = start_failure ? start_failure : default_start_failure;
+       pp->task_finished = task_finished ? task_finished : default_task_finished;
+
+       pp->nr_processes = 0;
+       pp->output_owner = 0;
+       pp->shutdown = 0;
+       pp->children = xcalloc(n, sizeof(*pp->children));
+       pp->pfd = xcalloc(n, sizeof(*pp->pfd));
+       strbuf_init(&pp->buffered_output, 0);
+
+       for (i = 0; i < n; i++) {
+               strbuf_init(&pp->children[i].err, 0);
+               child_process_init(&pp->children[i].process);
+               pp->pfd[i].events = POLLIN | POLLHUP;
+               pp->pfd[i].fd = -1;
+       }
+
+       pp_for_signal = pp;
+       sigchain_push_common(handle_children_on_signal);
+}
+
+static void pp_cleanup(struct parallel_processes *pp)
+{
+       int i;
+
+       trace_printf("run_processes_parallel: done");
+       for (i = 0; i < pp->max_processes; i++) {
+               strbuf_release(&pp->children[i].err);
+               child_process_clear(&pp->children[i].process);
+       }
+
+       free(pp->children);
+       free(pp->pfd);
+
+       /*
+        * When get_next_task added messages to the buffer in its last
+        * iteration, the buffered output is non empty.
+        */
+       strbuf_write(&pp->buffered_output, stderr);
+       strbuf_release(&pp->buffered_output);
+
+       sigchain_pop_common();
+}
+
+/* returns
+ *  0 if a new task was started.
+ *  1 if no new jobs was started (get_next_task ran out of work, non critical
+ *    problem with starting a new command)
+ * <0 no new job was started, user wishes to shutdown early. Use negative code
+ *    to signal the children.
+ */
+static int pp_start_one(struct parallel_processes *pp)
+{
+       int i, code;
+
+       for (i = 0; i < pp->max_processes; i++)
+               if (pp->children[i].state == GIT_CP_FREE)
+                       break;
+       if (i == pp->max_processes)
+               die("BUG: bookkeeping is hard");
+
+       code = pp->get_next_task(&pp->children[i].process,
+                                &pp->children[i].err,
+                                pp->data,
+                                &pp->children[i].data);
+       if (!code) {
+               strbuf_addbuf(&pp->buffered_output, &pp->children[i].err);
+               strbuf_reset(&pp->children[i].err);
+               return 1;
+       }
+       pp->children[i].process.err = -1;
+       pp->children[i].process.stdout_to_stderr = 1;
+       pp->children[i].process.no_stdin = 1;
+
+       if (start_command(&pp->children[i].process)) {
+               code = pp->start_failure(&pp->children[i].err,
+                                        pp->data,
+                                        &pp->children[i].data);
+               strbuf_addbuf(&pp->buffered_output, &pp->children[i].err);
+               strbuf_reset(&pp->children[i].err);
+               if (code)
+                       pp->shutdown = 1;
+               return code;
+       }
+
+       pp->nr_processes++;
+       pp->children[i].state = GIT_CP_WORKING;
+       pp->pfd[i].fd = pp->children[i].process.err;
+       return 0;
+}
+
+static void pp_buffer_stderr(struct parallel_processes *pp, int output_timeout)
+{
+       int i;
+
+       while ((i = poll(pp->pfd, pp->max_processes, output_timeout)) < 0) {
+               if (errno == EINTR)
+                       continue;
+               pp_cleanup(pp);
+               die_errno("poll");
+       }
+
+       /* Buffer output from all pipes. */
+       for (i = 0; i < pp->max_processes; i++) {
+               if (pp->children[i].state == GIT_CP_WORKING &&
+                   pp->pfd[i].revents & (POLLIN | POLLHUP)) {
+                       int n = strbuf_read_once(&pp->children[i].err,
+                                                pp->children[i].process.err, 0);
+                       if (n == 0) {
+                               close(pp->children[i].process.err);
+                               pp->children[i].state = GIT_CP_WAIT_CLEANUP;
+                       } else if (n < 0)
+                               if (errno != EAGAIN)
+                                       die_errno("read");
+               }
+       }
+}
+
+static void pp_output(struct parallel_processes *pp)
+{
+       int i = pp->output_owner;
+       if (pp->children[i].state == GIT_CP_WORKING &&
+           pp->children[i].err.len) {
+               strbuf_write(&pp->children[i].err, stderr);
+               strbuf_reset(&pp->children[i].err);
+       }
+}
+
+static int pp_collect_finished(struct parallel_processes *pp)
+{
+       int i, code;
+       int n = pp->max_processes;
+       int result = 0;
+
+       while (pp->nr_processes > 0) {
+               for (i = 0; i < pp->max_processes; i++)
+                       if (pp->children[i].state == GIT_CP_WAIT_CLEANUP)
+                               break;
+               if (i == pp->max_processes)
+                       break;
+
+               code = finish_command(&pp->children[i].process);
+
+               code = pp->task_finished(code,
+                                        &pp->children[i].err, pp->data,
+                                        &pp->children[i].data);
+
+               if (code)
+                       result = code;
+               if (code < 0)
+                       break;
+
+               pp->nr_processes--;
+               pp->children[i].state = GIT_CP_FREE;
+               pp->pfd[i].fd = -1;
+               child_process_init(&pp->children[i].process);
+
+               if (i != pp->output_owner) {
+                       strbuf_addbuf(&pp->buffered_output, &pp->children[i].err);
+                       strbuf_reset(&pp->children[i].err);
+               } else {
+                       strbuf_write(&pp->children[i].err, stderr);
+                       strbuf_reset(&pp->children[i].err);
+
+                       /* Output all other finished child processes */
+                       strbuf_write(&pp->buffered_output, stderr);
+                       strbuf_reset(&pp->buffered_output);
+
+                       /*
+                        * Pick next process to output live.
+                        * NEEDSWORK:
+                        * For now we pick it randomly by doing a round
+                        * robin. Later we may want to pick the one with
+                        * the most output or the longest or shortest
+                        * running process time.
+                        */
+                       for (i = 0; i < n; i++)
+                               if (pp->children[(pp->output_owner + i) % n].state == GIT_CP_WORKING)
+                                       break;
+                       pp->output_owner = (pp->output_owner + i) % n;
+               }
+       }
+       return result;
+}
+
+int run_processes_parallel(int n,
+                          get_next_task_fn get_next_task,
+                          start_failure_fn start_failure,
+                          task_finished_fn task_finished,
+                          void *pp_cb)
+{
+       int i, code;
+       int output_timeout = 100;
+       int spawn_cap = 4;
+       struct parallel_processes pp;
+
+       pp_init(&pp, n, get_next_task, start_failure, task_finished, pp_cb);
+       while (1) {
+               for (i = 0;
+                   i < spawn_cap && !pp.shutdown &&
+                   pp.nr_processes < pp.max_processes;
+                   i++) {
+                       code = pp_start_one(&pp);
+                       if (!code)
+                               continue;
+                       if (code < 0) {
+                               pp.shutdown = 1;
+                               kill_children(&pp, -code);
+                       }
+                       break;
+               }
+               if (!pp.nr_processes)
+                       break;
+               pp_buffer_stderr(&pp, output_timeout);
+               pp_output(&pp);
+               code = pp_collect_finished(&pp);
+               if (code) {
+                       pp.shutdown = 1;
+                       if (code < 0)
+                               kill_children(&pp, -code);
+               }
+       }
+
+       pp_cleanup(&pp);
+       return 0;
+}