[PATCH 00/11] Allow reference values to be checked in a transaction

[PATCH 00/11] Allow reference values to be checked in a transaction

[Michael Haggerty]

The main purpose of this series is to simplify the interface to
reference transactions as follows:

* Remove the need to supply an explicit have_old parameter to
  ref_transaction_update() and ref_transaction_delete(). Instead,
  check the old_sha1 if and only if it is non-NULL.

* Allow NULL to be supplied to ref_transaction_update() as new_sha1,
  in which case old_sha1 will be verified under lock, but the
  reference's value will not be altered.

* Add a function ref_transaction_verify(), which verifies the current
  value of a reference without changing it.

* Make the similarity between ref_transaction_update() and
  update_ref() more obvious.

Along the way, it fixes a race that could happen if two processes try
to create an orphan commit at the same time.

This patch series applies on top of master merged together with
sb/atomic-push, which in turn depends on mh/reflog-expire. It is also
available from my GitHub account [1] as branch "refs-have-new":

It's nothing earth-shattering, but I think it is a worthwhile cleanup.

Michael

[1] https://github.com/mhagger/git

Michael Haggerty (11):
  refs: move REF_DELETING to refs.c
  refs: remove the gap in the REF_* constant values
  struct ref_update: move "have_old" into "flags"
  ref_transaction_update(): remove "have_old" parameter
  ref_transaction_delete(): remove "have_old" parameter
  commit: add tests of commit races
  commit: avoid race when creating orphan commits
  ref_transaction_create(): check that new_sha1 is valid
  ref_transaction_delete(): check that old_sha1 is not null_sha1
  ref_transaction_verify(): new function to check a reference's value
  update_ref(): improve documentation

 branch.c                |   5 +-
 builtin/commit.c        |   4 +-
 builtin/fetch.c         |   6 ++-
 builtin/receive-pack.c  |   5 +-
 builtin/replace.c       |   2 +-
 builtin/tag.c           |   2 +-
 builtin/update-ref.c    |  17 +++----
 fast-import.c           |   6 +--
 refs.c                  | 130 +++++++++++++++++++++++++++++++++---------------
 refs.h                  |  61 ++++++++++++++++-------
 sequencer.c             |   2 +-
 t/t7516-commit-races.sh |  38 ++++++++++++++
 walker.c                |   2 +-
 13 files changed, 197 insertions(+), 83 deletions(-)
 create mode 100755 t/t7516-commit-races.sh

-- 
2.1.4

[PATCH 01/11] refs: move REF_DELETING to refs.c

[Michael Haggerty]

It is only used internally now. Document it a little bit better, too.

Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
---
 refs.c | 6 ++++++
 refs.h | 4 +---
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/refs.c b/refs.c
index c5fa709..cd5208b 100644
--- a/refs.c
+++ b/refs.c
@@ -35,6 +35,12 @@ static unsigned char refname_disposition[256] = {
 };
 
 /*
+ * Flag passed to lock_ref_sha1_basic() telling it to tolerate broken
+ * refs (i.e., because the reference is about to be deleted anyway).
+ */
+#define REF_DELETING	0x02
+
+/*
  * Used as a flag to ref_transaction_delete when a loose ref is being
  * pruned.
  */
diff --git a/refs.h b/refs.h
index afa3c4d..9bf2148 100644
--- a/refs.h
+++ b/refs.h
@@ -183,12 +183,10 @@ extern int peel_ref(const char *refname, unsigned char *sha1);
  * Flags controlling ref_transaction_update(), ref_transaction_create(), etc.
  * REF_NODEREF: act on the ref directly, instead of dereferencing
  *              symbolic references.
- * REF_DELETING: tolerate broken refs
  *
- * Flags >= 0x100 are reserved for internal use.
+ * Other flags are reserved for internal use.
  */
 #define REF_NODEREF	0x01
-#define REF_DELETING	0x02
 
 /*
  * Setup reflog before using. Set errno to something meaningful on failure.
-- 
2.1.4

[PATCH 02/11] refs: remove the gap in the REF_* constant values

[Michael Haggerty]

There is no reason to "reserve" a gap between the public and private
flags values.

Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
---
 refs.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/refs.c b/refs.c
index cd5208b..477a5b3 100644
--- a/refs.c
+++ b/refs.c
@@ -44,7 +44,8 @@ static unsigned char refname_disposition[256] = {
  * Used as a flag to ref_transaction_delete when a loose ref is being
  * pruned.
  */
-#define REF_ISPRUNING	0x0100
+#define REF_ISPRUNING	0x04
+
 /*
  * Try to read one refname component from the front of refname.
  * Return the length of the component found, or -1 if the component is
-- 
2.1.4

[PATCH 03/11] struct ref_update: move "have_old" into "flags"

[Michael Haggerty]

Instead of having a separate have_old field, record this boolean value
as a bit in the "flags" field.

Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
---
 refs.c | 45 ++++++++++++++++++++++++++++-----------------
 1 file changed, 28 insertions(+), 17 deletions(-)

diff --git a/refs.c b/refs.c
index 477a5b3..851c9f8 100644
--- a/refs.c
+++ b/refs.c
@@ -41,12 +41,18 @@ static unsigned char refname_disposition[256] = {
 #define REF_DELETING	0x02
 
 /*
- * Used as a flag to ref_transaction_delete when a loose ref is being
+ * Used as a flag in ref_update::flags when a loose ref is being
  * pruned.
  */
 #define REF_ISPRUNING	0x04
 
 /*
+ * Used as a flag in ref_update::flags when old_sha1 should be
+ * checked.
+ */
+#define REF_HAVE_OLD	0x08
+
+/*
  * Try to read one refname component from the front of refname.
  * Return the length of the component found, or -1 if the component is
  * not legal.  It is legal if it is something reasonable to have under
@@ -3564,16 +3570,20 @@ int for_each_reflog(each_ref_fn fn, void *cb_data)
 }
 
 /**
- * Information needed for a single ref update.  Set new_sha1 to the
- * new value or to zero to delete the ref.  To check the old value
- * while locking the ref, set have_old to 1 and set old_sha1 to the
- * value or to zero to ensure the ref does not exist before update.
+ * Information needed for a single ref update. Set new_sha1 to the new
+ * value or to null_sha1 to delete the ref. To check the old value
+ * while the ref is locked, set (flags & REF_HAVE_OLD) and set
+ * old_sha1 to the old value, or to null_sha1 to ensure the ref does
+ * not exist before update.
  */
 struct ref_update {
 	unsigned char new_sha1[20];
 	unsigned char old_sha1[20];
-	int flags; /* REF_NODEREF? */
-	int have_old; /* 1 if old_sha1 is valid, 0 otherwise */
+	/*
+	 * One or more of REF_HAVE_OLD, REF_NODEREF,
+	 * REF_DELETING, and REF_IS_PRUNING:
+	 */
+	int flags;
 	struct ref_lock *lock;
 	int type;
 	char *msg;
@@ -3667,10 +3677,11 @@ int ref_transaction_update(struct ref_transaction *transaction,
 
 	update = add_update(transaction, refname);
 	hashcpy(update->new_sha1, new_sha1);
-	update->flags = flags;
-	update->have_old = have_old;
-	if (have_old)
+	if (have_old) {
 		hashcpy(update->old_sha1, old_sha1);
+		flags |= REF_HAVE_OLD;
+	}
+	update->flags = flags;
 	if (msg)
 		update->msg = xstrdup(msg);
 	return 0;
@@ -3786,13 +3797,13 @@ int ref_transaction_commit(struct ref_transaction *transaction,
 
 		if (is_null_sha1(update->new_sha1))
 			flags |= REF_DELETING;
-		update->lock = lock_ref_sha1_basic(update->refname,
-						   (update->have_old ?
-						    update->old_sha1 :
-						    NULL),
-						   NULL,
-						   flags,
-						   &update->type);
+		update->lock = lock_ref_sha1_basic(
+				update->refname,
+				((update->flags & REF_HAVE_OLD) ?
+				 update->old_sha1 : NULL),
+				NULL,
+				flags,
+				&update->type);
 		if (!update->lock) {
 			ret = (errno == ENOTDIR)
 				? TRANSACTION_NAME_CONFLICT
-- 
2.1.4

[PATCH 04/11] ref_transaction_update(): remove "have_old" parameter

[Michael Haggerty]

Instead, if old_sha1 is non-NULL, verify it; otherwise, don't.

ref_transaction_delete() will get the same treatment in a moment.

Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
---
 branch.c               |  5 +++--
 builtin/commit.c       |  2 +-
 builtin/fetch.c        |  6 ++++--
 builtin/receive-pack.c |  2 +-
 builtin/replace.c      |  2 +-
 builtin/tag.c          |  2 +-
 builtin/update-ref.c   |  7 ++++---
 fast-import.c          |  6 +++---
 refs.c                 | 18 ++++++++----------
 refs.h                 |  6 +++---
 sequencer.c            |  2 +-
 walker.c               |  2 +-
 12 files changed, 31 insertions(+), 29 deletions(-)

diff --git a/branch.c b/branch.c
index 4bab55a..b002435 100644
--- a/branch.c
+++ b/branch.c
@@ -284,8 +284,9 @@ void create_branch(const char *head,
 
 		transaction = ref_transaction_begin(&err);
 		if (!transaction ||
-		    ref_transaction_update(transaction, ref.buf, sha1,
-					   null_sha1, 0, !forcing, msg, &err) ||
+		    ref_transaction_update(transaction, ref.buf,
+					   sha1, forcing ? NULL : null_sha1,
+					   0, msg, &err) ||
 		    ref_transaction_commit(transaction, &err))
 			die("%s", err.buf);
 		ref_transaction_free(transaction);
diff --git a/builtin/commit.c b/builtin/commit.c
index 7d90c35..5654abd 100644
--- a/builtin/commit.c
+++ b/builtin/commit.c
@@ -1773,7 +1773,7 @@ int cmd_commit(int argc, const char **argv, const char *prefix)
 	    ref_transaction_update(transaction, "HEAD", sha1,
 				   current_head
 				   ? current_head->object.sha1 : NULL,
-				   0, !!current_head, sb.buf, &err) ||
+				   0, sb.buf, &err) ||
 	    ref_transaction_commit(transaction, &err)) {
 		rollback_index_files();
 		die("%s", err.buf);
diff --git a/builtin/fetch.c b/builtin/fetch.c
index 7b84d35..719bf4f 100644
--- a/builtin/fetch.c
+++ b/builtin/fetch.c
@@ -416,8 +416,10 @@ static int s_update_ref(const char *action,
 
 	transaction = ref_transaction_begin(&err);
 	if (!transaction ||
-	    ref_transaction_update(transaction, ref->name, ref->new_sha1,
-				   ref->old_sha1, 0, check_old, msg, &err))
+	    ref_transaction_update(transaction, ref->name,
+				   ref->new_sha1,
+				   check_old ? ref->old_sha1 : NULL,
+				   0, msg, &err))
 		goto fail;
 
 	ret = ref_transaction_commit(transaction, &err);
diff --git a/builtin/receive-pack.c b/builtin/receive-pack.c
index 4e85e25..71be82e 100644
--- a/builtin/receive-pack.c
+++ b/builtin/receive-pack.c
@@ -951,7 +951,7 @@ static const char *update(struct command *cmd, struct shallow_info *si)
 		if (ref_transaction_update(transaction,
 					   namespaced_name,
 					   new_sha1, old_sha1,
-					   0, 1, "push",
+					   0, "push",
 					   &err)) {
 			rp_error("%s", err.buf);
 			strbuf_release(&err);
diff --git a/builtin/replace.c b/builtin/replace.c
index 85d39b5..54bf01a 100644
--- a/builtin/replace.c
+++ b/builtin/replace.c
@@ -172,7 +172,7 @@ static int replace_object_sha1(const char *object_ref,
 	transaction = ref_transaction_begin(&err);
 	if (!transaction ||
 	    ref_transaction_update(transaction, ref, repl, prev,
-				   0, 1, NULL, &err) ||
+				   0, NULL, &err) ||
 	    ref_transaction_commit(transaction, &err))
 		die("%s", err.buf);
 
diff --git a/builtin/tag.c b/builtin/tag.c
index e633f4e..232c28c 100644
--- a/builtin/tag.c
+++ b/builtin/tag.c
@@ -733,7 +733,7 @@ int cmd_tag(int argc, const char **argv, const char *prefix)
 	transaction = ref_transaction_begin(&err);
 	if (!transaction ||
 	    ref_transaction_update(transaction, ref.buf, object, prev,
-				   0, 1, NULL, &err) ||
+				   0, NULL, &err) ||
 	    ref_transaction_commit(transaction, &err))
 		die("%s", err.buf);
 	ref_transaction_free(transaction);
diff --git a/builtin/update-ref.c b/builtin/update-ref.c
index 1993529..f0db7a3 100644
--- a/builtin/update-ref.c
+++ b/builtin/update-ref.c
@@ -198,8 +198,9 @@ static const char *parse_cmd_update(struct ref_transaction *transaction,
 	if (*next != line_termination)
 		die("update %s: extra input: %s", refname, next);
 
