gitweb.git
ref_transaction_commit: bail out on failure to remove... Jonathan Nieder Fri, 29 Aug 2014 00:01:35 +0000 (17:01 -0700)

ref_transaction_commit: bail out on failure to remove a ref

When removal of a loose or packed ref fails, bail out instead of
trying to finish the transaction. This way, a single error message
can be printed (instead of multiple messages being concatenated by
mistake) and the operator can try to solve the underlying problem
before there is a chance to muck things up even more.

In particular, when git fails to remove a ref, git goes on to try to
delete the reflog. Exiting early lets us keep the reflog.

When git succeeds in deleting a ref A and fails to remove a ref B, it
goes on to try to delete both reflogs. It would be better to just
remove the reflog for A, but that would be a more invasive change.
Failing early means we keep both reflogs, which puts the operator in a
good position to understand the problem and recover.

A long term goal is to avoid these problems altogether and roll back
the transaction on failure. That kind of transactionality will have
to wait for a later series (the plan for which is to make all
destructive work happen in a single update of the packed-refs file).

Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
Reviewed-by: Ronnie Sahlberg <sahlberg@google.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

lockfile: remove unable_to_lock_error Jonathan Nieder Thu, 28 Aug 2014 23:41:34 +0000 (16:41 -0700)

lockfile: remove unable_to_lock_error

The former caller uses unable_to_lock_message now.

Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
Reviewed-by: Ronnie Sahlberg <sahlberg@google.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

refs.c: do not permit err == NULL Jonathan Nieder Thu, 28 Aug 2014 23:42:37 +0000 (16:42 -0700)

refs.c: do not permit err == NULL

Some functions that take a strbuf argument to append an error treat
!err as an indication that the message should be suppressed (e.g.,
ref_update_reject_duplicates). Others write the message to stderr on
!err (e.g., repack_without_refs). Others crash (e.g.,
ref_transaction_update).

Some of these behaviors are for historical reasons and others were
accidents. Luckily no callers pass err == NULL any more. Simplify
by consistently requiring the strbuf argument.

Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
Reviewed-by: Ronnie Sahlberg <sahlberg@google.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

remote rm/prune: print a message when writing packed... Ronnie Sahlberg Thu, 11 Sep 2014 15:42:57 +0000 (08:42 -0700)

remote rm/prune: print a message when writing packed-refs fails

Until v2.1.0-rc0~22^2~11 (refs.c: add an err argument to
repack_without_refs, 2014-06-20), repack_without_refs forgot to
provide an error message when commit_packed_refs fails. Even today,
it only provides a message for callers that pass a non-NULL err
parameter. Internal callers in refs.c pass non-NULL err but
"git remote" does not.

That means that "git remote rm" and "git remote prune" can fail
without printing a message about why. Fix them by passing in a
non-NULL err parameter and printing the returned message.

This is the last caller to a ref handling function passing err ==
NULL. A later patch can drop support for err == NULL, avoiding such
problems in the future.

Signed-off-by: Ronnie Sahlberg <sahlberg@google.com>
Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
Reviewed-by: Michael Haggerty <mhagger@alum.mit.edu>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

for-each-ref: skip and warn about broken ref names Ronnie Sahlberg Fri, 5 Sep 2014 21:35:17 +0000 (14:35 -0700)

for-each-ref: skip and warn about broken ref names

Print a warning message for any bad ref names we find in the repo and
skip them so callers don't have to deal with parsing them.

It might be useful in the future to have a flag where we would not
skip these refs for those callers that want to and are prepared (for
example by using a --format argument with %0 as a delimiter after the
ref name).

Signed-off-by: Ronnie Sahlberg <sahlberg@google.com>
Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

refs.c: allow listing and deleting badly named refs Ronnie Sahlberg Wed, 3 Sep 2014 18:45:43 +0000 (11:45 -0700)

refs.c: allow listing and deleting badly named refs

We currently do not handle badly named refs well:

    $ cp .git/refs/heads/master .git/refs/heads/master.....@\*@\\.
    $ git branch
    fatal: Reference has invalid format: 'refs/heads/master.....@*@\.'
    $ git branch -D master.....@\*@\\.
    error: branch 'master.....@*@\.' not found.

Users cannot recover from a badly named ref without manually finding
and deleting the loose ref file or appropriate line in packed-refs.
Making that easier will make it easier to tweak the ref naming rules
in the future, for example to forbid shell metacharacters like '`'
and '"', without putting people in a state that is hard to get out of.

So allow "branch --list" to show these refs and allow "branch -d/-D"
and "update-ref -d" to delete them. Other commands (for example to
rename refs) will continue to not handle these refs but can be changed
in later patches.

Details:

In resolving functions, refuse to resolve refs that don't pass the
git-check-ref-format(1) check unless the new RESOLVE_REF_ALLOW_BAD_NAME
flag is passed. Even with RESOLVE_REF_ALLOW_BAD_NAME, refuse to
resolve refs that escape the refs/ directory and do not match the
pattern [A-Z_]* (think "HEAD" and "MERGE_HEAD").

In locking functions, refuse to act on badly named refs unless they
are being deleted and either are in the refs/ directory or match [A-Z_]*.

Just like other invalid refs, flag resolved, badly named refs with the
REF_ISBROKEN flag, treat them as resolving to null_sha1, and skip them
in all iteration functions except for for_each_rawref.

Flag badly named refs (but not symrefs pointing to badly named refs)
with a REF_BAD_NAME flag to make it easier for future callers to
notice and handle them specially. For example, in a later patch
for-each-ref will use this flag to detect refs whose names can confuse
callers parsing for-each-ref output.

In the transaction API, refuse to create or update badly named refs,
but allow deleting them (unless they try to escape refs/ and don't match
[A-Z_]*).

Signed-off-by: Ronnie Sahlberg <sahlberg@google.com>
Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
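
The policy the commit message above describes, modelled as an added example (this is not git's refs.c code): a badly named ref may be resolved only with an explicit opt-in and may only be deleted, never created or updated, and neither is permitted when the name escapes refs/ without matching [A-Z_]*. The function names, the `ref_op` enum and the reduced format check are assumptions made for this sketch.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical operation kinds for this model; not git's transaction API. */
enum ref_op { OP_CREATE, OP_UPDATE, OP_DELETE };

/*
 * Simplified subset of the git-check-ref-format(1) rules: no empty or
 * dot-leading component, no "..", no "@{", no control character, space
 * or any of ~ ^ : ? * [ \, no component ending in ".lock", and no
 * trailing '.' or '/'.
 */
static int name_is_well_formed(const char *name)
{
	size_t len = strlen(name);
	const char *p = name;

	if (!len || name[len - 1] == '.' || name[len - 1] == '/' ||
	    strstr(name, "..") || strstr(name, "@{"))
		return 0;
	while (*p) {
		size_t n = strcspn(p, "/");	/* length of this component */
		size_t i;

		if (!n || p[0] == '.')
			return 0;
		if (n >= 5 && !strncmp(p + n - 5, ".lock", 5))
			return 0;
		for (i = 0; i < n; i++)
			if ((unsigned char)p[i] < 0x20 || p[i] == 0x7f ||
			    strchr(" ~^:?*[\\", p[i]))
				return 0;
		p += n;
		if (*p == '/')
			p++;
	}
	return 1;
}

/*
 * "Safe" means: under refs/ with ".." components that never climb back
 * above refs/, or made up only of [A-Z_] (think HEAD and MERGE_HEAD).
 * Rejecting the empty name is an assumption added for this sketch.
 */
static int name_is_safe(const char *name)
{
	if (!strncmp(name, "refs/", 5)) {
		const char *p = name + 5;
		int depth = 0;

		while (*p) {
			size_t n = strcspn(p, "/");

			if (n == 2 && p[0] == '.' && p[1] == '.') {
				if (--depth < 0)
					return 0;	/* climbed above refs/ */
			} else if (n && !(n == 1 && p[0] == '.')) {
				depth++;
			}
			p += n;
			if (*p == '/')
				p++;
		}
		return 1;
	}
	if (!*name)
		return 0;
	for (; *name; name++)
		if (!((*name >= 'A' && *name <= 'Z') || *name == '_'))
			return 0;
	return 1;
}

/* Resolving: bad names need the opt-in flag and must still be safe. */
static int resolve_allowed(const char *name, int allow_bad_name)
{
	if (name_is_well_formed(name))
		return 1;
	return allow_bad_name && name_is_safe(name);
}

/* Transactions: bad names can only be deleted, and only when safe. */
static int transaction_allowed(const char *name, enum ref_op op)
{
	if (name_is_well_formed(name))
		return 1;
	return op == OP_DELETE && name_is_safe(name);
}

int main(void)
{
	/* Constructed samples; the second is the name from the commit message. */
	static const char *names[] = {
		"refs/heads/master",
		"refs/heads/master.....@*@\\.",
		"refs/heads/../../../outside",
		"MERGE_HEAD",
	};
	size_t i;

	for (i = 0; i < sizeof(names) / sizeof(names[0]); i++)
		printf("%-30s resolve=%d resolve(allow_bad)=%d update=%d delete=%d\n",
		       names[i], resolve_allowed(names[i], 0),
		       resolve_allowed(names[i], 1),
		       transaction_allowed(names[i], OP_UPDATE),
		       transaction_allowed(names[i], OP_DELETE));
	return 0;
}
```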

test: put tests for handling of bad ref names in one... Ronnie Sahlberg Thu, 25 Sep 2014 22:02:39 +0000 (15:02 -0700)

test: put tests for handling of bad ref names in one place

There's no straightforward way to grep for all tests dealing with
invalid refs. Put them in a single test script so it is easy to see
what functionality has not been exercised with bad ref names yet.

Signed-off-by: Ronnie Sahlberg <sahlberg@google.com>
Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

packed-ref cache: forbid dot-components in refnames Jonathan Nieder Fri, 26 Sep 2014 19:22:22 +0000 (12:22 -0700)

packed-ref cache: forbid dot-components in refnames

Since v1.7.9-rc1~10^2 (write_head_info(): handle "extra refs" locally,
2012-01-06), this trick to keep track of ".have" refs that are only
valid on the wire and not on the filesystem is not needed any more.

Simplify by removing support for the REFNAME_DOT_COMPONENT flag.

This means we'll be slightly stricter with invalid refs found in a
packed-refs file or during clone. read_loose_refs() already checks
for and skips refnames with .components so it is not affected.

Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
Reviewed-by: Ronnie Sahlberg <sahlberg@google.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

branch -d: simplify by using RESOLVE_REF_READING Ronnie Sahlberg Thu, 11 Sep 2014 17:34:36 +0000 (10:34 -0700)

branch -d: simplify by using RESOLVE_REF_READING

When "git branch -d" reads the branch it is about to delete, it used
to avoid passing the RESOLVE_REF_READING ('treat missing ref as
error') flag because a symref pointing to a nonexistent ref would show
up as missing instead of as something that could be deleted. To check
if a ref is actually missing, we then check

- is it a symref?
- if not, did it resolve to null_sha1?

Now we pass RESOLVE_REF_NO_RECURSE and the correct information is
returned for a symref even when it points to a missing ref. Simplify
by relying on RESOLVE_REF_READING.

No functional change intended.

Signed-off-by: Ronnie Sahlberg <sahlberg@google.com>
Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

branch -d: avoid repeated symref resolution Jonathan Nieder Thu, 11 Sep 2014 01:22:48 +0000 (18:22 -0700)

branch -d: avoid repeated symref resolution

If a repository gets in a broken state with too much symref nesting,
it cannot be repaired with "git branch -d":

    $ git symbolic-ref refs/heads/nonsense refs/heads/nonsense
    $ git branch -d nonsense
    error: branch 'nonsense' not found.

Worse, "git update-ref --no-deref -d" doesn't work for such repairs
either:

    $ git update-ref -d refs/heads/nonsense
    error: unable to resolve reference refs/heads/nonsense: Too many levels of symbolic links

Fix both by teaching resolve_ref_unsafe a new RESOLVE_REF_NO_RECURSE
flag and passing it when appropriate.

Callers can still read the value of a symref (for example to print a
message about it) with that flag set --- resolve_ref_unsafe will
resolve one level of symrefs and stop there.

Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
Reviewed-by: Ronnie Sahlberg <sahlberg@google.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

reflog test: test interaction with detached HEAD Junio C Hamano Sat, 13 Sep 2014 17:52:25 +0000 (10:52 -0700)

reflog test: test interaction with detached HEAD

A proposed patch produced broken HEAD reflog entries when checking out
anything other than a branch. The testsuite still passed, so it took
a few days for the bug to be noticed.

Add tests checking the content of the reflog after detaching and
reattaching HEAD so we don't have to rely on manual testing to catch
such problems in the future.

[jn: using 'log -g --format=%H' instead of parsing --oneline output,
resetting state in each test so they can be safely reordered or
skipped]

Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
Reviewed-by: Ronnie Sahlberg <sahlberg@google.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

refs.c: change resolve_ref_unsafe reading argument... Ronnie Sahlberg Tue, 15 Jul 2014 19:59:36 +0000 (12:59 -0700)

refs.c: change resolve_ref_unsafe reading argument to be a flags field

resolve_ref_unsafe takes a boolean argument for reading (a nonexistent ref
resolves successfully for writing but not for reading). Change this to be
a flags field instead, and pass the new constant RESOLVE_REF_READING when
we want this behaviour.

While at it, swap two of the arguments in the function to put output
arguments at the end. As a nice side effect, this ensures that we can
catch callers that were unaware of the new API so they can be audited.

Give the wrapper functions resolve_refdup and read_ref_full the same
treatment for consistency.

Signed-off-by: Ronnie Sahlberg <sahlberg@google.com>
Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

refs.c: make write_ref_sha1 static Ronnie Sahlberg Mon, 28 Apr 2014 22:36:58 +0000 (15:36 -0700)

refs.c: make write_ref_sha1 static

No external users call write_ref_sha1 any more so let's declare it static.

Signed-off-by: Ronnie Sahlberg <sahlberg@google.com>
Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

fetch.c: change s_update_ref to use a ref transaction Ronnie Sahlberg Mon, 28 Apr 2014 20:49:07 +0000 (13:49 -0700)

fetch.c: change s_update_ref to use a ref transaction

Change s_update_ref to use a ref transaction for the ref update.

Signed-off-by: Ronnie Sahlberg <sahlberg@google.com>
Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

refs.c: ref_transaction_commit: distinguish name confli... Ronnie Sahlberg Fri, 16 May 2014 21:14:38 +0000 (14:14 -0700)

refs.c: ref_transaction_commit: distinguish name conflicts from other errors

In _commit, ENOTDIR can happen in the call to lock_ref_sha1_basic, either
when we lstat the new refname or if the name checking function reports that
the same type of conflict happened. In both cases, it means that we can not
create the new ref due to a name conflict.

Start defining specific return codes for _commit. TRANSACTION_NAME_CONFLICT
refers to a failure to create a ref due to a name conflict with another ref.
TRANSACTION_GENERIC_ERROR is for all other errors.

When "git fetch" is creating refs, name conflicts differ from other errors in
that they are likely to be resolved by running "git remote prune <remote>".
"git fetch" currently inspects errno to decide whether to give that advice.
Once it switches to the transaction API, it can check for
TRANSACTION_NAME_CONFLICT instead.

Signed-off-by: Ronnie Sahlberg <sahlberg@google.com>
Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

refs.c: pass a list of names to skip to is_refname_avai... Ronnie Sahlberg Thu, 1 May 2014 18:16:07 +0000 (11:16 -0700)

refs.c: pass a list of names to skip to is_refname_available

Change is_refname_available to take a list of strings to exclude when
checking for conflicts instead of just one single name. We can already
exclude a single name for the sake of renames. This generalizes that support.

ref_transaction_commit already tracks a set of refs that are being deleted
in an array. This array is then used to exclude refs from being written to
the packed-refs file. At some stage we will want to change this array to a
struct string_list and then we can pass it to is_refname_available via the
call to lock_ref_sha1_basic. That will allow us to perform transactions
that perform multiple renames as long as there are no conflicts within the
starting or ending state.

For example, that would allow a single transaction that contains two
renames that are both individually conflicting:

    m -> n/n
    n -> m/m

No functional change intended yet.

Signed-off-by: Ronnie Sahlberg <sahlberg@google.com>
Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

refs.c: call lock_ref_sha1_basic directly from commit Ronnie Sahlberg Thu, 1 May 2014 17:43:39 +0000 (10:43 -0700)

refs.c: call lock_ref_sha1_basic directly from commit

Skip using the lock_any_ref_for_update wrapper and call lock_ref_sha1_basic
directly from the commit function.

Signed-off-by: Ronnie Sahlberg <sahlberg@google.com>
Reviewed-by: Michael Haggerty <mhagger@alum.mit.edu>
Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

refs.c: refuse to lock badly named refs in lock_ref_sha... Ronnie Sahlberg Thu, 1 May 2014 17:40:10 +0000 (10:40 -0700)

refs.c: refuse to lock badly named refs in lock_ref_sha1_basic

Move the check for check_refname_format from lock_any_ref_for_update to
lock_ref_sha1_basic. At some later stage we will get rid of
lock_any_ref_for_update completely. This has no visible impact to callers
except for the inability to lock badly named refs, which is not possible
today already for other reasons.(*)

Keep lock_any_ref_for_update as a no-op wrapper. It is the public facing
version of this interface and keeping it as a separate function will make
it easier to experiment with the internal lock_ref_sha1_basic signature.

(*) For example, if lock_ref_sha1_basic checks the refname format and
refuses to lock badly named refs, it will not be possible to delete
such refs because the first step of deletion is to lock the ref. We
currently already fail in that case because these refs are not recognized
to exist:

    $ cp .git/refs/heads/master .git/refs/heads/echo...\*\*
    $ git branch -D .git/refs/heads/echo...\*\*
    error: branch '.git/refs/heads/echo...**' not found.

This has been broken for a while. Later patches in the series will start
repairing the handling of badly named refs.

Signed-off-by: Ronnie Sahlberg <sahlberg@google.com>
Reviewed-by: Michael Haggerty <mhagger@alum.mit.edu>
Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

rename_ref: don't ask read_ref_full where the ref came... Ronnie Sahlberg Wed, 30 Apr 2014 19:41:04 +0000 (12:41 -0700)

rename_ref: don't ask read_ref_full where the ref came from

We call read_ref_full with a pointer to flags from rename_ref but since
we never actually use the returned flags we can just pass NULL here instead.

Signed-off-by: Ronnie Sahlberg <sahlberg@google.com>
Reviewed-by: Michael Haggerty <mhagger@alum.mit.edu>
Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

refs.c: pass the ref log message to _create/delete... Ronnie Sahlberg Wed, 30 Apr 2014 19:22:42 +0000 (12:22 -0700)

refs.c: pass the ref log message to _create/delete/update instead of _commit

Change the ref transaction API so that we pass the reflog message to the
create/delete/update functions instead of to ref_transaction_commit.
This allows different reflog messages for each ref update in a multi-ref
transaction.

Signed-off-by: Ronnie Sahlberg <sahlberg@google.com>
Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

refs.c: add an err argument to delete_ref_loose Ronnie Sahlberg Thu, 15 May 2014 15:25:23 +0000 (08:25 -0700)

refs.c: add an err argument to delete_ref_loose

Add an err argument to delete_ref_loose so that we can pass a descriptive
error string back to the caller. Pass the err argument from transaction
commit to this function so that transaction users will have a nice error
string if the transaction failed due to delete_ref_loose.

Signed-off-by: Ronnie Sahlberg <sahlberg@google.com>
Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

wrapper.c: add a new function unlink_or_msg Ronnie Sahlberg Wed, 16 Jul 2014 18:20:36 +0000 (11:20 -0700)

wrapper.c: add a new function unlink_or_msg

This behaves like unlink_or_warn except that on failure it writes the message
to its 'err' argument, which the caller can display in an appropriate way or
ignore.

Signed-off-by: Ronnie Sahlberg <sahlberg@google.com>
Reviewed-by: Michael Haggerty <mhagger@alum.mit.edu>
Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

refs.c: lock_ref_sha1_basic is used for all refs Ronnie Sahlberg Thu, 2 Oct 2014 14:59:02 +0000 (07:59 -0700)

refs.c: lock_ref_sha1_basic is used for all refs

lock_ref_sha1_basic is used to lock refs that sit directly in the .git
dir such as HEAD and MERGE_HEAD in addition to the more ordinary refs
under "refs/". Remove the note claiming otherwise.

Signed-off-by: Ronnie Sahlberg <sahlberg@google.com>
Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

wrapper.c: remove/unlink_or_warn: simplify, treat ENOEN... Ronnie Sahlberg Wed, 16 Jul 2014 18:01:18 +0000 (11:01 -0700)

wrapper.c: remove/unlink_or_warn: simplify, treat ENOENT as success

Simplify the function warn_if_unremovable slightly. Additionally, change
behaviour slightly. If we failed to remove the object because the object
does not exist, we can still return success back to the caller since none of
the callers depend on "fail if the file did not exist".

Signed-off-by: Ronnie Sahlberg <sahlberg@google.com>
Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

mv test: recreate mod/ directory instead of relying... Jonathan Nieder Wed, 10 Sep 2014 21:01:46 +0000 (14:01 -0700)

mv test: recreate mod/ directory instead of relying on stale copy

The tests for 'git mv moves a submodule' functionality often run
commands like

    git mv sub mod/sub

to move a submodule into a subdirectory. Just like plain /bin/mv,
this is supposed to succeed if the mod/ parent directory exists
and fail if it doesn't exist.

Usually these tests mkdir the parent directory beforehand, but some
instead rely on it being left behind by previous tests.

More precisely, when 'git reset --hard' tries to move to a state where
mod/sub is not present any more, it would perform the following
operations:

    rmdir("mod/sub")
    rmdir("mod")

The first fails with ENOENT because the test script removed mod/sub
with "rm -rf" already, so 'reset --hard' doesn't bother to move on to
the second, and the mod/ directory is kept around.

Better to explicitly remove and re-create the mod/ directory so later
tests don't have to depend on the directory left behind by the earlier
ones at all (making it easier to rearrange or skip some tests in the
file or to tweak 'reset --hard' behavior without breaking unrelated
tests).

Noticed while testing a patch that fixes the reset --hard behavior
described above.

Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
Reviewed-by: Ronnie Sahlberg <sahlberg@google.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

Update draft release notes to 2.2 Junio C Hamano Tue, 14 Oct 2014 17:59:04 +0000 (10:59 -0700)

Update draft release notes to 2.2

Signed-off-by: Junio C Hamano <gitster@pobox.com>

Merge branch 'bc/asciidoc-pretty-formats-fix' Junio C Hamano Tue, 14 Oct 2014 17:50:14 +0000 (10:50 -0700)

Merge branch 'bc/asciidoc-pretty-formats-fix'

* bc/asciidoc-pretty-formats-fix:
Documentation: fix misrender of pretty-formats in Asciidoctor

Merge branch 'rs/plug-leak-in-bundle' Junio C Hamano Tue, 14 Oct 2014 17:50:09 +0000 (10:50 -0700)

Merge branch 'rs/plug-leak-in-bundle'

* rs/plug-leak-in-bundle:
bundle: plug minor memory leak in is_tag_in_date_range()

Merge branch 'rs/more-uses-of-skip-prefix' Junio C Hamano Tue, 14 Oct 2014 17:50:07 +0000 (10:50 -0700)

Merge branch 'rs/more-uses-of-skip-prefix'

* rs/more-uses-of-skip-prefix:
use skip_prefix() to avoid more magic numbers

Merge branch 'rs/mailsplit' Junio C Hamano Tue, 14 Oct 2014 17:50:00 +0000 (10:50 -0700)

Merge branch 'rs/mailsplit'

* rs/mailsplit:
mailsplit: remove unnecessary unlink(2) call

Merge branch 'rs/sha1-array-test' Junio C Hamano Tue, 14 Oct 2014 17:49:56 +0000 (10:49 -0700)

Merge branch 'rs/sha1-array-test'

* rs/sha1-array-test:
sha1-lookup: handle duplicates in sha1_pos()
sha1-array: add test-sha1-array and basic tests

Merge branch 'mh/lockfile-stdio' Junio C Hamano Tue, 14 Oct 2014 17:49:51 +0000 (10:49 -0700)

Merge branch 'mh/lockfile-stdio'

* mh/lockfile-stdio:
commit_packed_refs(): reimplement using fdopen_lock_file()
dump_marks(): reimplement using fdopen_lock_file()
fdopen_lock_file(): access a lockfile using stdio

Merge branch 'mh/lockfile' Junio C Hamano Tue, 14 Oct 2014 17:49:45 +0000 (10:49 -0700)

Merge branch 'mh/lockfile'

The lockfile API and its users have been cleaned up.

* mh/lockfile: (38 commits)
lockfile.h: extract new header file for the functions in lockfile.c
hold_locked_index(): move from lockfile.c to read-cache.c
hold_lock_file_for_append(): restore errno before returning
get_locked_file_path(): new function
lockfile.c: rename static functions
lockfile: rename LOCK_NODEREF to LOCK_NO_DEREF
commit_lock_file_to(): refactor a helper out of commit_lock_file()
trim_last_path_component(): replace last_path_elm()
resolve_symlink(): take a strbuf parameter
resolve_symlink(): use a strbuf for internal scratch space
lockfile: change lock_file::filename into a strbuf
commit_lock_file(): use a strbuf to manage temporary space
try_merge_strategy(): use a statically-allocated lock_file object
try_merge_strategy(): remove redundant lock_file allocation
struct lock_file: declare some fields volatile
lockfile: avoid transitory invalid states
git_config_set_multivar_in_file(): avoid call to rollback_lock_file()
dump_marks(): remove a redundant call to rollback_lock_file()
api-lockfile: document edge cases
commit_lock_file(): rollback lock file on failure to rename
...

Merge branch 'sk/tag-contains-wo-recursion' Junio C Hamano Tue, 14 Oct 2014 17:49:41 +0000 (10:49 -0700)

Merge branch 'sk/tag-contains-wo-recursion'

* sk/tag-contains-wo-recursion:
t7004: give the test a bit more stack space

Merge branch 'da/completion-show-signature' Junio C Hamano Tue, 14 Oct 2014 17:49:35 +0000 (10:49 -0700)

Merge branch 'da/completion-show-signature'

* da/completion-show-signature:
completion: add --show-signature for log and show

Merge branch 'rs/daemon-fixes' Junio C Hamano Tue, 14 Oct 2014 17:49:22 +0000 (10:49 -0700)

Merge branch 'rs/daemon-fixes'

"git daemon" (with NO_IPV6 build configuration) used to incorrectly
use the hostname even when gethostbyname() reported that the given
hostname is not found.

* rs/daemon-fixes:
daemon: remove write-only variable maxfd
daemon: fix error message after bind()
daemon: handle gethostbyname() error

Merge branch 'dt/cache-tree-repair' Junio C Hamano Tue, 14 Oct 2014 17:49:11 +0000 (10:49 -0700)

Merge branch 'dt/cache-tree-repair'

This fixes a topic that has graduated to 'master'.

* dt/cache-tree-repair:
t0090: avoid passing empty string to printf %d

Merge branch 'so/rebase-doc-fork-point' Junio C Hamano Tue, 14 Oct 2014 17:49:06 +0000 (10:49 -0700)

Merge branch 'so/rebase-doc-fork-point'

* so/rebase-doc-fork-point:
Documentation/git-rebase.txt: document when --fork-point is auto-enabled

Merge branch 'da/include-compat-util-first-in-c' Junio C Hamano Tue, 14 Oct 2014 17:49:00 +0000 (10:49 -0700)

Merge branch 'da/include-compat-util-first-in-c'

Code clean-up.

* da/include-compat-util-first-in-c:
cleanups: ensure that git-compat-util.h is included first

Documentation: fix misrender of pretty-formats in Ascii... brian m. carlson Wed, 8 Oct 2014 20:46:10 +0000 (20:46 +0000)

Documentation: fix misrender of pretty-formats in Asciidoctor

Neither the AsciiDoc nor the Asciidoctor documentation specify whether
the same number of delimiter characters must be used to end a block as
to begin it, although both sets of documentation show exactly matching
pairs. AsciiDoc allows mismatches, but AsciiDoctor apparently does not.
Adjust the pretty formats documentation to use matching pairs to prevent
a misrendering where the remainder of the document was rendered as a
listing block.

Signed-off-by: brian m. carlson <sandals@crustytoothpaste.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

Update draft release notes to 2.2 Junio C Hamano Wed, 8 Oct 2014 20:08:55 +0000 (13:08 -0700)

Update draft release notes to 2.2

Signed-off-by: Junio C Hamano <gitster@pobox.com>

Merge branch 'sp/stream-clean-filter' Junio C Hamano Wed, 8 Oct 2014 20:05:32 +0000 (13:05 -0700)

Merge branch 'sp/stream-clean-filter'

When running a required clean filter, we do not have to mmap the
original before feeding the filter. Instead, stream the file
contents directly to the filter and process its output.

* sp/stream-clean-filter:
sha1_file: don't convert off_t to size_t too early to avoid potential die()
convert: stream from fd to required clean filter to reduce used address space
copy_fd(): do not close the input file descriptor
mmap_limit: introduce GIT_MMAP_LIMIT to allow testing expected mmap size
memory_limit: use git_env_ulong() to parse GIT_ALLOC_LIMIT
config.c: add git_env_ulong() to parse environment variable
convert: drop arguments other than 'path' from would_convert_to_git()

Merge branch 'bw/use-write-script-in-tests' Junio C Hamano Wed, 8 Oct 2014 20:05:29 +0000 (13:05 -0700)

Merge branch 'bw/use-write-script-in-tests'

* bw/use-write-script-in-tests:
t/lib-credential: use write_script

Merge branch 'nd/archive-pathspec' Junio C Hamano Wed, 8 Oct 2014 20:05:25 +0000 (13:05 -0700)

Merge branch 'nd/archive-pathspec'

"git archive" learned to filter what gets archived with pathspec.

* nd/archive-pathspec:
archive: support filtering paths with glob

Merge branch 'jc/push-cert' Junio C Hamano Wed, 8 Oct 2014 20:05:15 +0000 (13:05 -0700)

Merge branch 'jc/push-cert'

Allow "git push" request to be signed, so that it can be verified and
audited, using the GPG signature of the person who pushed, that the
tips of branches at a public repository really point the commits
the pusher wanted to, without having to "trust" the server.

* jc/push-cert: (24 commits)
receive-pack::hmac_sha1(): copy the entire SHA-1 hash out
signed push: allow stale nonce in stateless mode
signed push: teach smart-HTTP to pass "git push --signed" around
signed push: fortify against replay attacks
signed push: add "pushee" header to push certificate
signed push: remove duplicated protocol info
send-pack: send feature request on push-cert packet
receive-pack: GPG-validate push certificates
push: the beginning of "git push --signed"
pack-protocol doc: typofix for PKT-LINE
gpg-interface: move parse_signature() to where it should be
gpg-interface: move parse_gpg_output() to where it should be
send-pack: clarify that cmds_sent is a boolean
send-pack: refactor inspecting and resetting status and sending commands
send-pack: rename "new_refs" to "need_pack_data"
receive-pack: factor out capability string generation
send-pack: factor out capability string generation
send-pack: always send capabilities
send-pack: refactor decision to send update per ref
send-pack: move REF_STATUS_REJECT_NODELETE logic a bit higher
...

Sync with maint Junio C Hamano Tue, 7 Oct 2014 20:41:03 +0000 (13:41 -0700)

Sync with maint

* maint:
git-tag.txt: Add a missing hyphen to `-s`

Merge branch 'maint-2.0' into maint Junio C Hamano Tue, 7 Oct 2014 20:40:51 +0000 (13:40 -0700)

Merge branch 'maint-2.0' into maint

* maint-2.0:
git-tag.txt: Add a missing hyphen to `-s`

Merge branch 'maint-1.9' into maint-2.0 Junio C Hamano Tue, 7 Oct 2014 20:40:39 +0000 (13:40 -0700)

Merge branch 'maint-1.9' into maint-2.0

* maint-1.9:
git-tag.txt: Add a missing hyphen to `-s`

Merge branch 'maint-1.8.5' into maint-1.9 Junio C Hamano Tue, 7 Oct 2014 20:40:19 +0000 (13:40 -0700)

Merge branch 'maint-1.8.5' into maint-1.9

* maint-1.8.5:
git-tag.txt: Add a missing hyphen to `-s`

Merge branch 'jk/mbox-from-line' into maint Junio C Hamano Tue, 7 Oct 2014 20:39:24 +0000 (13:39 -0700)

Merge branch 'jk/mbox-from-line' into maint

Some MUAs mangled a line in a message that begins with "From " to
">From " when writing to a mailbox file and feeding such an input to
"git am" used to lose such a line.

* jk/mbox-from-line:
mailinfo: work around -Wstring-plus-int warning
mailinfo: make ">From" in-body header check more robust

completion: add --show-signature for log and show David Aguilar Sat, 4 Oct 2014 23:20:38 +0000 (16:20 -0700)

completion: add --show-signature for log and show

Signed-off-by: David Aguilar <davvid@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

use skip_prefix() to avoid more magic numbers René Scharfe Sat, 4 Oct 2014 18:54:50 +0000 (20:54 +0200)

use skip_prefix() to avoid more magic numbers

Continue where ae021d87 (use skip_prefix to avoid magic numbers) left off
and use skip_prefix() in more places for determining the lengths of prefix
strings to avoid using dependent constants and other indirect methods.

Signed-off-by: Rene Scharfe <l.s.r@web.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

git-tag.txt: Add a missing hyphen to `-s` Wieland Hoffmann Sat, 4 Oct 2014 16:27:16 +0000 (18:27 +0200)

git-tag.txt: Add a missing hyphen to `-s`

Signed-off-by: Wieland Hoffmann <themineo@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

mailsplit: remove unnecessary unlink(2) call René Scharfe Sat, 4 Oct 2014 08:41:13 +0000 (10:41 +0200)

mailsplit: remove unnecessary unlink(2) call

The output file hasn't been created at this point, yet, so there is no
need to delete it when exiting early.

Suggested-by: Jeff King <peff@peff.net>
Signed-off-by: Rene Scharfe <l.s.r@web.de>
Reviewed-by: Jonathan Nieder <jrnieder@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

bundle: plug minor memory leak in is_tag_in_date_range() René Scharfe Fri, 3 Oct 2014 22:40:24 +0000 (00:40 +0200)

bundle: plug minor memory leak in is_tag_in_date_range()

Free the buffer returned by read_sha1_file() even if no valid tagger
line is found.

Signed-off-by: Rene Scharfe <l.s.r@web.de>
Reviewed-by: Jonathan Nieder <jrnieder@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

commit_packed_refs(): reimplement using fdopen_lock_file() Michael Haggerty Wed, 1 Oct 2014 11:14:49 +0000 (13:14 +0200)

commit_packed_refs(): reimplement using fdopen_lock_file()

Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

dump_marks(): reimplement using fdopen_lock_file() Michael Haggerty Wed, 1 Oct 2014 11:14:48 +0000 (13:14 +0200)

dump_marks(): reimplement using fdopen_lock_file()

Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

fdopen_lock_file(): access a lockfile using stdio Michael Haggerty Wed, 1 Oct 2014 11:14:47 +0000 (13:14 +0200)

fdopen_lock_file(): access a lockfile using stdio

Add a new function, fdopen_lock_file(), which returns a FILE pointer
open to the lockfile. If a stream is open on a lock_file object, it is
closed using fclose() on commit, rollback, or close_lock_file().

This change will allow callers to use stdio to write to a lockfile
without having to muck around in the internal representation of the
lock_file object (callers will be rewritten in upcoming commits).

Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

lockfile.h: extract new header file for the functions... Michael Haggerty Wed, 1 Oct 2014 10:28:42 +0000 (12:28 +0200)

lockfile.h: extract new header file for the functions in lockfile.c

Move the interface declaration for the functions in lockfile.c from
cache.h to a new file, lockfile.h. Add #includes where necessary (and
remove some redundant includes of cache.h by files that already
include builtin.h).

Move the documentation of the lock_file state diagram from lockfile.c
to the new header file.

Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

hold_locked_index(): move from lockfile.c to read-cache.c Michael Haggerty Wed, 1 Oct 2014 10:28:41 +0000 (12:28 +0200)

hold_locked_index(): move from lockfile.c to read-cache.c

lockfile.c contains the general API for locking any file. Code
specifically about the index file doesn't belong here.

Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

hold_lock_file_for_append(): restore errno before returning Michael Haggerty Wed, 1 Oct 2014 10:28:40 +0000 (12:28 +0200)

hold_lock_file_for_append(): restore errno before returning

Callers who don't pass LOCK_DIE_ON_ERROR might want to examine errno
to see what went wrong, so restore errno before returning.

In fact this function only has one caller, add_to_alternates_file(),
and it *does* use LOCK_DIE_ON_ERROR, but, you know, think of future
generations.

Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

get_locked_file_path(): new function Michael Haggerty Wed, 1 Oct 2014 10:28:39 +0000 (12:28 +0200)

get_locked_file_path(): new function

Add a function to return the path of the file that is locked by a
lock_file object. This reduces the knowledge that callers have to have
about the lock_file layout.

Suggested-by: Ronnie Sahlberg <sahlberg@google.com>
Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

lockfile.c: rename static functions Michael Haggerty Wed, 1 Oct 2014 10:28:38 +0000 (12:28 +0200)

lockfile.c: rename static functions

* remove_lock_file() -> remove_lock_files()
* remove_lock_file_on_signal() -> remove_lock_files_on_signal()

Suggested-by: Torsten Bögershausen <tboegi@web.de>
Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

lockfile: rename LOCK_NODEREF to LOCK_NO_DEREF Michael Haggerty Wed, 1 Oct 2014 10:28:37 +0000 (12:28 +0200)

lockfile: rename LOCK_NODEREF to LOCK_NO_DEREF

This makes it harder to misread the name as LOCK_NODE_REF.

Suggested-by: Torsten Bögershausen <tboegi@web.de>
Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

commit_lock_file_to(): refactor a helper out of commit_... Michael Haggerty Wed, 1 Oct 2014 10:28:36 +0000 (12:28 +0200)

commit_lock_file_to(): refactor a helper out of commit_lock_file()

commit_locked_index(), when writing to an alternate index file,
duplicates (poorly) the code in commit_lock_file(). And anyway, it
shouldn't have to know so much about the internal workings of lockfile
objects. So extract a new function commit_lock_file_to() that does the
work common to the two functions, and call it from both
commit_lock_file() and commit_locked_index().

Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

trim_last_path_component(): replace last_path_elm() Michael Haggerty Wed, 1 Oct 2014 10:28:35 +0000 (12:28 +0200)

trim_last_path_component(): replace last_path_elm()

Rewrite last_path_elm() to take a strbuf parameter and to trim off the
last path name element in place rather than returning a pointer to the
beginning of the last path name element. This simplifies the function
a bit and makes it integrate better with its caller, which is now also
strbuf-based. Rename the function accordingly and a bit less tersely.

Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

resolve_symlink(): take a strbuf parameter Michael Haggerty Wed, 1 Oct 2014 10:28:34 +0000 (12:28 +0200)

resolve_symlink(): take a strbuf parameter

Change resolve_symlink() to take a strbuf rather than a string as
parameter. This simplifies the code and removes an arbitrary pathname
length restriction. It also means that lock_file's filename field no
longer needs to be initialized to a large size.

Helped-by: Torsten Bögershausen <tboegi@web.de>
Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

resolve_symlink(): use a strbuf for internal scratch... Michael Haggerty Wed, 1 Oct 2014 10:28:33 +0000 (12:28 +0200)

resolve_symlink(): use a strbuf for internal scratch space

Aside from shortening and simplifying the code, this removes another
place where the path name length is arbitrarily limited.

Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

lockfile: change lock_file::filename into a strbuf Michael Haggerty Wed, 1 Oct 2014 10:28:32 +0000 (12:28 +0200)

lockfile: change lock_file::filename into a strbuf

For now, we still make sure to allocate at least PATH_MAX characters
for the strbuf because resolve_symlink() doesn't know how to expand
the space for its return value. (That will be fixed in a moment.)

Another alternative would be to just use a strbuf as scratch space in
lock_file() but then store a pointer to the naked string in struct
lock_file. But lock_file objects are often reused. By reusing the
same strbuf, we can avoid having to reallocate the string most times
when a lock_file object is reused.

Helped-by: Torsten Bögershausen <tboegi@web.de>
Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

commit_lock_file(): use a strbuf to manage temporary... Michael Haggerty Wed, 1 Oct 2014 10:28:31 +0000 (12:28 +0200)

commit_lock_file(): use a strbuf to manage temporary space

Avoid relying on the filename length restrictions that are currently
checked by lock_file().

Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

try_merge_strategy(): use a statically-allocated lock_f... Michael Haggerty Wed, 1 Oct 2014 10:28:30 +0000 (12:28 +0200)

try_merge_strategy(): use a statically-allocated lock_file object

Even the one lockfile object needn't be allocated each time the
function is called. Instead, define one statically-allocated
lock_file object and reuse it for every call.

Suggested-by: Jeff King <peff@peff.net>
Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

try_merge_strategy(): remove redundant lock_file allocation Michael Haggerty Wed, 1 Oct 2014 10:28:29 +0000 (12:28 +0200)

try_merge_strategy(): remove redundant lock_file allocation

By the time the "if" block is entered, the lock_file instance from the
main function block is no longer in use, so re-use that one instead of
allocating a second one.

Note that the "lock" variable in the "if" block shadowed the "lock"
variable at function scope, so the only change needed is to remove the
inner definition.

Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

struct lock_file: declare some fields volatile Michael Haggerty Wed, 1 Oct 2014 10:28:28 +0000 (12:28 +0200)

struct lock_file: declare some fields volatile

The function remove_lock_file_on_signal() is used as a signal handler.
It is not realistic to make the signal handler conform strictly to the
C standard, which is very restrictive about what a signal handler is
allowed to do. But let's increase the likelihood that it will work:

The lock_file_list global variable and several fields from struct
lock_file are used by the signal handler. Declare those values
"volatile" to (1) force the main process to write the values to RAM
promptly, and (2) prevent updates to these fields from being reordered
in a way that leaves an opportunity for a jump to the signal handler
while the object is in an inconsistent state.

We don't mark the filename field volatile because that would prevent
the use of strcpy(), and it is anyway unlikely that a compiler
re-orders a strcpy() call across other expressions. So in practice it
should be possible to get away without "volatile" in the "filename"
case.

Suggested-by: Johannes Sixt <j6t@kdbg.org>
Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

lockfile: avoid transitory invalid states Michael Haggerty Wed, 1 Oct 2014 10:28:27 +0000 (12:28 +0200)

lockfile: avoid transitory invalid states

Because remove_lock_file() can be called any time by the signal
handler, it is important that any lock_file objects that are in the
lock_file_list are always in a valid state. And since lock_file
objects are often reused (but are never removed from lock_file_list),
that means we have to be careful whenever mutating a lock_file object
to always keep it in a well-defined state.

This was formerly not the case, because part of the state was encoded
by setting lk->filename to the empty string vs. a valid filename. It
is wrong to assume that this string can be updated atomically; for
example, even

	strcpy(lk->filename, value)

is unsafe. But the old code was even more reckless; for example,

	strcpy(lk->filename, path);
	if (!(flags & LOCK_NODEREF))
		resolve_symlink(lk->filename, max_path_len);
	strcat(lk->filename, ".lock");

During the call to resolve_symlink(), lk->filename contained the name
of the file that was being locked, not the name of the lockfile. If a
signal were raised during that interval, then the signal handler would
have deleted the valuable file!

We could probably continue to use the filename field to encode the
state by being careful to write characters 1..N-1 of the filename
first, and then overwrite the NUL at filename[0] with the first
character of the filename, but that would be awkward and error-prone.

So, instead of using the filename field to determine whether the
lock_file object is active, add a new field "lock_file::active" for
this purpose. Be careful to set this field only when filename really
contains the name of a file that should be deleted on cleanup.

Helped-by: Johannes Sixt <j6t@kdbg.org>
Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
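
The race described in the "lockfile: avoid transitory invalid states" and "struct lock_file: declare some fields volatile" messages above, as an added C example that is not git's lockfile.c. The struct, the function names and the scratch directory under /tmp are assumptions made for the illustration, and the signal handler is simulated by a synchronous call at the point where resolve_symlink() used to run.

```c
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

struct demo_lock { /* model for this example, not git's struct lock_file */
	volatile sig_atomic_t active; /* set only once filename names the lockfile */
	char filename[300];
};

typedef void (*cleanup_fn)(struct demo_lock *);

/* Old design: any non-empty filename is treated as "lockfile to delete". */
static void cleanup_by_filename(struct demo_lock *lk)
{
	if (lk->filename[0])
		unlink(lk->filename);
}

/* New design: delete only when the explicit flag says the name is final. */
static void cleanup_by_flag(struct demo_lock *lk)
{
	if (lk->active)
		unlink(lk->filename);
}

/*
 * Build "<path>.lock" in place, as the old code did. `interrupt` is called
 * synchronously where resolve_symlink() used to run, standing in for a
 * signal handler firing while filename still holds the target's own name.
 */
static void build_lock_name(struct demo_lock *lk, const char *path, cleanup_fn interrupt)
{
	lk->active = 0;
	strcpy(lk->filename, path);   /* caller guarantees room for path + ".lock" */
	interrupt(lk);
	strcat(lk->filename, ".lock");
	lk->active = 1;
}

/* Returns 1 if the file being locked survives the interruption, 0 if it was deleted. */
static int target_survives(cleanup_fn interrupt)
{
	char dir[64], target[96];
	struct demo_lock lk = { 0, "" };
	FILE *f;
	int survived;

	snprintf(dir, sizeof(dir), "/tmp/lockrace-%ld", (long)getpid());
	snprintf(target, sizeof(target), "%s/packed-refs", dir);
	if (mkdir(dir, 0700) || !(f = fopen(target, "w")))
		return -1;
	fputs("constructed sample contents\n", f);
	fclose(f);

	build_lock_name(&lk, target, interrupt);
	survived = access(target, F_OK) == 0;

	unlink(target);
	rmdir(dir);
	return survived;
}

int main(void)
{
	printf("filename as state: target survives = %d\n", target_survives(cleanup_by_filename));
	printf("explicit flag:     target survives = %d\n", target_survives(cleanup_by_flag));
	return 0;
}
```

With the filename doubling as the state, the simulated handler unlinks the file that was being locked; with the separate flag it leaves the file alone because the flag is still 0 at that point.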

git_config_set_multivar_in_file(): avoid call to rollba... Michael Haggerty Wed, 1 Oct 2014 10:28:26 +0000 (12:28 +0200)

git_config_set_multivar_in_file(): avoid call to rollback_lock_file()

After commit_lock_file() is called, then the lock_file object is
necessarily either committed or rolled back. So there is no need to
call rollback_lock_file() again in either of these cases.

Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

dump_marks(): remove a redundant call to rollback_lock_... Michael Haggerty Wed, 1 Oct 2014 10:28:25 +0000 (12:28 +0200)

dump_marks(): remove a redundant call to rollback_lock_file()

When commit_lock_file() fails, it now always calls
rollback_lock_file() internally, so there is no need to call that
function here.

Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
Reviewed-by: Jonathan Nieder <jrnieder@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

api-lockfile: document edge cases Michael Haggerty Wed, 1 Oct 2014 10:28:24 +0000 (12:28 +0200)

api-lockfile: document edge cases

* Document the behavior of commit_lock_file() when it fails, namely
that it rolls back the lock_file object and sets errno
appropriately.

* Document the behavior of rollback_lock_file() when called for a
lock_file object that has already been committed or rolled back,
namely that it is a NOOP.

Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

commit_lock_file(): rollback lock file on failure to... Michael Haggerty Wed, 1 Oct 2014 10:28:23 +0000 (12:28 +0200)

commit_lock_file(): rollback lock file on failure to rename

If rename() fails, call rollback_lock_file() to delete the lock file
(in case it is still present) and reset the filename field to the
empty string so that the lockfile object is left in a valid state.

Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
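
The two edge cases documented in "api-lockfile: document edge cases" and implemented in "commit_lock_file(): rollback lock file on failure to rename", as an added C example that is not git's lockfile.c. The `demo_*` names, the struct layout and the scratch directory under /tmp are assumptions; the rename failure is provoked by making the lock target a directory.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

struct demo_lock { /* model for this example, not git's struct lock_file */
	int active; /* 1 only while lockpath names a lockfile we own */
	int fd;     /* -1 whenever no descriptor is open */
	char path[262], lockpath[262];
};

/* Create "<path>.lock" exclusively; returns the fd, or -1 if the lock is not taken. */
static int demo_hold(struct demo_lock *lk, const char *path)
{
	int n = snprintf(lk->lockpath, sizeof(lk->lockpath), "%s.lock", path);
	lk->active = 0;
	lk->fd = -1;
	if (n < 0 || n >= (int)sizeof(lk->lockpath))
		return -1; /* name too long: stay unlocked */
	strcpy(lk->path, path); /* fits: strlen(path) == n - 5 */
	lk->fd = open(lk->lockpath, O_WRONLY | O_CREAT | O_EXCL, 0600);
	if (lk->fd < 0)
		return -1;
	lk->active = 1;
	return lk->fd;
}

/* Delete the lockfile and unlock; a NOOP when the object is not locked. */
static void demo_rollback(struct demo_lock *lk)
{
	if (!lk->active)
		return;
	if (lk->fd >= 0)
		close(lk->fd);
	lk->fd = -1;
	unlink(lk->lockpath);
	lk->active = 0;
}

/* Publish with rename(); on failure roll back and keep the original errno. */
static int demo_commit(struct demo_lock *lk)
{
	int saved, rc;
	if (!lk->active) { /* git die()s here; this model reports an error */
		errno = EINVAL;
		return -1;
	}
	rc = lk->fd >= 0 ? close(lk->fd) : 0;
	lk->fd = -1;
	if (!rc && !rename(lk->lockpath, lk->path)) {
		lk->active = 0;
		return 0;
	}
	saved = errno;
	demo_rollback(lk);
	errno = saved;
	return -1;
}

/*
 * Returns 1 if a failed commit leaves the object unlocked and no lockfile
 * behind. rename() of a regular file onto a directory fails with EISDIR.
 */
static int failed_commit_is_clean(void)
{
	char dir[64], target[96];
	struct demo_lock lk;
	int ok;
	snprintf(dir, sizeof(dir), "/tmp/lockdemo-%ld", (long)getpid());
	snprintf(target, sizeof(target), "%s/refs", dir);
	if (mkdir(dir, 0700) || mkdir(target, 0700))
		return -1;
	ok = demo_hold(&lk, target) >= 0 && demo_commit(&lk) < 0 && errno == EISDIR &&
	     !lk.active && lk.fd == -1 && access(lk.lockpath, F_OK) != 0;
	demo_rollback(&lk); /* second rollback: must be a NOOP */
	rmdir(target);
	rmdir(dir);
	return ok;
}

int main(void)
{
	return failed_commit_is_clean() == 1 ? 0 : 1;
}
```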

close_lock_file(): if close fails, roll back Michael Haggerty Wed, 1 Oct 2014 10:28:22 +0000 (12:28 +0200)

close_lock_file(): if close fails, roll back

If closing an open lockfile fails, then we cannot be sure of the
contents of the lockfile, so there is nothing sensible to do but
delete it. This change also ensures that the lock_file object is left
in a defined state in this error path (namely, unlocked).

The only caller that is ultimately affected by this change is
try_merge_strategy() -> write_locked_index(), which can call
close_lock_file() via various execution paths. This caller uses a
static lock_file object which previously could have been reused after
a failed close_lock_file() even though it was still in locked state.
This change causes the lock_file object to be unlocked on failure,
thus fixing this error-handling path.

Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

commit_lock_file(): die() if called for unlocked lockfi... Michael Haggerty Wed, 1 Oct 2014 10:28:21 +0000 (12:28 +0200)

commit_lock_file(): die() if called for unlocked lockfile object

It was previously a bug to call commit_lock_file() with a lock_file
object that was not active (an illegal access would happen within the
function). It was presumably never done, but this would be an easy
programming error to overlook. So before continuing, do a consistency
check that the lock_file object really is locked.

Helped-by: Johannes Sixt <j6t@kdbg.org>
Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

commit_lock_file(): inline temporary variable Michael Haggerty Wed, 1 Oct 2014 10:28:20 +0000 (12:28 +0200)

commit_lock_file(): inline temporary variable

Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

remove_lock_file(): call rollback_lock_file() Michael Haggerty Wed, 1 Oct 2014 10:28:19 +0000 (12:28 +0200)

remove_lock_file(): call rollback_lock_file()

It does just what we need.

Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
Reviewed-by: Jonathan Nieder <jrnieder@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

lock_file(): exit early if lockfile cannot be opened Michael Haggerty Wed, 1 Oct 2014 10:28:18 +0000 (12:28 +0200)

lock_file(): exit early if lockfile cannot be opened

This is a bit easier to read than the old version, which nested part
of the non-error code in an "if" block.

Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
Reviewed-by: Ronnie Sahlberg <sahlberg@google.com>
Reviewed-by: Jonathan Nieder <jrnieder@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

prepare_index(): declare return value to be (const... Michael Haggerty Wed, 1 Oct 2014 10:28:17 +0000 (12:28 +0200)

prepare_index(): declare return value to be (const char *)

Declare the return value to be const to make it clear that we aren't
giving callers permission to write over the string that it points at.
(The return value is the filename field of a struct lock_file, which
can be used by a signal handler at any time and therefore shouldn't be
tampered with.)

Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

delete_ref_loose(): don't muck around in the lock_file... Michael Haggerty Wed, 1 Oct 2014 10:28:16 +0000 (12:28 +0200)

delete_ref_loose(): don't muck around in the lock_file's filename

It's bad manners. Especially since there could be a signal during the
call to unlink_or_warn(), in which case the signal handler will see
the wrong filename and delete the reference file, leaving the lockfile
behind.

So make our own copy to work with.

Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

cache.h: define constants LOCK_SUFFIX and LOCK_SUFFIX_LEN Michael Haggerty Wed, 1 Oct 2014 10:28:15 +0000 (12:28 +0200)

cache.h: define constants LOCK_SUFFIX and LOCK_SUFFIX_LEN

There are a few places that use these values, so define constants for
them.

Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

lockfile.c: document the various states of lock_file... Michael Haggerty Wed, 1 Oct 2014 10:28:14 +0000 (12:28 +0200)

lockfile.c: document the various states of lock_file objects

Document the valid states of lock_file objects, how they get into each
state, and how the state is encoded in the object's fields.

Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
Reviewed-by: Ronnie Sahlberg <sahlberg@google.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

lock_file(): always initialize and register lock_file... Michael Haggerty Wed, 1 Oct 2014 10:28:13 +0000 (12:28 +0200)

lock_file(): always initialize and register lock_file object

The purpose of this change is to make the state diagram for
lock_file objects simpler and deterministic.

If locking fails, lock_file() sometimes leaves the lock_file object
partly initialized, but sometimes not. It sometimes registers the
object in lock_file_list, but sometimes not. This makes the state
diagram for lock_file objects effectively indeterministic and hard
to reason about. A future patch will also change the filename field
into a strbuf, which needs more involved initialization, so it will
become even more important that the state of a lock_file object is
well-defined after a failed attempt to lock.

The ambiguity doesn't currently have any ill effects, because
lock_file objects cannot be removed from the lock_file_list anyway.
But to make it easier to document and reason about the code, make
this behavior consistent: *always* initialize the lock_file object
and *always* register it in lock_file_list the first time it is
used, regardless of whether an error occurs.

While we're at it, make sure that all of the lock_file fields are
initialized to values appropriate for an unlocked object; the caller
is only responsible for making sure that on_list is set to zero before
the first time it is used.

Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

hold_lock_file_for_append(): release lock on errors Michael Haggerty Wed, 1 Oct 2014 10:28:12 +0000 (12:28 +0200)

hold_lock_file_for_append(): release lock on errors

If there is an error copying the old contents to the lockfile, roll
back the lockfile before exiting so that the lockfile is not held
until process cleanup.

Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
Reviewed-by: Jonathan Nieder <jrnieder@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

lockfile: unlock file if lockfile permissions cannot... Michael Haggerty Wed, 1 Oct 2014 10:28:11 +0000 (12:28 +0200)

lockfile: unlock file if lockfile permissions cannot be adjusted

If the call to adjust_shared_perm() fails, lock_file returns -1, which
to the caller looks like any other failure to lock the file. So in
this case, roll back the lockfile before returning so that the lock
file is deleted immediately and the lockfile object is left in a
predictable state (namely, unlocked). Previously, the lockfile was
retained until process cleanup in this situation.

Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
Reviewed-by: Jonathan Nieder <jrnieder@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

rollback_lock_file(): set fd to -1 Michael Haggerty Wed, 1 Oct 2014 10:28:10 +0000 (12:28 +0200)

rollback_lock_file(): set fd to -1

When rolling back the lockfile, call close_lock_file() so that the
lock_file's fd field gets set back to -1. This keeps the lock_file
object in a valid state, which is important because these objects are
allowed to be reused. It also makes it unnecessary to check whether
the file has already been closed, because close_lock_file() takes care
of that.

Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
Reviewed-by: Jonathan Nieder <jrnieder@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

rollback_lock_file(): exit early if lock is not active Michael Haggerty Wed, 1 Oct 2014 10:28:09 +0000 (12:28 +0200)

rollback_lock_file(): exit early if lock is not active

Eliminate a layer of nesting.

Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
Reviewed-by: Ronnie Sahlberg <sahlberg@google.com>
Reviewed-by: Jonathan Nieder <jrnieder@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

rollback_lock_file(): do not clear filename redundantly Michael Haggerty Wed, 1 Oct 2014 10:28:08 +0000 (12:28 +0200)

rollback_lock_file(): do not clear filename redundantly

It is only necessary to clear the lock_file's filename field if it was
not already clear.

Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
Reviewed-by: Ronnie Sahlberg <sahlberg@google.com>
Reviewed-by: Jonathan Nieder <jrnieder@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

close_lock_file(): exit (successfully) if file is alrea... Michael Haggerty Wed, 1 Oct 2014 10:28:07 +0000 (12:28 +0200)

close_lock_file(): exit (successfully) if file is already closed

Suggested-by: Jonathan Nieder <jrnieder@gmail.com>
Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

api-lockfile: revise and expand the documentation Michael Haggerty Wed, 1 Oct 2014 10:28:06 +0000 (12:28 +0200)

api-lockfile: revise and expand the documentation

Document a couple more functions and the flags argument as used by
hold_lock_file_for_update() and hold_lock_file_for_append().
Reorganize the document to make it more accessible.

Helped-by: Jonathan Nieder <jrnieder@gmail.com>
Helped-by: Junio Hamano <gitster@pobox.com>
Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

unable_to_lock_die(): rename function from unable_to_lo... Michael Haggerty Wed, 1 Oct 2014 10:28:05 +0000 (12:28 +0200)

unable_to_lock_die(): rename function from unable_to_lock_index_die()

This function is used for other things besides the index, so rename it
accordingly.

Suggested-by: Jeff King <peff@peff.net>
Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
Reviewed-by: Ronnie Sahlberg <sahlberg@google.com>
Reviewed-by: Jonathan Nieder <jrnieder@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

daemon: remove write-only variable maxfd René Scharfe Wed, 1 Oct 2014 10:21:57 +0000 (12:21 +0200)

daemon: remove write-only variable maxfd

It became unused when 6573faff (NO_IPV6 support for git daemon) replaced
select() with poll().

Signed-off-by: Rene Scharfe <l.s.r@web.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

daemon: fix error message after bind() René Scharfe Wed, 1 Oct 2014 10:18:15 +0000 (12:18 +0200)

daemon: fix error message after bind()

Signed-off-by: Rene Scharfe <l.s.r@web.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

daemon: handle gethostbyname() error René Scharfe Wed, 1 Oct 2014 10:16:17 +0000 (12:16 +0200)

daemon: handle gethostbyname() error

If the user-supplied hostname can't be found then we should not use it.
We already avoid doing that in the non-NO_IPV6 case by checking if the
return value of getaddrinfo() is zero (success). Do the same in the
NO_IPV6 case and make sure the return value of gethostbyname() isn't
NULL before dereferencing this pointer.

Signed-off-by: Rene Scharfe <l.s.r@web.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

sha1-lookup: handle duplicates in sha1_pos() René Scharfe Wed, 1 Oct 2014 15:02:37 +0000 (17:02 +0200)

sha1-lookup: handle duplicates in sha1_pos()

If the first 18 bytes of the SHA1's of all entries are the same then
sha1_pos() dies and reports that the lower and upper limits of the
binary search were the same and that this wasn't supposed to happen. This
is wrong because the remaining two bytes could still differ.

Furthermore: It wouldn't be a problem if they actually were the same,
i.e. if all entries have the same SHA1. The code already handles
duplicates just fine. Simply remove the erroneous check.

Signed-off-by: Rene Scharfe <l.s.r@web.de>
Acked-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>