Conversation
From https://dev.azure.com/git/git/_build/results?buildId=1446&view=logs:

Thanks for the explanation and the tip, @dscho!

/submit

(The Travis CI build failed with "couldn't find gcc-8", which clearly isn't a bug in any changes I made, so I'm ignoring that spurious error.)

Submitted as pull.676.git.git.1575924465.gitgitgadget@gmail.com WARNING: newren has no public email address set on GitHub
@@ -2083,14 +2083,12 @@ static int treat_leading_path(struct dir_struct *dir,
struct strbuf sb = STRBUF_INIT;
On the Git mailing list, Denton Liu wrote (reply to this):
Hi Elijah,
On Mon, Dec 09, 2019 at 08:47:39PM +0000, Elijah Newren via GitGitGadget wrote:
> diff --git a/t/t7061-wtstatus-ignore.sh b/t/t7061-wtstatus-ignore.sh
> index 0c394cf995..ded7f97181 100755
> --- a/t/t7061-wtstatus-ignore.sh
> +++ b/t/t7061-wtstatus-ignore.sh
> @@ -43,11 +43,14 @@ test_expect_success 'status untracked directory with --ignored -u' '
> test_cmp expected actual
> '
> cat >expected <<\EOF
> -?? untracked/uncommitted
> +?? untracked/
> !! untracked/ignored
> EOF
>
> -test_expect_success 'status prefixed untracked directory with --ignored' '
> +test_expect_failure 'status of untracked directory with --ignored works with or without prefix' '
> + git status --porcelain --ignored | grep untracked/ >actual &&
Can we break this pipe up into two invocations so that we don't have a
git command in the upstream of a pipe?
Thanks,
Denton
P.S. Perhaps in the future, we (I) could try to extend chainlint so that
it catches this and git commands in non-assignment command
substitutions... I think that would be pretty nice.
> + test_cmp expected actual &&
> +
> git status --porcelain --ignored untracked/ >actual &&
> test_cmp expected actual
> '
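Review bot: `git status --porcelain --ignored | grep untracked/ >actual` puts a git command upstream of a pipe, so a crash or non-zero exit from `git status` is hidden behind grep's exit status and the `&&` chain still passes; write it as `git status --porcelain --ignored >out && grep untracked/ out >actual` so the git exit code is actually checked. Since the test is marked `test_expect_failure`, a masked git failure would also be indistinguishable from the bug the test is meant to document.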
> --
> gitgitgadget
>
On the Git mailing list, Elijah Newren wrote (reply to this):
On Mon, Dec 9, 2019 at 1:32 PM Denton Liu <liu.denton@gmail.com> wrote:
>
> Hi Elijah,
>
> On Mon, Dec 09, 2019 at 08:47:39PM +0000, Elijah Newren via GitGitGadget wrote:
> > diff --git a/t/t7061-wtstatus-ignore.sh b/t/t7061-wtstatus-ignore.sh
> > index 0c394cf995..ded7f97181 100755
> > --- a/t/t7061-wtstatus-ignore.sh
> > +++ b/t/t7061-wtstatus-ignore.sh
> > @@ -43,11 +43,14 @@ test_expect_success 'status untracked directory with --ignored -u' '
> > test_cmp expected actual
> > '
> > cat >expected <<\EOF
> > -?? untracked/uncommitted
> > +?? untracked/
> > !! untracked/ignored
> > EOF
> >
> > -test_expect_success 'status prefixed untracked directory with --ignored' '
> > +test_expect_failure 'status of untracked directory with --ignored works with or without prefix' '
> > + git status --porcelain --ignored | grep untracked/ >actual &&
>
> Can we break this pipe up into two invocations so that we don't have a
> git command in the upstream of a pipe?
Sigh...yeah, I keep doing this. And I'll probably keep doing it if
someone can't chainlint (or pipefail) it. I'll fix it up.
On the Git mailing list, Eric Sunshine wrote (reply to this):
On Mon, Dec 9, 2019 at 4:32 PM Denton Liu <liu.denton@gmail.com> wrote:
> On Mon, Dec 09, 2019 at 08:47:39PM +0000, Elijah Newren via GitGitGadget wrote:
> > +test_expect_failure 'status of untracked directory with --ignored works with or without prefix' '
> > + git status --porcelain --ignored | grep untracked/ >actual &&
>
> Can we break this pipe up into two invocations so that we don't have a
> git command in the upstream of a pipe?
>
> P.S. Perhaps in the future, we (I) could try to extend chainlint so that
> it catches this and git commands in non-assignment command
> substitutions... I think that would be pretty nice.
Rather than getting mired down in chainlint (which could make your
eyeballs melt), an easier way to catch this sort of thing would be to
introduce a new script which checks test scripts for Git
best-practices non-conformity, similar to how
t/check-non-portable-shell.pl checks for non-portable shell
constructs. (You could even extend check-non-portable-shell.pl with
the functionality, but then the script would no longer be specific to
"non-portable shell", so either renaming it or making a new new script
is warranted.)
By the way, I have considered adding a best-practices linting script
like this, but it (at least at first) would need to have some sort of
opt-in or opt-out feature since there (likely) are still so many
instances of tests which don't follow best-practices, and it could
take a while to "fix" them all (and eat up a lot of reviewer time, so
it should be done in small batches).
Add several tests demonstrating directory traversal failures of various sorts in dir.c (and one similar looking test that turns out to be a git_fnmatch bug). A lot of these tests look like near duplicates of each other, but an optimization path in dir.c to pre-descend into a common prefix and the specialized treatment of trailing slashes in dir.c mean the tiny differences are sometimes important and potentially cause different codepaths to be explored. Of the 7 failing tests, 2 are new to git-2.24.0 (tweaked by side effects of the en/clean-nested-with-ignored-topic); the other 5 also failed under git-2.23.0 and earlier. Signed-off-by: Elijah Newren <newren@gmail.com>
…ories" Commit be8a84c ("dir.c: make 'git-status --ignored' work within leading directories", 2013-04-15) noted that git status --ignored <SOMEPATH> would not list ignored files and directories within <SOMEPATH> if <SOMEPATH> was untracked, and modified the behavior to make it show them. However, it did so via a hack that broke consistency; it would show paths under <SOMEPATH> differently than a simple git status --ignored | grep <SOMEPATH> would show them. A correct fix is slightly more involved, and complicated slightly by this hack, so we revert this commit (but keep corrected versions of the testcases) and will later fix the original bug with a subsequent patch. Some history may be helpful: A very, very similar case to the commit we are reverting was raised in commit 48ffef9 ("ls-files: fix overeager pathspec optimization", 2010-01-08); but it actually went in somewhat the opposite direction. In that commit, it mentioned how git ls-files -o --exclude-standard t/ used to show untracked files under t/ even when t/ was ignored, and then changed the behavior to stop showing untracked files under an ignored directory. More importantly, this commit considered keeping this behavior but noted that it would be inconsistent with the behavior when multiple pathspecs were specified and thus rejected it. The reason for this whole inconsistency when one pathspec is specified versus zero or two is because common prefixes of pathspecs are sent through a different set of checks (in treat_leading_path()) than normal file/directory traversal (those go through read_directory_recursive() and treat_path()). As such, for consistency, one needs to check that both codepaths produce the same result. Revert commit be8a84c, except instead of removing the testcase it added, modify it to check for correct and consistent behavior. A subsequent patch in this series will fix the testcase. Signed-off-by: Elijah Newren <newren@gmail.com>
Signed-off-by: Elijah Newren <newren@gmail.com>
The DO_MATCH_LEADING_PATHSPEC had a fall-through case for if there was a wildcard, noting that we don't yet have enough information to determine if further paths under the current directory might match due to the presence of wildcards. But if we have no wildcards in our pathspec, then we shouldn't get to that fall-through case. Signed-off-by: Elijah Newren <newren@gmail.com>
Create an add_path_to_appropriate_result_list() function from the code at the end of read_directory_recursive() so we can use it elsewhere. Signed-off-by: Elijah Newren <newren@gmail.com>
Just a heads up: Assuming this line was supposed to trigger that list of addresses to be cc'd, I didn't receive the series despite being included above. Looking at the message in public-inbox, it seems like none of the addresses are included aside from Junio's.

I think the reason is that the comparison is case-sensitive (

I didn't touch upload-pack or fetch; looks like some spurious error to me, so I'm going to go ahead and submit.

/submit

Submitted as pull.676.v2.git.git.1576008027.gitgitgadget@gmail.com WARNING: newren has no public email address set on GitHub

Yes, t5516 is still flaky on macOS. Actually, it seems that there is a very real bug in there that triggers (rarely) on macOS and @szeder is on it.

This patch series was integrated into pu via 4d4d289. |
|
This branch is now known as |
|
This patch series was integrated into pu via 5b3c597. |
@@ -373,12 +373,19 @@ static int match_pathspec_item(const struct index_state *istate,
!ps_strncmp(item, match, name, namelen))
On the Git mailing list, Johannes Schindelin wrote (reply to this):
Hi Elijah,
I have not had time to dive deeply into this, but I know that it _does_
cause a ton of segmentation faults in the `shears/pu` branch (where all of
Git for Windows' patches are rebased on top of `pu`):
On Tue, 10 Dec 2019, Elijah Newren via GitGitGadget wrote:
> diff --git a/dir.c b/dir.c
> index 645b44ea64..9c71a9ac21 100644
> --- a/dir.c
> +++ b/dir.c
> @@ -2102,37 +2102,69 @@ static int treat_leading_path(struct dir_struct *dir,
> const struct pathspec *pathspec)
> {
> struct strbuf sb = STRBUF_INIT;
> - int baselen, rc = 0;
> + int prevlen, baselen;
> const char *cp;
> + struct cached_dir cdir;
> + struct dirent de;
> + enum path_treatment state = path_none;
> +
> + /*
> + * For each directory component of path, we are going to check whether
> + * that path is relevant given the pathspec. For example, if path is
> + * foo/bar/baz/
> + * then we will ask treat_path() whether we should go into foo, then
> + * whether we should go into bar, then whether baz is relevant.
> + * Checking each is important because e.g. if path is
> + * .git/info/
> + * then we need to check .git to know we shouldn't traverse it.
> + * If the return from treat_path() is:
> + * * path_none, for any path, we return false.
> + * * path_recurse, for all path components, we return true
> + * * <anything else> for some intermediate component, we make sure
> + * to add that path to the relevant list but return false
> + * signifying that we shouldn't recurse into it.
> + */
>
> while (len && path[len - 1] == '/')
> len--;
> if (!len)
> return 1;
> +
> + memset(&cdir, 0, sizeof(cdir));
> + memset(&de, 0, sizeof(de));
> + cdir.de = &de;
> + de.d_type = DT_DIR;
So here, `de` is zeroed out, and therefore `de.d_name` is `NULL`.
> baselen = 0;
> + prevlen = 0;
> while (1) {
> - cp = path + baselen + !!baselen;
> + prevlen = baselen + !!baselen;
> + cp = path + prevlen;
> cp = memchr(cp, '/', path + len - cp);
> if (!cp)
> baselen = len;
> else
> baselen = cp - path;
> - strbuf_setlen(&sb, 0);
> + strbuf_reset(&sb);
> strbuf_add(&sb, path, baselen);
> if (!is_directory(sb.buf))
> break;
> - if (simplify_away(sb.buf, sb.len, pathspec))
> - break;
> - if (treat_one_path(dir, NULL, istate, &sb, baselen, pathspec,
> - DT_DIR, NULL) == path_none)
> + strbuf_reset(&sb);
> + strbuf_add(&sb, path, prevlen);
> + memcpy(de.d_name, path+prevlen, baselen-prevlen);
But here we try to copy a path into that `de.d_name`, which is still
`NULL`?
That can't be right, can it?
Thanks for your help,
Dscho
> + de.d_name[baselen-prevlen] = '\0';
> + state = treat_path(dir, NULL, &cdir, istate, &sb, prevlen,
> + pathspec);
> + if (state != path_recurse)
> break; /* do not recurse into it */
> - if (len <= baselen) {
> - rc = 1;
> + if (len <= baselen)
> break; /* finished checking */
> - }
> }
> + add_path_to_appropriate_result_list(dir, NULL, &cdir, istate,
> + &sb, baselen, pathspec,
> + state);
> +
> strbuf_release(&sb);
> - return rc;
> + return state == path_recurse;
> }
>
> static const char *get_ident_string(void)
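Review bot: `memcpy(de.d_name, path+prevlen, baselen-prevlen)` writes into a `struct dirent` that this function builds on its own stack, and nothing checks that `baselen-prevlen` fits in `d_name`. The size and layout of `struct dirent` are implementation-defined (POSIX only promises a `d_name[]` member; glibc happens to use 256 bytes, and a compat header may define `d_name` as a pointer), so a long path component overflows the member, and a pointer-shaped `d_name` left at zero by the `memset` is written through. Either bound the copy against `sizeof(de.d_name)` and break out of the loop (falling back to the unoptimized traversal) when the component does not fit, or carry the component in a type this file owns (a strbuf plus a `d_type`-like flag) instead of a hand-built dirent. Separately, when `!is_directory(sb.buf)` breaks out before `treat_path()` runs, `state` is still `path_none` and `add_path_to_appropriate_result_list()` is called anyway; confirm that is a no-op for `path_none` or guard the call.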
> diff --git a/t/t3011-common-prefixes-and-directory-traversal.sh b/t/t3011-common-prefixes-and-directory-traversal.sh
> index d6e161ddd8..098fddc75b 100755
> --- a/t/t3011-common-prefixes-and-directory-traversal.sh
> +++ b/t/t3011-common-prefixes-and-directory-traversal.sh
> @@ -74,7 +74,7 @@ test_expect_success 'git ls-files -o --directory untracked_dir does not recurse'
> test_cmp expect actual
> '
>
> -test_expect_failure 'git ls-files -o --directory untracked_dir/ does not recurse' '
> +test_expect_success 'git ls-files -o --directory untracked_dir/ does not recurse' '
> echo untracked_dir/ >expect &&
> git ls-files -o --directory untracked_dir/ >actual &&
> test_cmp expect actual
> @@ -86,7 +86,7 @@ test_expect_success 'git ls-files -o untracked_repo does not recurse' '
> test_cmp expect actual
> '
>
> -test_expect_failure 'git ls-files -o untracked_repo/ does not recurse' '
> +test_expect_success 'git ls-files -o untracked_repo/ does not recurse' '
> echo untracked_repo/ >expect &&
> git ls-files -o untracked_repo/ >actual &&
> test_cmp expect actual
> @@ -133,7 +133,7 @@ test_expect_success 'git ls-files -o .git shows nothing' '
> test_must_be_empty actual
> '
>
> -test_expect_failure 'git ls-files -o .git/ shows nothing' '
> +test_expect_success 'git ls-files -o .git/ shows nothing' '
> git ls-files -o .git/ >actual &&
> test_must_be_empty actual
> '
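Review bot: the new comment in `treat_leading_path()` uses `.git/info/` as the motivating case for checking every leading component, but the flipped tests only cover `.git/` itself; adding a `git ls-files -o .git/info/ shows nothing` case next to this one would exercise the intermediate-component check the comment describes, which is the path the earlier `simplify_away()`/`treat_one_path()` code did not take.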
> --
> gitgitgadget
>
>
>
On the Git mailing list, Elijah Newren wrote (reply to this):
On Sun, Dec 15, 2019 at 2:29 AM Johannes Schindelin
<Johannes.Schindelin@gmx.de> wrote:
>
> Hi Elijah,
>
> I have not had time to dive deeply into this, but I know that it _does_
> cause a ton of segmentation faults in the `shears/pu` branch (where all of
> Git for Windows' patches are rebased on top of `pu`):
Weird. If it's going to cause segmentation faults at all, it would
certainly do it all over the place, but I tested the patches on the
major platforms using your Azure Pipelines setup on git.git so it
should be good on all the platforms. Did your shears/pu branch make
some other changes to the setup?
> On Tue, 10 Dec 2019, Elijah Newren via GitGitGadget wrote:
>
> > diff --git a/dir.c b/dir.c
> > index 645b44ea64..9c71a9ac21 100644
> > --- a/dir.c
> > +++ b/dir.c
> > @@ -2102,37 +2102,69 @@ static int treat_leading_path(struct dir_struct *dir,
> > const struct pathspec *pathspec)
> > {
> > struct strbuf sb = STRBUF_INIT;
> > - int baselen, rc = 0;
> > + int prevlen, baselen;
> > const char *cp;
> > + struct cached_dir cdir;
> > + struct dirent de;
> > + enum path_treatment state = path_none;
> > +
> > + /*
> > + * For each directory component of path, we are going to check whether
> > + * that path is relevant given the pathspec. For example, if path is
> > + * foo/bar/baz/
> > + * then we will ask treat_path() whether we should go into foo, then
> > + * whether we should go into bar, then whether baz is relevant.
> > + * Checking each is important because e.g. if path is
> > + * .git/info/
> > + * then we need to check .git to know we shouldn't traverse it.
> > + * If the return from treat_path() is:
> > + * * path_none, for any path, we return false.
> > + * * path_recurse, for all path components, we return true
> > + * * <anything else> for some intermediate component, we make sure
> > + * to add that path to the relevant list but return false
> > + * signifying that we shouldn't recurse into it.
> > + */
> >
> > while (len && path[len - 1] == '/')
> > len--;
> > if (!len)
> > return 1;
> > +
> > + memset(&cdir, 0, sizeof(cdir));
> > + memset(&de, 0, sizeof(de));
> > + cdir.de = &de;
> > + de.d_type = DT_DIR;
>
> So here, `de` is zeroed out, and therefore `de.d_name` is `NULL`.
Um, yeah...didn't I have an allocation of de.d_name here? It will
always have a subset of path copied into it, so an allocation of len+1
is plenty long enough.
> > baselen = 0;
> > + prevlen = 0;
> > while (1) {
> > - cp = path + baselen + !!baselen;
> > + prevlen = baselen + !!baselen;
> > + cp = path + prevlen;
> > cp = memchr(cp, '/', path + len - cp);
> > if (!cp)
> > baselen = len;
> > else
> > baselen = cp - path;
> > - strbuf_setlen(&sb, 0);
> > + strbuf_reset(&sb);
> > strbuf_add(&sb, path, baselen);
> > if (!is_directory(sb.buf))
> > break;
> > - if (simplify_away(sb.buf, sb.len, pathspec))
> > - break;
> > - if (treat_one_path(dir, NULL, istate, &sb, baselen, pathspec,
> > - DT_DIR, NULL) == path_none)
> > + strbuf_reset(&sb);
> > + strbuf_add(&sb, path, prevlen);
> > + memcpy(de.d_name, path+prevlen, baselen-prevlen);
>
> But here we try to copy a path into that `de.d_name`, which is still
> `NULL`?
>
> That can't be right, can it?
Yes, it can't be right. How did this possibly pass on any platform
let alone all of them?
(https://dev.azure.com/git/git/_build/results?buildId=1462&view=results).
This is absolutely an important codepath that is hit; otherwise it
couldn't fix the three tests from failure to success. Further, the
subsequent patch added code within this if-block after this memcpy and
fixed a few tests from failures to success. So it had to hit this
code path as well. How could it not have segfaulted? I'm very
confused...
On the Git mailing list, Elijah Newren wrote (reply to this):
On Mon, Dec 16, 2019 at 5:51 AM Elijah Newren <newren@gmail.com> wrote:
>
> On Sun, Dec 15, 2019 at 2:29 AM Johannes Schindelin
> <Johannes.Schindelin@gmx.de> wrote:
> >
> > Hi Elijah,
> >
> > I have not had time to dive deeply into this, but I know that it _does_
> > cause a ton of segmentation faults in the `shears/pu` branch (where all of
> > Git for Windows' patches are rebased on top of `pu`):
>
> Weird. If it's going to cause segmentation faults at all, it would
> certainly do it all over the place, but I tested the patches on the
> major platforms using your Azure Pipelines setup on git.git so it
> should be good on all the platforms. Did your shears/pu branch make
> some other changes to the setup?
>
> > On Tue, 10 Dec 2019, Elijah Newren via GitGitGadget wrote:
> >
> > > diff --git a/dir.c b/dir.c
> > > index 645b44ea64..9c71a9ac21 100644
> > > --- a/dir.c
> > > +++ b/dir.c
> > > @@ -2102,37 +2102,69 @@ static int treat_leading_path(struct dir_struct *dir,
> > > const struct pathspec *pathspec)
> > > {
> > > struct strbuf sb = STRBUF_INIT;
> > > - int baselen, rc = 0;
> > > + int prevlen, baselen;
> > > const char *cp;
> > > + struct cached_dir cdir;
> > > + struct dirent de;
> > > + enum path_treatment state = path_none;
> > > +
> > > + /*
> > > + * For each directory component of path, we are going to check whether
> > > + * that path is relevant given the pathspec. For example, if path is
> > > + * foo/bar/baz/
> > > + * then we will ask treat_path() whether we should go into foo, then
> > > + * whether we should go into bar, then whether baz is relevant.
> > > + * Checking each is important because e.g. if path is
> > > + * .git/info/
> > > + * then we need to check .git to know we shouldn't traverse it.
> > > + * If the return from treat_path() is:
> > > + * * path_none, for any path, we return false.
> > > + * * path_recurse, for all path components, we return true
> > > + * * <anything else> for some intermediate component, we make sure
> > > + * to add that path to the relevant list but return false
> > > + * signifying that we shouldn't recurse into it.
> > > + */
> > >
> > > while (len && path[len - 1] == '/')
> > > len--;
> > > if (!len)
> > > return 1;
> > > +
> > > + memset(&cdir, 0, sizeof(cdir));
> > > + memset(&de, 0, sizeof(de));
> > > + cdir.de = &de;
> > > + de.d_type = DT_DIR;
> >
> > So here, `de` is zeroed out, and therefore `de.d_name` is `NULL`.
>
> Um, yeah...didn't I have an allocation of de.d_name here? It will
> always have a subset of path copied into it, so an allocation of len+1
> is plenty long enough.
Actually, it looks like I looked up the definition of dirent
previously and forgot by the time you emailed. On linux, from
/usr/include/bits/dirent.h:
    struct dirent
    {
        ....
        unsigned char d_type;
        char d_name[256];           /* We must not include limits.h! */
    };
and compat/win32/dirent.h defines it as:
    struct dirent {
        unsigned char d_type;       /* file type to prevent lstat after
                                       readdir */
        char d_name[MAX_PATH * 3];  /* file name (* 3 for UTF-8 conversion) */
    };
and 'man dirent' on Mac OS X says it's defined as:
    struct dirent {
        ...
        _uint8_t d_type;
        _uint8_t d_namlen;          /* length of string in d_name */
        char d_name[255+1];         /* name must be no longer than this */
    }
so, allocating it would be incorrect and my memset would just fill
d_name with nul characters.
But the raises the question...what kind of segfaults are you getting?
Can you link to any builds or post any stack traces? Can I duplicate
with some copy of git-for-windows on linux?
On the Git mailing list, Junio C Hamano wrote (reply to this):
Elijah Newren <newren@gmail.com> writes:
>> > > + memset(&cdir, 0, sizeof(cdir));
>> > > + memset(&de, 0, sizeof(de));
>> > > + cdir.de = &de;
>> > > + de.d_type = DT_DIR;
>> >
>> > So here, `de` is zeroed out, and therefore `de.d_name` is `NULL`.
>>
>> Um, yeah...didn't I have an allocation of de.d_name here? It will
>> always have a subset of path copied into it, so an allocation of len+1
>> is plenty long enough.
>
> Actually, it looks like I looked up the definition of dirent
> previously and forgot by the time you emailed. On linux, from
> /usr/include/bits/dirent.h:
>
> struct dirent
> {
> ....
> unsigned char d_type;
> char d_name[256]; /* We must not include limits.h! */
> };
>
> ...
Uh, oh. The size of "struct dirent" is unspecified and it is asking
for trouble to allocate one yourself (iow, treat it pretty much as
something you can only get a pointer to an instance from readdir()).
For example, a dirent that comes back readdir() may have a lot
longer name than the sizeof(.d_name[]) above may imply.
Do you really need to manufacture a dirent yourself, or can you use
a more concrete type you invent yourself?
On the Git mailing list, Elijah Newren wrote (reply to this):
On Mon, Dec 16, 2019 at 10:13 AM Junio C Hamano <gitster@pobox.com> wrote:
>
> Elijah Newren <newren@gmail.com> writes:
>
> >> > > + memset(&cdir, 0, sizeof(cdir));
> >> > > + memset(&de, 0, sizeof(de));
> >> > > + cdir.de = &de;
> >> > > + de.d_type = DT_DIR;
> >> >
> >> > So here, `de` is zeroed out, and therefore `de.d_name` is `NULL`.
> >>
> >> Um, yeah...didn't I have an allocation of de.d_name here? It will
> >> always have a subset of path copied into it, so an allocation of len+1
> >> is plenty long enough.
> >
> > Actually, it looks like I looked up the definition of dirent
> > previously and forgot by the time you emailed. On linux, from
> > /usr/include/bits/dirent.h:
> >
> > struct dirent
> > {
> > ....
> > unsigned char d_type;
> > char d_name[256]; /* We must not include limits.h! */
> > };
> >
> > ...
>
> Uh, oh. The size of "struct dirent" is unspecified and it is asking
> for trouble to allocate one yourself (iow, treat it pretty much as
> something you can only get a pointer to an instance from readdir()).
> For example, a dirent that comes back readdir() may have a lot
> longer name than the sizeof(.d_name[]) above may imply.
>
> Do you really need to manufacture a dirent yourself, or can you use
> a more concrete type you invent yourself?
I need to manufacture a dirent myself; short of that, the most likely
alternative is to drop patches 2 & 5-8 of this series and throw my
hands in the air and give up. That probably deserves an
explanation...
Years ago someone noticed that if a user ran "git ls-files -o
foo/bar/one foo/bar/two", that we could try to optimize by noticing
that we won't be interested in anything until we get to foo/bar/. So,
they tried to short-circuit the read_directory_recursive() and
readdir() calls, but couldn't reuse the same treat_path() logic to
check that we should even go into foo/bar/ at all. So there was some
copy & paste from treat_path() into a new treat_leading_path()...and
that both missed some important parts and the logic further diverged
over time.
This patch was about categorizing the suite of bugs that arose from
not using treat_path() for checks from both codepaths, and tried to
correct those problems. treat_path() takes a dirent, and several of
the functions it calls all take a dirent. It'd be an awful lot of
work to rip it out. So I manufactured a dirent myself so that we
could use the same codepaths and not only fix all these bugs but
prevent future ones as well. If we can't manufacture a dirent, then
unless someone else has some bright ideas about something clever we
can do, then I think this problem blows up in complexity to a level
where I don't think it's worth addressing.
I almost ripped the optimization out altogether (just how much do we
really save by not looking into the leading two directories?), except
that unpack_trees() calls into the same code with a leading path and I
didn't want to mess with that.
Any bright ideas about what to do here?
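An added example, not Git's code and not the patch under review, of the "more concrete type you invent yourself" that Junio asks for, applied to the leading-path component walk Elijah describes above. It carries each path component in a struct the caller owns (`struct leading_component`, with an assumed `LEADING_NAME_MAX` of 255) instead of a hand-built `struct dirent`, and the copy into it is bounds-checked so an over-long component is reported rather than written past the end. `walk_leading_path()` mirrors the prevlen/baselen loop: trailing slashes are stripped, each component is handed to a caller-supplied `should_recurse` policy (here a hypothetical "never descend into `.git`" rule standing in for `treat_path()`), and the walk stops at the first component that must not be entered.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Example code (not from dir.c). The layout of `struct dirent` is
 * implementation-defined, so instead of fabricating one we carry the
 * component in a type we control. LEADING_NAME_MAX is an assumed limit
 * for this example; a longer component is an error, never an overflow.
 */
#define LEADING_NAME_MAX 255

struct leading_component {
	unsigned char is_dir;            /* stands in for d_type == DT_DIR */
	size_t len;                      /* bytes in name, excluding NUL */
	char name[LEADING_NAME_MAX + 1];
};

/* Copy path[prevlen..baselen) into c->name; -1 if it would not fit. */
static int set_component(struct leading_component *c, const char *path,
			 size_t prevlen, size_t baselen)
{
	size_t n = baselen - prevlen;

	if (baselen < prevlen || n > LEADING_NAME_MAX)
		return -1;
	memcpy(c->name, path + prevlen, n);
	c->name[n] = '\0';
	c->len = n;
	c->is_dir = 1;
	return 0;
}

/*
 * Walk the directory components of `path` the way a leading-path check
 * does: strip trailing slashes, then for each component ask
 * `should_recurse` whether to go deeper. Returns 1 if every component
 * was recursable, 0 if some component stopped the walk, -1 if a
 * component is too long. `out` holds the last component examined.
 */
static int walk_leading_path(const char *path, size_t len,
			     int (*should_recurse)(const struct leading_component *),
			     struct leading_component *out)
{
	size_t prevlen = 0, baselen = 0;
	const char *cp;

	while (len && path[len - 1] == '/')
		len--;
	if (!len)
		return 1;

	while (1) {
		prevlen = baselen + !!baselen;   /* skip the '/' we stopped at */
		cp = memchr(path + prevlen, '/', len - prevlen);
		baselen = cp ? (size_t)(cp - path) : len;
		if (set_component(out, path, prevlen, baselen) < 0)
			return -1;               /* over-long component: refuse */
		if (!should_recurse(out))
			return 0;                /* do not recurse into it */
		if (len <= baselen)
			return 1;                /* finished checking */
	}
}

/* Hypothetical policy standing in for treat_path(): never enter ".git". */
static int not_dot_git(const struct leading_component *c)
{
	return strcmp(c->name, ".git") != 0;
}

int main(void)
{
	struct leading_component c;
	int rc;

	rc = walk_leading_path("foo/bar/baz/", 12, not_dot_git, &c);
	printf("foo/bar/baz/ -> %d (last component %s)\n", rc, c.name);
	rc = walk_leading_path(".git/info/", 10, not_dot_git, &c);
	printf(".git/info/   -> %d (stopped at %s)\n", rc, c.name);
	return 0;
}
```

The point of `set_component()` is that the length check happens before the `memcpy`, and the caller sees `-1` instead of a silently corrupted struct; a real caller would fall back to the unoptimized traversal in that case rather than giving up on the path.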
On the Git mailing list, Johannes Schindelin wrote (reply to this):
Hi Junio,
On Mon, 16 Dec 2019, Junio C Hamano wrote:
> Johannes Schindelin <Johannes.Schindelin@gmx.de> writes:
>
> > If you care to look at our very own `compat/win32/dirent.h`, you will see
> > this:
> >
> > struct dirent {
> > unsigned char d_type; /* file type to prevent lstat after readdir */
> > char *d_name; /* file name */
> > };
> >
> > And looking at
> > https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/dirent.h.html, I
> > do not see any guarantee of that `[256]` at all:
> >
> > The <dirent.h> header shall [...] define the structure dirent which shall
> > include the following members:
> >
> > [XSI][Option Start]
> > ino_t d_ino File serial number.
> > [Option End]
> > char d_name[] Filename string of entry.
> >
> > You will notice that not even `d_type` is guaranteed.
>
> I am reasonably sure that the code (without Elijah's patches anyway)
> takes the possibility of missing d_type into account already.
>
> Doesn't the above mean d_name[] has to be an in-place array of some
> size (i.e. even a flex-array is OK)? It does not look to me that it
> allows for it to be a pointer pointing at elsewhere (possibly on
> heap), which may be asking for trouble.
You are right, of course.
I also was not _quite_ spot on, as I had looked at Git for Windows'
`shears/pu` branch, not at the `pu` branch. Alas, we have patches in Git
for Windows that allow for switching to a faster, caching way to access
the stat() and readdir() data (it is called the "FSCache" and it is
responsible for some rather dramatic speed-ups). And these patches change
`struct dirent` to the form that is quoted above, to allow switching back
and forth between two _different_ backends, storing the actual `d_name`
not in `struct dirent` but in `DIR`.
Is this compliant with POSIX? I guess not. Does it work? Yes, it does.
I can't know for sure that it makes a dent, but FSCache is designed for
speed, and it actually does not even store the `d_name` in the `DIR`, but
directly in the cache structure, avoiding copying at all.
In short: if we can allow FSCache to keep operating that way (i.e. keep
`d_name` as a pointer), then that would be helpful to keep the performance
on Windows somewhat within acceptable boundaries.
Ciao,
Dscho
On the Git mailing list, Johannes Schindelin wrote (reply to this):
Hi Elijah,
On Mon, 16 Dec 2019, Elijah Newren wrote:
> On Mon, Dec 16, 2019 at 4:04 PM Johannes Schindelin
> <Johannes.Schindelin@gmx.de> wrote:
> > On Mon, 16 Dec 2019, Elijah Newren wrote:
> > > On Mon, Dec 16, 2019 at 5:51 AM Elijah Newren <newren@gmail.com> wrote:
> > > >
> > > > On Sun, Dec 15, 2019 at 2:29 AM Johannes Schindelin
> > > > <Johannes.Schindelin@gmx.de> wrote:
> > > > >
> > > > > Hi Elijah,
> > > > >
> > > > > I have not had time to dive deeply into this, but I know that it _does_
> > > > > cause a ton of segmentation faults in the `shears/pu` branch (where all of
> > > > > Git for Windows' patches are rebased on top of `pu`):
> > > >
> > > > Weird. If it's going to cause segmentation faults at all, it would
> > > > certainly do it all over the place, but I tested the patches on the
> > > > major platforms using your Azure Pipelines setup on git.git so it
> > > > should be good on all the platforms. Did your shears/pu branch make
> > > > some other changes to the setup?
> >
> > Not really.
> >
> > >
> > > Actually, it looks like I looked up the definition of dirent
> > > previously and forgot by the time you emailed. On linux, from
> > > /usr/include/bits/dirent.h:
> ...
> > > and from compat/win32/dirent.h defines it as:
> > >
> > > struct dirent {
> > > unsigned char d_type; /* file type to prevent lstat after
> > > readdir */
> > > char d_name[MAX_PATH * 3]; /* file name (* 3 for UTF-8 conversion) */
> > > };
> ...
> >
> > If you care to look at our very own `compat/win32/dirent.h`, you will see
> > this:
>
> Interesting, we both brought up compat/win32/dirent.h and quoted from
> it in our emails...
>
> > struct dirent {
> > unsigned char d_type; /* file type to prevent lstat after readdir */
> > char *d_name; /* file name */
> > };
>
> ...but the contents were different? Looks like git-for-windows forked
> compat/win32/dirent.h, possibly in a way that violates POSIX as
> pointed out by Junio.
Yep, I messed that up, sorry.
> Any reason those changes weren't sent back upstream, by chance? Feels
> odd having a compat/win32/ directory that our downstream windows users
> aren't actually using. It also means the testing I'm getting from
> gitgitgadget and your Azure setup (which all is really, really nice by
> the way), is far less reassuring and helpful than I hoped.
Yes. I was ready to submit the FSCache feature to the Git mailing list for
review some 2.5 years ago when along came Ben Peart, finding ways to speed
up FSCache even further. That is the reason why I held off, and I still
have to condense the patches (which currently form a topology of 17 patch
series!!!) into a nice small patch series that does not reflect the
meandering history of the FSCache history, but instead presents one neat
story.
> > And looking at
> > https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/dirent.h.html, I
> > do not see any guarantee of that `[256]` at all:
> >
> > The <dirent.h> header shall [...] define the structure dirent which shall
> > include the following members:
> >
> > [XSI][Option Start]
> > ino_t d_ino File serial number.
> > [Option End]
> > char d_name[] Filename string of entry.
> >
> > You will notice that not even `d_type` is guaranteed.
>
> Doh, yeah, I messed that up too.
>
> Anyway, as I mentioned to Junio, I'll resubmit after gutting the
> series. I'll still include a fix for the issue that a real world user
> reported, but all the other ancillary bugs I found that have been
> around for over a decade aren't important enough to merit a major
> refactor, IMO.
Hmm. I am really sorry that I nudged you to go down this route. Quite
honestly, I'd rather add an ugly work-around that is Windows-only just so
that you can fix those ancillary bugs.
I might even go so far as to adjust the FSCache's internal data structure
to _store_ `struct dirent` items, then the fast `readdir()` implementation
could be even faster by just pointing at those items.
What do you think? Can we strike a deal to keep those bug fixes?
Ciao,
Dscho
On the Git mailing list, Elijah Newren wrote (reply to this):
Hi Dscho,
On Tue, Dec 17, 2019 at 3:16 AM Johannes Schindelin
<Johannes.Schindelin@gmx.de> wrote:
>
> Hi Elijah,
>
> On Mon, 16 Dec 2019, Elijah Newren wrote:
>
> > On Mon, Dec 16, 2019 at 4:04 PM Johannes Schindelin
> > <Johannes.Schindelin@gmx.de> wrote:
> > > On Mon, 16 Dec 2019, Elijah Newren wrote:
> > > > On Mon, Dec 16, 2019 at 5:51 AM Elijah Newren <newren@gmail.com> wrote:
> > > > >
> > > > > On Sun, Dec 15, 2019 at 2:29 AM Johannes Schindelin
> > > > > <Johannes.Schindelin@gmx.de> wrote:
> > > > > >
> > > > > > Hi Elijah,
> > > > > >
> > > > > > I have not had time to dive deeply into this, but I know that it _does_
> > > > > > cause a ton of segmentation faults in the `shears/pu` branch (where all of
> > > > > > Git for Windows' patches are rebased on top of `pu`):
> > > > >
> > > > > Weird. If it's going to cause segmentation faults at all, it would
> > > > > certainly do it all over the place, but I tested the patches on the
> > > > > major platforms using your Azure Pipelines setup on git.git so it
> > > > > should be good on all the platforms. Did your shears/pu branch make
> > > > > some other changes to the setup?
> > >
> > > Not really.
> > >
> > > >
> > > > Actually, it looks like I looked up the definition of dirent
> > > > previously and forgot by the time you emailed. On linux, from
> > > > /usr/include/bits/dirent.h:
> > ...
> > > > and from compat/win32/dirent.h defines it as:
> > > >
> > > > struct dirent {
> > > > unsigned char d_type; /* file type to prevent lstat after
> > > > readdir */
> > > > char d_name[MAX_PATH * 3]; /* file name (* 3 for UTF-8 conversion) */
> > > > };
> > ...
> > >
> > > If you care to look at our very own `compat/win32/dirent.h`, you will see
> > > this:
> >
> > Interesting, we both brought up compat/win32/dirent.h and quoted from
> > it in our emails...
> >
> > > struct dirent {
> > > unsigned char d_type; /* file type to prevent lstat after readdir */
> > > char *d_name; /* file name */
> > > };
> >
> > ...but the contents were different? Looks like git-for-windows forked
> > compat/win32/dirent.h, possibly in a way that violates POSIX as
> > pointed out by Junio.
>
> Yep, I messed that up, sorry.
>
> > Any reason those changes weren't sent back upstream, by chance? Feels
> > odd having a compat/win32/ directory that our downstream windows users
> > aren't actually using. It also means the testing I'm getting from
> > gitgitgadget and your Azure setup (which all is really, really nice by
> > the way), is far less reassuring and helpful than I hoped.
>
> Yes. I was ready to submit the FSCache feature to the Git mailing list for
> review some 2.5 years ago when along came Ben Peart, finding ways to speed
> up FSCache even further. That is the reason why I held off, and I still
> have to condense the patches (which currently form a topology of 17 patch
> series!!!) into a nice small patch series that does not reflect the
> meandering history of the FSCache history, but instead presents one neat
> story.
>
> > > And looking at
> > > https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/dirent.h.html, I
> > > do not see any guarantee of that `[256]` at all:
> > >
> > > The <dirent.h> header shall [...] define the structure dirent which shall
> > > include the following members:
> > >
> > > [XSI][Option Start]
> > > ino_t d_ino File serial number.
> > > [Option End]
> > > char d_name[] Filename string of entry.
> > >
> > > You will notice that not even `d_type` is guaranteed.
> >
> > Doh, yeah, I messed that up too.
> >
> > Anyway, as I mentioned to Junio, I'll resubmit after gutting the
> > series. I'll still include a fix for the issue that a real world user
> > reported, but all the other ancillary bugs I found that have been
> > around for over a decade aren't important enough to merit a major
> > refactor, IMO.
>
> Hmm. I am really sorry that I nudged you to go down this route. Quite
> honestly, I'd rather add an ugly work-around that is Windows-only just so
> that you can fix those ancillary bugs.
You brought up issues; that's what you're supposed to do. You
shouldn't feel bad about that. Besides, the d_type one is real, and
means the patches at least need a
#if defined(DT_UNKNOWN) && !defined(NO_D_TYPE_IN_DIRENT)
surrounding my explicit setting of d_type. The problem wasn't what
you brought up or how you brought it up, it's massive fatigue on my
end from dir.c, from before even submitting this series[*]. I'm not
giving up on these changes or trying to discourage anyone else from
picking them up and extending them, I just don't want to touch them
right now and would rather put them on the shelf for a while.
Elijah
[*] If you're really curious...I got involved in dir.c because of a
simple bug report nearly two years ago[1], and found myself working on
a foundation that was error-prone by design[2], with ambiguous or even
wrong documentation[3] about not just what the code does but the
intent. Further, it was a place where not only is the correct fix
unclear, and not only is the "right" behavior unclear, but the cases
in question affect so few people that pinging the list periodically
over more than a year can't generate enough interest for anyone else
to hazard a guess as to what "correct" behavior is[4]. Stack on that
the fact that every time I touch this area, I think I'm really close
to having a fix, only to find I never, ever am. There's always
one-more-thing before I can finally get back to something I really
wanted to work on instead. Speaking of which, I've only managed to
work on my new merge strategy like once every 3-6 months for a small
amount of time each time. Yes, part of that's my fault with
git-filter-repo (another case of perpetually thinking I'm close to
done), rebase changes, and whatnot. But this series arose right when
I had my calendar nearly cleared so that I could work on the merge
strategy again (and of course the rebase bug report came in about the
same time too). But at least git-filter-repo and rebase are generally
useful; dir.c at most generates "meh, this seems annoying" reports.
And I've already fixed all of those, the remaining fixes are stuff
that it appears I'm the only one to have reported, and I only reported
it because I was digging into the other "meh, seems annoying" reports.
I'm usually happy when I have a patch series ready to submit to git;
it means I think I'll make things better for others. I didn't feel
that way with this series; I kind of wanted to just drop it entirely
and not even turn it in. But I figured I should to at least document
my findings, so I pushed myself to submit and hoped no one would
respond. Then this issue arose and when I mentioned in my
possibilities of fixing it that ripping the usage of dirent out would
be a lot of work and would probably cause me to give up and asked for
ideas, Junio responded that we should rip out dirent. I think he's
right, and it's important that he defend code quality and point out the
right way to do things, it's just that I want out of this rabbit hole
right now.
[1] https://lore.kernel.org/git/20180405173446.32372-1-newren@gmail.com/
[2] https://lore.kernel.org/git/xmqqefjp6sko.fsf@gitster-ct.c.googlers.com/
[3] e.g. https://lore.kernel.org/git/20190905154735.29784-10-newren@gmail.com/
[4] https://lore.kernel.org/git/20190905154735.29784-1-newren@gmail.com/
and links referenced therein
On the Git mailing list, Junio C Hamano wrote (reply to this):
Johannes Schindelin <Johannes.Schindelin@gmx.de> writes:
>> > [XSI][Option Start]
>> > ino_t d_ino File serial number.
>> > [Option End]
>> > char d_name[] Filename string of entry.
>> >
>> > You will notice that not even `d_type` is guaranteed.
>>
>> I am reasonably sure that the code (without Elijah's patches anyway)
>> takes the possibility of missing d_type into account already.
>>
>> Doesn't the above mean d_name[] has to be an in-place array of some
>> size (i.e. even a flex-array is OK)? It does not look to me that it
>> allows for it to be a pointer pointing at elsewhere (possibly on
>> heap), which may be asking for trouble.
>
> You are right, of course.
>
> ...
>
> Is this compliant with POSIX? I guess not. Does it work? Yes, it does.
I actually would not throw it into "it works" category. The obvious
implication is that a program like this:
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static struct dirent *fabricate(const char *name)
{
	/* over-allocate as we do not know how long the d_name[] is */
	struct dirent *ent = calloc(1, sizeof(*ent) + strlen(name) + 1);
	strcpy(ent->d_name, name);
	return ent;
}

static void show_name(const struct dirent *ent)
{
	printf("%s\n", ent->d_name);
}

int main(int ac, char **av)
{
	struct dirent *mine = fabricate("mine");
	show_name(mine);
	free(mine);
	return 0;
}
would be broken if you do not have d_name as an array.
I would not be surprised if the segfaults you saw with Elijah's
series all were caused by your d_name not being an array, and if
that is the case, I'd rather see it fixed on your end than fixes
withdrawn.
Thanks.
On the Git mailing list, Johannes Schindelin wrote (reply to this):
Hi Junio,
On Tue, 17 Dec 2019, Junio C Hamano wrote:
> Johannes Schindelin <Johannes.Schindelin@gmx.de> writes:
>
> >> > [XSI][Option Start]
> >> > ino_t d_ino File serial number.
> >> > [Option End]
> >> > char d_name[] Filename string of entry.
> >> >
> >> > You will notice that not even `d_type` is guaranteed.
> >>
> >> I am reasonably sure that the code (without Elijah's patches anyway)
> >> takes the possibility of missing d_type into account already.
> >>
> >> Doesn't the above mean d_name[] has to be an in-place array of some
> >> size (i.e. even a flex-array is OK)? It does not look to me that it
> >> allows for it to be a pointer pointing at elsewhere (possibly on
> >> heap), which may be asking for trouble.
> >
> > You are right, of course.
> >
> > ...
> >
> > Is this compliant with POSIX? I guess not. Does it work? Yes, it does.
>
> I actually would not throw it into "it works" category. The obvious
> implication is that a program like this:
>
> static struct dirent *fabricate(const char *name)
> {
> /* over-allocate as we do not know how long the d_name[] is */
> struct dirent *ent = calloc(1, sizeof(*ent) + strlen(name) + 1);
> strcpy(ent->d_name, name);
> return ent;
> }
>
> static void show_name(const struct dirent *ent)
> {
> printf("%s\n", ent->d_name);
> }
>
> int main(int ac, char **av)
> {
> struct dirent *mine = fabricate("mine");
> show_name(mine);
> free(mine);
> return 0;
> }
>
> would be broken if you do not have d_name as an array.
>
> I would not be surprised if the segfaults you saw with Elijah's
> series all were caused by your d_name not being an array, and if
> that is the case, I'd rather see it fixed on your end than fixes
> withdrawn.
I agree with this reasoning.
Ciao,
Dscho
It is all too easy to write `CC:` (i.e. write the second `c` in upper case) by mistake. This is not hypothetical, it happened, see e.g. git/git#676 (comment). Let's be lenient and allow for mixed case, upper case and lower case. In fact, just make the comparison case-insensitive.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
This patch series was integrated into pu via bcba8ec.

/submit

Submitted as pull.676.v3.git.git.1576571586.gitgitgadget@gmail.com WARNING: newren has no public email address set on GitHub

This patch series was integrated into pu via 6d5ded2.

The osx-gcc, osx-clang, and travis (the macos piece) all failed at installing perforce, which is unrelated to my change. I was able to run the tests separately on a different mac os system, and they passed, so I'm ignoring those failures.

/submit

Submitted as pull.676.v4.git.git.1576697386.gitgitgadget@gmail.com WARNING: newren has no public email address set on GitHub
| @@ -373,12 +373,19 @@ static int match_pathspec_item(const struct index_state *istate, | ||
| !ps_strncmp(item, match, name, namelen)) |
On the Git mailing list, Junio C Hamano wrote (reply to this):
"Elijah Newren via GitGitGadget" <gitgitgadget@gmail.com> writes:
> ...
> Fix most of these problems by making treat_leading_path() not only loop
> over each leading path component, but calling treat_path() directly on
> each. To do so, we have to create a synthetic dir_entry, but that only
> takes a few lines. Then, pay attention to the path_treatment result we
> get from treat_path() and don't treat path_excluded, path_untracked, and
> path_recurse all the same as path_recurse.
>
> This leaves one remaining problem, the new inconsistency from commit
> df5bcdf83ae. That will be addressed in a subsequent commit.
>
> Signed-off-by: Elijah Newren <newren@gmail.com>
> ---
> dir.c | 57 +++++++++++++++----
> ...common-prefixes-and-directory-traversal.sh | 6 +-
> 2 files changed, 49 insertions(+), 14 deletions(-)
>
> diff --git a/dir.c b/dir.c
> index 645b44ea64..1de5d7ad33 100644
> --- a/dir.c
> +++ b/dir.c
> @@ -2102,37 +2102,72 @@ static int treat_leading_path(struct dir_struct *dir,
> const struct pathspec *pathspec)
> {
> struct strbuf sb = STRBUF_INIT;
> - int baselen, rc = 0;
> + int prevlen, baselen;
> const char *cp;
> + struct cached_dir cdir;
> + struct dirent *de;
> + enum path_treatment state = path_none;
> +
> + /*
> + * For each directory component of path, we are going to check whether
> + * that path is relevant given the pathspec. For example, if path is
> + * foo/bar/baz/
> + * then we will ask treat_path() whether we should go into foo, then
> + * whether we should go into bar, then whether baz is relevant.
> + * Checking each is important because e.g. if path is
> + * .git/info/
> + * then we need to check .git to know we shouldn't traverse it.
> + * If the return from treat_path() is:
> + * * path_none, for any path, we return false.
> + * * path_recurse, for all path components, we return true
> + * * <anything else> for some intermediate component, we make sure
> + * to add that path to the relevant list but return false
> + * signifying that we shouldn't recurse into it.
> + */
>
> while (len && path[len - 1] == '/')
> len--;
> if (!len)
> return 1;
> +
> + de = xcalloc(1, sizeof(struct dirent)+len+1);
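Review bot: the allocation at `de = xcalloc(1, sizeof(struct dirent)+len+1)` is computed with a plain `+` on an `int` `len`; because `sizeof(struct dirent)` is a `size_t` the addition happens in `size_t`, so a wrapped result under-allocates silently, which is what the codebase's `st_add3()` helper exists to catch. Separately, the visible part of this hunk shows the early `return 1` before the allocation but not where `de` is released: each later exit from `treat_leading_path()` (the `break` paths and the final return) needs a matching `free(de)`, or the synthetic dirent leaks once per call.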
That "+len+1" may deserve a comment? If we wanted to shoot for the
minimum memory consumption (and we do not), we would probably
allocate
(sizeof(struct dirent) - sizeof(de->d_name)) +
max(sizeof(de->d_name), len + 1)
bytes, but unconditionally adding len+1 is simpler and easier to
understand. Either way, we *are* relying on the assumption that
either:
(1) the "struct dirent" would have d_name[] array at the end of the
struct, and by over-allocating, we can safely fit and carry a
name that is much longer than sizeof(.d_name[]); OR
(2) the "struct dirent" has d_name[] that is large enough to hold len+1
bytes, if the assumption (1) does not hold.
is true.
> + memset(&cdir, 0, sizeof(cdir));
> + cdir.de = de;
> +#if defined(DT_UNKNOWN) && !defined(NO_D_TYPE_IN_DIRENT)
> + de->d_type = DT_DIR;
> +#endif
> baselen = 0;
> + prevlen = 0;
> while (1) {
> - cp = path + baselen + !!baselen;
> + prevlen = baselen + !!baselen;
> + cp = path + prevlen;
> cp = memchr(cp, '/', path + len - cp);
> if (!cp)
> baselen = len;
> else
> baselen = cp - path;
> - strbuf_setlen(&sb, 0);
> + strbuf_reset(&sb);
> strbuf_add(&sb, path, baselen);
> if (!is_directory(sb.buf))
> break;
> - if (simplify_away(sb.buf, sb.len, pathspec))
> - break;
> - if (treat_one_path(dir, NULL, istate, &sb, baselen, pathspec,
> - DT_DIR, NULL) == path_none)
> + strbuf_reset(&sb);
> + strbuf_add(&sb, path, prevlen);
> + memcpy(de->d_name, path+prevlen, baselen-prevlen);
> + de->d_name[baselen-prevlen] = '\0';
> + state = treat_path(dir, NULL, &cdir, istate, &sb, prevlen,
> + pathspec);
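Review bot: `memcpy(de->d_name, path+prevlen, baselen-prevlen)` and the NUL store after it assume `d_name` is an array embedded at the end of `struct dirent`, as POSIX specifies; on a build whose dirent declares `char *d_name` (the Git for Windows compat header quoted earlier in this thread), `xcalloc()` leaves that pointer NULL and the copy writes through it. Either guard this with a compile-time check that `d_name` is an array, or carry the component name and dtype separately instead of manufacturing a dirent.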
So this is the crux of the fix---instead of doing a (poor) imitation
of what treat_path() does by calling simplify_away() and
treat_one_path() ourselves, we make a call to the real thing.
Looking good. Thanks.
On the Git mailing list, Elijah Newren wrote (reply to this):
On Wed, Dec 18, 2019 at 1:29 PM Junio C Hamano <gitster@pobox.com> wrote:
>
> "Elijah Newren via GitGitGadget" <gitgitgadget@gmail.com> writes:
>
...
> > while (len && path[len - 1] == '/')
> > len--;
> > if (!len)
> > return 1;
> > +
> > + de = xcalloc(1, sizeof(struct dirent)+len+1);
>
> That "+len+1" may deserve a comment?
Good point, I'll add one and send a re-roll.
> If we wanted to shoot for the
> minimum memory consumption (and we do not), we would probably
> allocate
>
> (sizeof(struct dirent) - sizeof(de->d_name)) +
> max(sizeof(de->d_name), len + 1)
>
> bytes, but unconditionally adding len+1 is simpler and easier to
> understand. Either way, we *are* relying on the assumption that
> either:
>
> (1) the "struct dirent" would have d_name[] array at the end of the
> struct, and by over-allocating, we can safely fit and carry a
> name that is much longer than sizeof(.d_name[]); OR
>
> (2) the "struct dirent" has d_name[] that is large enough to hold len+1
> bytes, if the assumption (1) does not hold.
>
> is true.
>
> > + memset(&cdir, 0, sizeof(cdir));
> > + cdir.de = de;
> > +#if defined(DT_UNKNOWN) && !defined(NO_D_TYPE_IN_DIRENT)
> > + de->d_type = DT_DIR;
> > +#endif
> > baselen = 0;
> > + prevlen = 0;
> > while (1) {
> > - cp = path + baselen + !!baselen;
> > + prevlen = baselen + !!baselen;
> > + cp = path + prevlen;
> > cp = memchr(cp, '/', path + len - cp);
> > if (!cp)
> > baselen = len;
> > else
> > baselen = cp - path;
> > - strbuf_setlen(&sb, 0);
> > + strbuf_reset(&sb);
> > strbuf_add(&sb, path, baselen);
> > if (!is_directory(sb.buf))
> > break;
>
>
>
> > - if (simplify_away(sb.buf, sb.len, pathspec))
> > - break;
> > - if (treat_one_path(dir, NULL, istate, &sb, baselen, pathspec,
> > - DT_DIR, NULL) == path_none)
> > + strbuf_reset(&sb);
> > + strbuf_add(&sb, path, prevlen);
> > + memcpy(de->d_name, path+prevlen, baselen-prevlen);
> > + de->d_name[baselen-prevlen] = '\0';
> > + state = treat_path(dir, NULL, &cdir, istate, &sb, prevlen,
> > + pathspec);
>
> So this is the crux of the fix---instead of doing a (poor) imitation
> of what treat_path() does by calling simplify_away() and
> treat_one_path() ourselves, we make a call to the real thing.
>
> Looking good. Thanks.
On the Git mailing list, Jeff King wrote (reply to this):
On Thu, Dec 19, 2019 at 12:23:29PM -0800, Elijah Newren wrote:
> > > while (len && path[len - 1] == '/')
> > > len--;
> > > if (!len)
> > > return 1;
> > > +
> > > + de = xcalloc(1, sizeof(struct dirent)+len+1);
> >
> > That "+len+1" may deserve a comment?
>
> Good point, I'll add one and send a re-roll.
Please use st_add3() while you are at it.
I'd also usually suggest FLEX_ALLOC_MEM() for even more simplicity, but
it looks like filling the string is handled separately (and done many
times).
I have to wonder, though, if it wouldn't be simpler to move away from
"struct dirent" here (and it looks like Junio suggested the same earlier
in the thread). I don't know this code very well, but it looks
like it could easily get by passing around a name pointer and a dtype
through the cached_dir. The patch below seems like it's not too bad a
cleanup, but possibly the names could be better.
---
dir.c | 48 ++++++++++++++++++-----------------
1 file changed, 25 insertions(+), 23 deletions(-)
diff --git a/dir.c b/dir.c
index 43e2f47f66..e1cba688f3 100644
--- a/dir.c
+++ b/dir.c
@@ -41,7 +41,8 @@ struct cached_dir {
int nr_files;
int nr_dirs;
- struct dirent *de;
+ const char *d_name;
+ int d_type;
const char *file;
struct untracked_cache_dir *ucd;
};
@@ -50,8 +51,8 @@ static enum path_treatment read_directory_recursive(struct dir_struct *dir,
struct index_state *istate, const char *path, int len,
struct untracked_cache_dir *untracked,
int check_only, int stop_at_first_file, const struct pathspec *pathspec);
-static int get_dtype(struct dirent *de, struct index_state *istate,
- const char *path, int len);
+static int resolve_dtype(int dtype, struct index_state *istate,
+ const char *path, int len);
int count_slashes(const char *s)
{
@@ -1050,8 +1051,7 @@ static struct path_pattern *last_matching_pattern_from_list(const char *pathname
int prefix = pattern->nowildcardlen;
if (pattern->flags & PATTERN_FLAG_MUSTBEDIR) {
- if (*dtype == DT_UNKNOWN)
- *dtype = get_dtype(NULL, istate, pathname, pathlen);
+ *dtype = resolve_dtype(*dtype, istate, pathname, pathlen);
if (*dtype != DT_DIR)
continue;
}
@@ -1639,10 +1639,9 @@ static int get_index_dtype(struct index_state *istate,
return DT_UNKNOWN;
}
-static int get_dtype(struct dirent *de, struct index_state *istate,
- const char *path, int len)
+static int resolve_dtype(int dtype, struct index_state *istate,
+ const char *path, int len)
{
- int dtype = de ? DTYPE(de) : DT_UNKNOWN;
struct stat st;
if (dtype != DT_UNKNOWN)
@@ -1667,14 +1666,13 @@ static enum path_treatment treat_one_path(struct dir_struct *dir,
struct strbuf *path,
int baselen,
const struct pathspec *pathspec,
- int dtype, struct dirent *de)
+ int dtype)
{
int exclude;
int has_path_in_index = !!index_file_exists(istate, path->buf, path->len, ignore_case);
enum path_treatment path_treatment;
- if (dtype == DT_UNKNOWN)
- dtype = get_dtype(de, istate, path->buf, path->len);
+ dtype = resolve_dtype(dtype, istate, path->buf, path->len);
/* Always exclude indexed files */
if (dtype != DT_DIR && has_path_in_index)
@@ -1782,21 +1780,18 @@ static enum path_treatment treat_path(struct dir_struct *dir,
int baselen,
const struct pathspec *pathspec)
{
- int dtype;
- struct dirent *de = cdir->de;
-
- if (!de)
+ if (!cdir->d_name)
return treat_path_fast(dir, untracked, cdir, istate, path,
baselen, pathspec);
- if (is_dot_or_dotdot(de->d_name) || !fspathcmp(de->d_name, ".git"))
+ if (is_dot_or_dotdot(cdir->d_name) || !fspathcmp(cdir->d_name, ".git"))
return path_none;
strbuf_setlen(path, baselen);
- strbuf_addstr(path, de->d_name);
+ strbuf_addstr(path, cdir->d_name);
if (simplify_away(path->buf, path->len, pathspec))
return path_none;
- dtype = DTYPE(de);
- return treat_one_path(dir, untracked, istate, path, baselen, pathspec, dtype, de);
+ return treat_one_path(dir, untracked, istate, path, baselen, pathspec,
+ cdir->d_type);
}
static void add_untracked(struct untracked_cache_dir *dir, const char *name)
@@ -1884,10 +1879,17 @@ static int open_cached_dir(struct cached_dir *cdir,
static int read_cached_dir(struct cached_dir *cdir)
{
+ struct dirent *de;
+
if (cdir->fdir) {
- cdir->de = readdir(cdir->fdir);
- if (!cdir->de)
+ de = readdir(cdir->fdir);
+ if (!de) {
+ cdir->d_name = NULL;
+ cdir->d_type = DT_UNKNOWN;
return -1;
+ }
+ cdir->d_name = de->d_name;
+ cdir->d_type = DTYPE(de);
return 0;
}
while (cdir->nr_dirs < cdir->untracked->dirs_nr) {
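Review bot: `cdir->d_name = de->d_name` keeps a pointer into the buffer returned by `readdir()`, which is only valid until the next `readdir()` or `closedir()` on `cdir->fdir`; that is the same lifetime the old `cdir->de` had, but it is now hidden behind a plain `const char *`, so a comment on the new field in `struct cached_dir` would help. Also note that the untracked-cache branch below this `if` never assigns `d_name` or `d_type`, which is correct only as long as every `cached_dir` is zero-initialised before use.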
@@ -1970,7 +1972,7 @@ static enum path_treatment read_directory_recursive(struct dir_struct *dir,
/* recurse into subdir if instructed by treat_path */
if ((state == path_recurse) ||
((state == path_untracked) &&
- (get_dtype(cdir.de, istate, path.buf, path.len) == DT_DIR) &&
+ (resolve_dtype(cdir.d_type, istate, path.buf, path.len) == DT_DIR) &&
((dir->flags & DIR_SHOW_IGNORED_TOO) ||
(pathspec &&
do_match_pathspec(istate, pathspec, path.buf, path.len,
@@ -2103,7 +2105,7 @@ static int treat_leading_path(struct dir_struct *dir,
if (simplify_away(sb.buf, sb.len, pathspec))
break;
if (treat_one_path(dir, NULL, istate, &sb, baselen, pathspec,
- DT_DIR, NULL) == path_none)
+ DT_DIR) == path_none)
break; /* do not recurse into it */
if (len <= baselen) {
rc = 1;
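Review bot: this last hunk still shows `treat_leading_path()` calling `simplify_away()` and `treat_one_path(..., DT_DIR)`, i.e. the patch is based on a tree without the series under review, which replaces that block with a synthetic dirent passed to `treat_path()`. Rebased onto that series, the synthetic dirent would become `cdir.d_name = <component>; cdir.d_type = DT_DIR;`, which also sidesteps the `d_name`-as-pointer portability problem raised earlier in the thread.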
On the Git mailing list, Elijah Newren wrote (reply to this):
Hi Peff,
On Thu, Dec 19, 2019 at 2:24 PM Jeff King <peff@peff.net> wrote:
>
> On Thu, Dec 19, 2019 at 12:23:29PM -0800, Elijah Newren wrote:
>
> > > > while (len && path[len - 1] == '/')
> > > > len--;
> > > > if (!len)
> > > > return 1;
> > > > +
> > > > + de = xcalloc(1, sizeof(struct dirent)+len+1);
> > >
> > > That "+len+1" may deserve a comment?
> >
> > Good point, I'll add one and send a re-roll.
>
> Please use st_add3() while you are at it.
I would, but Junio already took the patches and applied them to next
already. (I am curious, though, why we're worried about overflow in a
context like this?)
> I'd also usually suggest FLEX_ALLOC_MEM() for even more simplicity, but
> it looks like filling the string is handled separately (and done many
> times).
Yes, the string is handled separately; I don't manufacture a dirent
per leading directory component of the common prefix, but just
allocate one and re-use it.
> I have to wonder, though, if it wouldn't be simpler to move away from
> "struct dirent" here (and it looks like Junio suggested the same earlier
> in the thread). I don't know this code very well, but it looks
> like it could easily get by passing around a name pointer and a dtype
> through the cached_dir. The patch below seems like it's not too bad a
> cleanup, but possibly the names could be better.
This was mentioned twice upthread, first by me then by Junio (and I'll
include my final response too):
>>> I need to manufacture a dirent myself; short of that, the most
>>> likely alternative is to drop patches 2 & 5-8 of this series and
>>> throw my hands in the air and give up.
>>> ...
>>> It'd be an awful lot of work to rip [dirent] out...unless someone
>>> else has some bright ideas about something clever we can do, then I
>>> think this problem blows up in complexity to a level where I don't
>>> think it's worth addressing.
>>> ...
>>> Any bright ideas about what to do here?
>>
>> Restructuring the code so that we do not use "struct dirent" in the
>> first place, even in the original code that used only those obtained
>> from readdir(), perhaps?
>
> Okay, I'll submit a new series dropping most the patches.
It's possible I vastly overestimated how much work ripping out the
dirent would be; I mean I've mis-estimated absolutely everything in
dir.c and assumed each "little" thing would all be a small amount of
work, so maybe I'm just swinging the pendulum too far the other way.
But, although I think this alternative would be the cleanest, I saw a
couple things that looked like this was going to turn into a huge can
of worms when I started to peek at what it all touched. I'd be happy
for someone to take this route, but it won't be me (see also
https://lore.kernel.org/git/CABPp-BEkX9cH1=r3dJ4WLzcJKVcF-KpGUkshL34MMp3Xhhhpuw@mail.gmail.com/).
Elijah
On the Git mailing list, Junio C Hamano wrote (reply to this):
Jeff King <peff@peff.net> writes:
> Please use st_add3() while you are at it.
>
> I'd also usually suggest FLEX_ALLOC_MEM() for even more simplicity, but
> it looks like filling the string is handled separately (and done many
> times).
>
> I have to wonder, though, if it wouldn't be simpler to move away from
> "struct dirent" here (and it looks like Junio suggested the same earlier
> in the thread). I don't know this code very well, but it looks
> like it could easily get by passing around a name pointer and a dtype
> through the cached_dir. The patch below seems like it's not too bad a
> cleanup, but possibly the names could be better.
It does look like a good clean-up.
In the meantime, here is to apologize for merging the patch a bit
too early to 'next'.
-- >8 --
From: Junio C Hamano <gitster@pobox.com>
Date: Fri, 20 Dec 2019 09:55:53 -0800
Subject: [PATCH] dir.c: use st_add3() for allocation size
When preparing a manufactured dirent instance, we add a length of
path to the size of struct to decide how many bytes to allocate.
Make sure this addition does not wrap-around to cause us
underallocate.
Suggested-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
---
dir.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dir.c b/dir.c
index e1b74f6478..113170aeb9 100644
--- a/dir.c
+++ b/dir.c
@@ -2154,7 +2154,7 @@ static int treat_leading_path(struct dir_struct *dir,
* For either case, padding with len+1 bytes at the end will ensure
* sufficient storage space.
*/
- de = xcalloc(1, sizeof(struct dirent)+len+1);
+ de = xcalloc(1, st_add3(sizeof(struct dirent), len, 1));
memset(&cdir, 0, sizeof(cdir));
cdir.de = de;
#if defined(DT_UNKNOWN) && !defined(NO_D_TYPE_IN_DIRENT)
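Review bot: `st_add3(sizeof(struct dirent), len, 1)` fixes the wrap-around, but `len` is an `int` (as noted elsewhere in this thread): a negative value converts to a huge `size_t`, so `st_add3()` will die rather than under-allocate, which is acceptable but worth a sentence in the commit message; changing the parameter to `size_t` would make the intent explicit.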
--
2.24.1-769-g187e15c71d
On the Git mailing list, Jeff King wrote (reply to this):
On Fri, Dec 20, 2019 at 09:00:40AM -0800, Elijah Newren wrote:
> > > > > + de = xcalloc(1, sizeof(struct dirent)+len+1);
> > > >
> > > > That "+len+1" may deserve a comment?
> > >
> > > Good point, I'll add one and send a re-roll.
> >
> > Please use st_add3() while you are at it.
>
> I would, but Junio already took the patches and applied them to next
> already. (I am curious, though, why we're worried about overflow in a
> context like this?)
If len is large enough to cause integer overflow when computing the
total size, then we'd allocate a too-small buffer (and then later
overflow the buffer when writing into it).
I'm not sure how possible that is here. On 32-bit systems, overflowing
size_t only needs 4GB. You're not likely to have a 4GB path on a
filesystem, but malicious folks could shove them into a tree. I'm not
sure if this code could be triggered for anything that doesn't actually
exist on the filesystem, though.
You're also not likely to actually manage to store a 4GB string in
"path" on a 32-bit system in the first place. But "len" is actually an
"int". On a 64-bit system it would be easy to do, though, and int is
still 32 bits there. But because the result of sizeof() is a size_t, I
think the int will be promoted as well during the addition (and assuming
it's not negative, will be too small to overflow). (Also, the "len"
parameter probably should be a size_t in the first place, but that's
not new).
So I don't think it's exploitable, but as you can see there's a bit of
pondering to see that it's so. When I audit I usually look for something
like /x[mc]alloc.*[+*] / to find potential problem spots. Even if we're
pretty sure a particular site isn't vulnerable, marking it with st_add()
errs on the safe side, and makes those audits easier.
> It's possible I vastly overestimated how much work ripping out the
> dirent would be; I mean I've mis-estimated absolutely everything in
> dir.c and assumed each "little" thing would all be a small amount of
> work, so maybe I'm just swinging the pendulum too far the other way.
> But, although I think this alternative would be the cleanest, I saw a
> couple things that looked like this was going to turn into a huge can
> of worms when I started to peek at what it all touched. I'd be happy
> for someone to take this route, but it won't be me (see also
> https://lore.kernel.org/git/CABPp-BEkX9cH1=r3dJ4WLzcJKVcF-KpGUkshL34MMp3Xhhhpuw@mail.gmail.com/).
OK. I certainly don't insist on this direction. I just saw the
portability issues and wondered how bad it would be to do so. Hence the
patch I sent, which I _think_ is correct, but I really don't know the
dir.c code very well. And I'm sure it will not surprise you that I have
generally been confused and/or frightened by it when I do look at it. :)
-Peff
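As an added illustration of the wrap-around Peff describes (example code written for this page, not from git.git or the thread): `checked_add3()` is a hypothetical stand-in for `st_add3()` that reports overflow instead of dying, and `struct entry` is a constructed dirent-like struct whose only role is its size. The `int` case shows why a negative length is refused rather than under-allocated once the addition happens in `size_t`.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a dirent with a trailing fixed-size name array. */
struct entry {
	unsigned char d_type;
	char d_name[256];
};

/* The original form: a plain addition in size_t that wraps silently. */
size_t unchecked_size(size_t base, size_t len)
{
	return base + len + 1;
}

/*
 * Hypothetical stand-in for git's st_add3(): adds three size_t values,
 * returning 0 and storing the sum on success, or -1 if either partial
 * sum would exceed SIZE_MAX (i.e. the result would wrap around).
 */
int checked_add3(size_t a, size_t b, size_t c, size_t *out)
{
	size_t ab;

	if (a > SIZE_MAX - b)
		return -1;
	ab = a + b;
	if (ab > SIZE_MAX - c)
		return -1;
	*out = ab + c;
	return 0;
}

/*
 * Allocation size for a name of `len` bytes plus its NUL, or 0 when the
 * computation would wrap (0 is never a valid size because base > 0).
 */
size_t alloc_size_checked(size_t base, size_t len)
{
	size_t size;

	if (checked_add3(base, len, 1, &size))
		return 0;
	return size;
}

/*
 * Same as above but taking an `int` length, as treat_leading_path() does.
 * The int is converted to size_t before the addition, so a negative value
 * becomes a huge one and is refused instead of producing a small buffer.
 */
size_t alloc_size_from_int(int len)
{
	return alloc_size_checked(sizeof(struct entry), (size_t)len);
}

/* Allocate a zeroed entry only if the size computation did not wrap. */
struct entry *alloc_entry(size_t len)
{
	size_t size = alloc_size_checked(sizeof(struct entry), len);

	if (!size)
		return NULL;
	return calloc(1, size);
}

int main(void)
{
	size_t huge = SIZE_MAX - 10;   /* constructed: a length that wraps */
	size_t wrapped = unchecked_size(sizeof(struct entry), huge);
	struct entry *e;

	printf("unchecked: %zu + %zu + 1 -> %zu (smaller than base: %s)\n",
	       sizeof(struct entry), huge, wrapped,
	       wrapped < sizeof(struct entry) ? "yes" : "no");
	printf("checked:   len %zu -> %zu (0 means refused)\n",
	       huge, alloc_size_checked(sizeof(struct entry), huge));
	printf("checked:   int len -1 -> %zu (0 means refused)\n",
	       alloc_size_from_int(-1));

	e = alloc_entry(4);
	if (e) {
		memcpy(e->d_name, "mine", 5);
		printf("allocated entry for \"%s\"\n", e->d_name);
		free(e);
	}
	return 0;
}
```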
On the Git mailing list, Jeff King wrote (reply to this):
On Fri, Dec 20, 2019 at 10:01:21AM -0800, Junio C Hamano wrote:
> In the meantime, here is to apologize for merging the patch a bit
> too early to 'next'.
>
> -- >8 --
> From: Junio C Hamano <gitster@pobox.com>
> Date: Fri, 20 Dec 2019 09:55:53 -0800
> Subject: [PATCH] dir.c: use st_add3() for allocation size
Thanks, I think this is an easy improvement worth doing (I laid out more
in my response to Elijah, but: I don't think this is exploitable, but
I'd rather err on the side of caution and ease of auditing).
-Peff
This patch series was integrated into pu via 71498d1.
Many years ago, the directory traversing logic had an optimization that would always recurse into any directory that was a common prefix of all the pathspecs without walking the leading directories to get down to the desired directory. Thus,

    git ls-files -o .git/                          # case A

would notice that .git/ was a common prefix of all pathspecs (since it is the only pathspec listed), and then traverse into it and start showing unknown files under that directory. Unfortunately, .git/ is not a directory we should be traversing into, which made this optimization problematic. This also affected cases like

    git ls-files -o --exclude-standard t/          # case B

where t/ was in the .gitignore file and thus isn't interesting and shouldn't be recursed into. It also affected cases like

    git ls-files -o --directory untracked_dir/     # case C

where untracked_dir/ is indeed untracked and thus interesting, but the --directory flag means we only want to show the directory itself, not recurse into it and start listing untracked files below it.

The case B class of bugs were noted and fixed in commits 16e2cfa ("read_directory(): further split treat_path()", 2010-01-08) and 48ffef9 ("ls-files: fix overeager pathspec optimization", 2010-01-08), with the idea being that we first wanted to check whether the common prefix was interesting. The former patch noted that treat_path() couldn't be used when checking the common prefix because treat_path() requires a dir_entry() and we haven't read any directories at the point we are checking the common prefix. So, that patch split treat_one_path() out of treat_path(). The latter patch then created a new treat_leading_path() which duplicated by hand the bits of treat_path() that couldn't be broken out and then called treat_one_path() for the remainder.

There were three problems with this approach:

* The duplicated logic in treat_leading_path() accidentally missed the check for special paths (such as is_dot_or_dotdot and matching ".git"), causing case A types of bugs to continue to be an issue.
* The treat_leading_path() logic assumed we should traverse into anything where path_treatment was not path_none, i.e. it perpetuated class C types of bugs.
* It meant we had split logic that needed to be kept in sync, running the risk that people introduced new inconsistencies (such as in commit be8a84c, which we reverted earlier in this series, or in commit df5bcdf which we'll fix in a subsequent commit)

Fix most of these problems by making treat_leading_path() not only loop over each leading path component, but calling treat_path() directly on each. To do so, we have to create a synthetic dir_entry, but that only takes a few lines. Then, pay attention to the path_treatment result we get from treat_path() and don't treat path_excluded, path_untracked, and path_recurse all the same as path_recurse.

This leaves one remaining problem, the new inconsistency from commit df5bcdf. That will be addressed in a subsequent commit.

Signed-off-by: Elijah Newren <newren@gmail.com>
Our optimization to avoid calling into read_directory_recursive() when all pathspecs have a common leading directory mean that we need to match the logic that read_directory_recursive() would use if we had just called it from the root. Since it does more than call treat_path() we need to copy that same logic. Alternatively, we could try to change treat_path to return path_recurse for an untracked directory under the given special circumstances that this logic checks for, but a simple switch results in many test failures such as 'git clean -d' not wiping out untracked but empty directories. To work around that, we'd need the caller of treat_path to check for path_recurse and sometimes special case it into path_untracked. In other words, we'd still have extra logic in both places. Needing to duplicate logic like this means it is guaranteed someone will eventually need to make further changes and forget to update both locations. It is tempting to just nuke the leading_directory special casing to avoid such bugs and simplify the code, but unpack_trees' verify_clean_subdirectory() also calls read_directory() and does so with a non-empty leading path, so I'm hesitant to try to restructure further. Add obnoxious warnings to treat_leading_path() and read_directory_recursive() to try to warn people of such problems. Signed-off-by: Elijah Newren <newren@gmail.com>
Both the DIR_SKIP_NESTED_GIT and DIR_NO_GITLINKS cases were checking for whether a path was actually a nonbare repository. That code could be shared, with just the result of how to act differing between the two cases. Signed-off-by: Elijah Newren <newren@gmail.com>
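The three bug classes in the commit messages above all come from the same shape of mistake: a hand-copied subset of the per-entry checks applied to the leading path components, plus "anything that is not path_none means recurse". The following is an added example, not code from git's dir.c, that models that logic in miniature: `treat_one()` stands in for treat_path(), `leading_path_buggy()` for the pre-fix treat_leading_path() and `leading_path_fixed()` for the post-fix one. The flag names, the `classify()` wrapper and the tiny constructed repository ("t" ignored, "src" tracked) are assumptions made for the illustration, not git's API.

```c
/* Added example, not git's own code. Function and flag names are invented
 * for this illustration; the repository contents are constructed inline. */
#include <stdio.h>
#include <string.h>

enum path_treatment { path_none, path_recurse, path_excluded, path_untracked };

#define FLAG_SHOW_IGNORED    0x1  /* stands in for --ignored (assumption) */
#define FLAG_SHOW_OTHER_DIRS 0x2  /* stands in for --directory (assumption) */

struct walk_opts {
    unsigned flags;
    const char **ignored;  /* constructed .gitignore entries, NULL-terminated */
    const char **tracked;  /* constructed "index": tracked directory names */
};

static int in_list(const char **list, const char *name)
{
    for (; list && *list; list++)
        if (!strcmp(*list, name))
            return 1;
    return 0;
}

/* Yield successive components of "a/b/c/"; returns 0 when exhausted. */
static int next_component(const char **p, char *out, size_t outsz)
{
    const char *s = *p, *slash;
    size_t n;

    while (*s == '/')
        s++;
    if (!*s)
        return 0;
    slash = strchr(s, '/');
    n = slash ? (size_t)(slash - s) : strlen(s);
    if (n >= outsz)
        n = outsz - 1;
    memcpy(out, s, n);
    out[n] = '\0';
    *p = slash ? slash : s + strlen(s);
    return 1;
}

/* The per-entry decision, in the role of treat_path(): special names first,
 * then exclusion, then tracked vs. untracked. */
static enum path_treatment treat_one(const struct walk_opts *o, const char *name)
{
    if (!strcmp(name, ".") || !strcmp(name, "..") || !strcmp(name, ".git"))
        return path_none;                                   /* case A */
    if (in_list(o->ignored, name))
        return (o->flags & FLAG_SHOW_IGNORED) ? path_excluded : path_none; /* case B */
    if (!in_list(o->tracked, name))
        return (o->flags & FLAG_SHOW_OTHER_DIRS) ? path_untracked : path_recurse; /* case C */
    return path_recurse;
}

/* Pre-fix shape: a hand-copied subset of the checks. The special-name test
 * was never copied (case A), and every non-path_none outcome is treated as
 * "descend", so --directory cannot stop the walk either (case C). */
static enum path_treatment leading_path_buggy(const struct walk_opts *o, const char *prefix)
{
    char comp[64];

    while (next_component(&prefix, comp, sizeof comp))
        if (in_list(o->ignored, comp) && !(o->flags & FLAG_SHOW_IGNORED))
            return path_none;   /* the only case B check that was copied */
    return path_recurse;
}

/* Post-fix shape: run the real classifier on every leading component and
 * stop at the first result that is not path_recurse, reporting that result. */
static enum path_treatment leading_path_fixed(const struct walk_opts *o, const char *prefix)
{
    char comp[64];
    enum path_treatment t = path_recurse;

    while (next_component(&prefix, comp, sizeof comp)) {
        t = treat_one(o, comp);
        if (t != path_recurse)
            break;
    }
    return t;
}

/* Wrapper over the constructed repository: "t" is ignored, "src" is tracked. */
enum path_treatment classify(const char *prefix, unsigned flags, int fixed)
{
    const char *ignored[] = { "t", NULL };
    const char *tracked[] = { "src", NULL };
    struct walk_opts o = { flags, ignored, tracked };

    return fixed ? leading_path_fixed(&o, prefix) : leading_path_buggy(&o, prefix);
}

int main(void)
{
    static const char *names[] = { "path_none", "path_recurse", "path_excluded", "path_untracked" };
    const char *cases[] = { ".git/", "t/", "untracked_dir/", "src/" };
    unsigned flags[] = { 0, FLAG_SHOW_IGNORED, FLAG_SHOW_OTHER_DIRS, 0 };
    size_t i;

    for (i = 0; i < sizeof cases / sizeof *cases; i++)
        printf("%-15s buggy=%-14s fixed=%s\n", cases[i],
               names[classify(cases[i], flags[i], 0)],
               names[classify(cases[i], flags[i], 1)]);
    return 0;
}
```

The point of keeping a single classifier is the one the commit message makes: the buggy walker is not wrong because of any one missing line, but because it is a second copy of the decision that can drift from the first. Only the fixed walker distinguishes path_excluded and path_untracked from path_recurse, which is what lets `--ignored` report `t/` and `--directory` report `untracked_dir/` without descending into them.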
/submit

Submitted as pull.676.v5.git.git.1576790906.gitgitgadget@gmail.com WARNING: newren has no public email address set on GitHub

This patch series was integrated into pu via b374846.

This patch series was integrated into next via 80ad315.

This patch series was integrated into pu via 18fec76.

On the Git mailing list, Johannes Schindelin wrote (reply to this):

This patch series was integrated into pu via d2189a7.

This patch series was integrated into master via d2189a7.

Closed via d2189a7.
This series documents multiple fill_directory() bugs, and fixes the one that is new to 2.24.0 coming from en/clean-nested-with-ignored-topic, the rest having been around in versions of git going back up to a decade.
Changes since v4:
Cc: blees@dcon.de, gitster@pobox.com, kyle@kyleam.com, sxlijin@gmail.com