-	if (ref_transaction_update(transaction, refname, new_sha1, old_sha1,
-				   update_flags, have_old, msg, &err))
+	if (ref_transaction_update(transaction, refname,
+				   new_sha1, have_old ? old_sha1 : NULL,
+				   update_flags, msg, &err))
 		die("%s", err.buf);
 
 	update_flags = 0;
@@ -297,7 +298,7 @@ static const char *parse_cmd_verify(struct ref_transaction *transaction,
 		die("verify %s: extra input: %s", refname, next);
 
 	if (ref_transaction_update(transaction, refname, new_sha1, old_sha1,
-				   update_flags, 1, msg, &err))
+				   update_flags, msg, &err))
 		die("%s", err.buf);
 
 	update_flags = 0;
diff --git a/fast-import.c b/fast-import.c
index d0bd285..1e72bfb 100644
--- a/fast-import.c
+++ b/fast-import.c
@@ -1716,7 +1716,7 @@ static int update_branch(struct branch *b)
 	transaction = ref_transaction_begin(&err);
 	if (!transaction ||
 	    ref_transaction_update(transaction, b->name, b->sha1, old_sha1,
-				   0, 1, msg, &err) ||
+				   0, msg, &err) ||
 	    ref_transaction_commit(transaction, &err)) {
 		ref_transaction_free(transaction);
 		error("%s", err.buf);
@@ -1756,8 +1756,8 @@ static void dump_tags(void)
 		strbuf_reset(&ref_name);
 		strbuf_addf(&ref_name, "refs/tags/%s", t->name);
 
-		if (ref_transaction_update(transaction, ref_name.buf, t->sha1,
-					   NULL, 0, 0, msg, &err)) {
+		if (ref_transaction_update(transaction, ref_name.buf,
+					   t->sha1, NULL, 0, msg, &err)) {
 			failure |= error("%s", err.buf);
 			goto cleanup;
 		}
diff --git a/refs.c b/refs.c
index 851c9f8..6beafcf 100644
--- a/refs.c
+++ b/refs.c
@@ -3655,7 +3655,7 @@ int ref_transaction_update(struct ref_transaction *transaction,
 			   const char *refname,
 			   const unsigned char *new_sha1,
 			   const unsigned char *old_sha1,
-			   int flags, int have_old, const char *msg,
+			   int flags, const char *msg,
 			   struct strbuf *err)
 {
 	struct ref_update *update;
@@ -3665,9 +3665,6 @@ int ref_transaction_update(struct ref_transaction *transaction,
 	if (transaction->state != REF_TRANSACTION_OPEN)
 		die("BUG: update called for transaction that is not open");
 
-	if (have_old && !old_sha1)
-		die("BUG: have_old is true but old_sha1 is NULL");
-
 	if (!is_null_sha1(new_sha1) &&
 	    check_refname_format(refname, REFNAME_ALLOW_ONELEVEL)) {
 		strbuf_addf(err, "refusing to update ref with bad name %s",
@@ -3677,7 +3674,7 @@ int ref_transaction_update(struct ref_transaction *transaction,
 
 	update = add_update(transaction, refname);
 	hashcpy(update->new_sha1, new_sha1);
-	if (have_old) {
+	if (old_sha1) {
 		hashcpy(update->old_sha1, old_sha1);
 		flags |= REF_HAVE_OLD;
 	}
@@ -3694,7 +3691,7 @@ int ref_transaction_create(struct ref_transaction *transaction,
 			   struct strbuf *err)
 {
 	return ref_transaction_update(transaction, refname, new_sha1,
-				      null_sha1, flags, 1, msg, err);
+				      null_sha1, flags, msg, err);
 }
 
 int ref_transaction_delete(struct ref_transaction *transaction,
@@ -3703,8 +3700,9 @@ int ref_transaction_delete(struct ref_transaction *transaction,
 			   int flags, int have_old, const char *msg,
 			   struct strbuf *err)
 {
-	return ref_transaction_update(transaction, refname, null_sha1,
-				      old_sha1, flags, have_old, msg, err);
+	return ref_transaction_update(transaction, refname,
+				      null_sha1, have_old ? old_sha1 : NULL,
+				      flags, msg, err);
 }
 
 int update_ref(const char *action, const char *refname,
@@ -3716,8 +3714,8 @@ int update_ref(const char *action, const char *refname,
 
 	t = ref_transaction_begin(&err);
 	if (!t ||
-	    ref_transaction_update(t, refname, sha1, oldval, flags,
-				   !!oldval, action, &err) ||
+	    ref_transaction_update(t, refname, sha1, oldval,
+				   flags, action, &err) ||
 	    ref_transaction_commit(t, &err)) {
 		const char *str = "update_ref failed for ref '%s': %s";
 
diff --git a/refs.h b/refs.h
index 9bf2148..f05ac89 100644
--- a/refs.h
+++ b/refs.h
@@ -265,8 +265,8 @@ struct ref_transaction *ref_transaction_begin(struct strbuf *err);
 /*
  * Add a reference update to transaction.  new_sha1 is the value that
  * the reference should have after the update, or null_sha1 if it should
- * be deleted.  If have_old is true, then old_sha1 holds the value
- * that the reference should have had before the update, or zeros if
+ * be deleted.  If old_sha1 is non-NULL, then it the value
+ * that the reference should have had before the update, or null_sha1 if
  * it must not have existed beforehand.
  * Function returns 0 on success and non-zero on failure. A failure to update
  * means that the transaction as a whole has failed and will need to be
@@ -276,7 +276,7 @@ int ref_transaction_update(struct ref_transaction *transaction,
 			   const char *refname,
 			   const unsigned char *new_sha1,
 			   const unsigned char *old_sha1,
-			   int flags, int have_old, const char *msg,
+			   int flags, const char *msg,
 			   struct strbuf *err);
 
 /*
diff --git a/sequencer.c b/sequencer.c
index 77a1266..32aa05e 100644
--- a/sequencer.c
+++ b/sequencer.c
@@ -252,7 +252,7 @@ static int fast_forward_to(const unsigned char *to, const unsigned char *from,
 	if (!transaction ||
 	    ref_transaction_update(transaction, "HEAD",
 				   to, unborn ? null_sha1 : from,
-				   0, 1, sb.buf, &err) ||
+				   0, sb.buf, &err) ||
 	    ref_transaction_commit(transaction, &err)) {
 		ref_transaction_free(transaction);
 		error("%s", err.buf);
diff --git a/walker.c b/walker.c
index f149371..34881b0 100644
--- a/walker.c
+++ b/walker.c
@@ -299,7 +299,7 @@ int walker_fetch(struct walker *walker, int targets, char **target,
 		strbuf_reset(&refname);
 		strbuf_addf(&refname, "refs/%s", write_ref[i]);
 		if (ref_transaction_update(transaction, refname.buf,
-					   &sha1[20 * i], NULL, 0, 0,
+					   &sha1[20 * i], NULL, 0,
 					   msg ? msg : "fetch (unknown)",
 					   &err)) {
 			error("%s", err.buf);
-- 
2.1.4

[PATCH 05/11] ref_transaction_delete(): remove "have_old" parameter

[Michael Haggerty]

Instead, if old_sha1 is non-NULL, verify it; otherwise, don't.

Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
---
 builtin/receive-pack.c |  3 +--
 builtin/update-ref.c   |  5 +++--
 refs.c                 | 11 ++++++-----
 refs.h                 |  6 +++---
 4 files changed, 13 insertions(+), 12 deletions(-)

diff --git a/builtin/receive-pack.c b/builtin/receive-pack.c
index 71be82e..b08806d 100644
--- a/builtin/receive-pack.c
+++ b/builtin/receive-pack.c
@@ -933,8 +933,7 @@ static const char *update(struct command *cmd, struct shallow_info *si)
 		if (ref_transaction_delete(transaction,
 					   namespaced_name,
 					   old_sha1,
-					   0, old_sha1 != NULL,
-					   "push", &err)) {
+					   0, "push", &err)) {
 			rp_error("%s", err.buf);
 			strbuf_release(&err);
 			return "failed to delete";
diff --git a/builtin/update-ref.c b/builtin/update-ref.c
index f0db7a3..76b8aef 100644
--- a/builtin/update-ref.c
+++ b/builtin/update-ref.c
@@ -265,8 +265,9 @@ static const char *parse_cmd_delete(struct ref_transaction *transaction,
 	if (*next != line_termination)
 		die("delete %s: extra input: %s", refname, next);
 
-	if (ref_transaction_delete(transaction, refname, old_sha1,
-				   update_flags, have_old, msg, &err))
+	if (ref_transaction_delete(transaction, refname,
+				   have_old ? old_sha1 : NULL,
+				   update_flags, msg, &err))
 		die("%s", err.buf);
 
 	update_flags = 0;
diff --git a/refs.c b/refs.c
index 6beafcf..6bd6581 100644
--- a/refs.c
+++ b/refs.c
@@ -2577,7 +2577,7 @@ static void prune_ref(struct ref_to_prune *r)
 	transaction = ref_transaction_begin(&err);
 	if (!transaction ||
 	    ref_transaction_delete(transaction, r->name, r->sha1,
-				   REF_ISPRUNING, 1, NULL, &err) ||
+				   REF_ISPRUNING, NULL, &err) ||
 	    ref_transaction_commit(transaction, &err)) {
 		ref_transaction_free(transaction);
 		error("%s", err.buf);
@@ -2754,8 +2754,9 @@ int delete_ref(const char *refname, const unsigned char *sha1, int delopt)
 
 	transaction = ref_transaction_begin(&err);
 	if (!transaction ||
-	    ref_transaction_delete(transaction, refname, sha1, delopt,
-				   sha1 && !is_null_sha1(sha1), NULL, &err) ||
+	    ref_transaction_delete(transaction, refname,
+				   (sha1 && !is_null_sha1(sha1)) ? sha1 : NULL,
+				   delopt, NULL, &err) ||
 	    ref_transaction_commit(transaction, &err)) {
 		error("%s", err.buf);
 		ref_transaction_free(transaction);
@@ -3697,11 +3698,11 @@ int ref_transaction_create(struct ref_transaction *transaction,
 int ref_transaction_delete(struct ref_transaction *transaction,
 			   const char *refname,
 			   const unsigned char *old_sha1,
-			   int flags, int have_old, const char *msg,
+			   int flags, const char *msg,
 			   struct strbuf *err)
 {
 	return ref_transaction_update(transaction, refname,
-				      null_sha1, have_old ? old_sha1 : NULL,
+				      null_sha1, old_sha1,
 				      flags, msg, err);
 }
 
diff --git a/refs.h b/refs.h
index f05ac89..ee612da 100644
--- a/refs.h
+++ b/refs.h
@@ -295,8 +295,8 @@ int ref_transaction_create(struct ref_transaction *transaction,
 			   struct strbuf *err);
 
 /*
- * Add a reference deletion to transaction.  If have_old is true, then
- * old_sha1 holds the value that the reference should have had before
+ * Add a reference deletion to transaction.  If old_sha1 is non-NULL, then
+ * it holds the value that the reference should have had before
  * the update (which must not be the null SHA-1).
  * Function returns 0 on success and non-zero on failure. A failure to delete
  * means that the transaction as a whole has failed and will need to be
@@ -305,7 +305,7 @@ int ref_transaction_create(struct ref_transaction *transaction,
 int ref_transaction_delete(struct ref_transaction *transaction,
 			   const char *refname,
 			   const unsigned char *old_sha1,
-			   int flags, int have_old, const char *msg,
+			   int flags, const char *msg,
 			   struct strbuf *err);
 
 /*
-- 
2.1.4

[PATCH 06/11] commit: add tests of commit races

[Michael Haggerty]

Committing involves the following steps:

1. Determine the current value of HEAD (if any).
2. Create the new commit object.
3. Update HEAD.

Please note that step 2 can take arbitrarily long, because it might
involve the user editing a commit message.

If a second process sneaks in a commit during step 2, then the first
commit process should fail. This is usually done correctly, because
step 3 verifies that HEAD still points at the same commit that it
pointed to during step 1.

However, if there is a race when creating an *orphan* commit, then the
test in step 3 is skipped.

Add tests for proper handling of such races. One of the new tests
fails. It will be fixed in a moment.

Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
---
 t/t7516-commit-races.sh | 38 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)
 create mode 100755 t/t7516-commit-races.sh

diff --git a/t/t7516-commit-races.sh b/t/t7516-commit-races.sh
new file mode 100755
index 0000000..5efa351
--- /dev/null
+++ b/t/t7516-commit-races.sh
@@ -0,0 +1,38 @@
+#!/bin/sh
+#
+# Copyright (c) 2014 Michael Haggerty <mhagger@alum.mit.edu>
+#
+
+test_description='git commit races'
+. ./test-lib.sh
+
+test_tick
+
+test_expect_success 'set up editor' '
+	cat >editor <<-\EOF &&
+	#!/bin/sh
+	git commit --allow-empty -m hare
+	echo tortoise >"$1"
+	EOF
+	chmod +x editor
+'
+
+test_expect_failure 'race to create orphan commit' '
+	test_must_fail env EDITOR=./editor git commit --allow-empty &&
+	git show -s --pretty=format:%s >subject &&
+	grep -q hare subject &&
+	test -z "$(git show -s --pretty=format:%P)"
+'
+
+test_expect_success 'race to create non-orphan commit' '
+	git checkout --orphan branch &&
+	git commit --allow-empty -m base &&
+	git rev-parse HEAD >base &&
+	test_must_fail env EDITOR=./editor git commit --allow-empty &&
+	git show -s --pretty=format:%s >subject &&
+	grep -q hare subject &&
+	git rev-parse HEAD^ >parent &&
+	test_cmp base parent
+'
+
+test_done
-- 
2.1.4

[PATCH 07/11] commit: avoid race when creating orphan commits

[Michael Haggerty]

If, during the initial check, HEAD doesn't point at anything, then we
should make sure that it *still* doesn't point at anything when we are
ready to update the reference. Otherwise, another process might commit
while we are working (e.g., while we are waiting for the user to edit
the commit message) and we will silently overwrite it.

This fixes a failing test in t7516.

Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
---
 builtin/commit.c        | 2 +-
 t/t7516-commit-races.sh | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/builtin/commit.c b/builtin/commit.c
index 5654abd..c566e32 100644
--- a/builtin/commit.c
+++ b/builtin/commit.c
@@ -1772,7 +1772,7 @@ int cmd_commit(int argc, const char **argv, const char *prefix)
 	if (!transaction ||
 	    ref_transaction_update(transaction, "HEAD", sha1,
 				   current_head
-				   ? current_head->object.sha1 : NULL,
+				   ? current_head->object.sha1 : null_sha1,
 				   0, sb.buf, &err) ||
 	    ref_transaction_commit(transaction, &err)) {
 		rollback_index_files();
diff --git a/t/t7516-commit-races.sh b/t/t7516-commit-races.sh
index 5efa351..17a139e 100755
--- a/t/t7516-commit-races.sh
+++ b/t/t7516-commit-races.sh
@@ -17,7 +17,7 @@ test_expect_success 'set up editor' '
 	chmod +x editor
 '
 
-test_expect_failure 'race to create orphan commit' '
+test_expect_success 'race to create orphan commit' '
 	test_must_fail env EDITOR=./editor git commit --allow-empty &&
 	git show -s --pretty=format:%s >subject &&
 	grep -q hare subject &&
-- 
2.1.4

[PATCH 08/11] ref_transaction_create(): check that new_sha1 is valid

[Michael Haggerty]

Creating a reference requires a new_sha1 that is not NULL and not
null_sha1.

Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
---
 refs.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/refs.c b/refs.c
index 6bd6581..8ab1f8e 100644
--- a/refs.c
+++ b/refs.c
@@ -3691,6 +3691,8 @@ int ref_transaction_create(struct ref_transaction *transaction,
 			   int flags, const char *msg,
 			   struct strbuf *err)
 {
+	if (!new_sha1 || is_null_sha1(new_sha1))
+		die("BUG: create called without valid new_sha1");
 	return ref_transaction_update(transaction, refname, new_sha1,
 				      null_sha1, flags, msg, err);
 }
-- 
2.1.4

[PATCH 09/11] ref_transaction_delete(): check that old_sha1 is not null_sha1

[Michael Haggerty]

It makes no sense to delete a reference that is already known not to
exist.

Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
---
 refs.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/refs.c b/refs.c
index 8ab1f8e..85815d7 100644
--- a/refs.c
+++ b/refs.c
@@ -3703,6 +3703,8 @@ int ref_transaction_delete(struct ref_transaction *transaction,
 			   int flags, const char *msg,
 			   struct strbuf *err)
 {
+	if (old_sha1 && is_null_sha1(old_sha1))
+		die("BUG: delete called with old_sha1 set to zeros");
 	return ref_transaction_update(transaction, refname,
 				      null_sha1, old_sha1,
 				      flags, msg, err);
-- 
2.1.4

[PATCH 10/11] ref_transaction_verify(): new function to check a reference's value

[Michael Haggerty]

If NULL is passed to ref_transaction_update()'s new_sha1 parameter,
then just verify old_sha1 (under lock) without trying to change the
new value of the reference.

Use this functionality to add a new function ref_transaction_verify(),
which checks the current value of the reference under lock but doesn't
change it.

Use ref_transaction_verify() in the implementation of "git update-ref
--stdin"'s "verify" command to avoid the awkward need to "update" the
reference to its existing value.

Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
---
 builtin/update-ref.c |  7 ++-----
 refs.c               | 47 +++++++++++++++++++++++++++++++++++++++--------
 refs.h               | 34 ++++++++++++++++++++++++++--------
 3 files changed, 67 insertions(+), 21 deletions(-)

diff --git a/builtin/update-ref.c b/builtin/update-ref.c
index 76b8aef..a2eedba 100644
--- a/builtin/update-ref.c
+++ b/builtin/update-ref.c
@@ -282,7 +282,6 @@ static const char *parse_cmd_verify(struct ref_transaction *transaction,
 {
 	struct strbuf err = STRBUF_INIT;
 	char *refname;
-	unsigned char new_sha1[20];
 	unsigned char old_sha1[20];
 
 	refname = parse_refname(input, &next);
@@ -293,13 +292,11 @@ static const char *parse_cmd_verify(struct ref_transaction *transaction,
 			    PARSE_SHA1_OLD))
 		hashclr(old_sha1);
 
-	hashcpy(new_sha1, old_sha1);
-
 	if (*next != line_termination)
 		die("verify %s: extra input: %s", refname, next);
 
-	if (ref_transaction_update(transaction, refname, new_sha1, old_sha1,
-				   update_flags, msg, &err))
+	if (ref_transaction_verify(transaction, refname, old_sha1,
+				   update_flags, &err))
 		die("%s", err.buf);
 
 	update_flags = 0;
diff --git a/refs.c b/refs.c
index 85815d7..0da680e 100644
--- a/refs.c
+++ b/refs.c
@@ -47,10 +47,16 @@ static unsigned char refname_disposition[256] = {
 #define REF_ISPRUNING	0x04
 
 /*
+ * Used as a flag in ref_update::flags when the reference should be
+ * updated to new_sha1.
+ */
+#define REF_HAVE_NEW	0x08
+
+/*
  * Used as a flag in ref_update::flags when old_sha1 should be
  * checked.
  */
-#define REF_HAVE_OLD	0x08
+#define REF_HAVE_OLD	0x10
 
 /*
  * Try to read one refname component from the front of refname.
@@ -3578,10 +3584,17 @@ int for_each_reflog(each_ref_fn fn, void *cb_data)
  * not exist before update.
  */
 struct ref_update {
+	/*
+	 * If (flags & REF_HAVE_NEW), set the reference to this value:
+	 */
 	unsigned char new_sha1[20];
+	/*
+	 * If (flags & REF_HAVE_OLD), check that the reference
+	 * previously had this value:
+	 */
 	unsigned char old_sha1[20];
 	/*
-	 * One or more of REF_HAVE_OLD, REF_NODEREF,
+	 * One or more of REF_HAVE_NEW, REF_HAVE_OLD, REF_NODEREF,
 	 * REF_DELETING, and REF_IS_PRUNING:
 	 */
 	int flags;
@@ -3666,7 +3679,7 @@ int ref_transaction_update(struct ref_transaction *transaction,
 	if (transaction->state != REF_TRANSACTION_OPEN)
 		die("BUG: update called for transaction that is not open");
 
-	if (!is_null_sha1(new_sha1) &&
+	if (new_sha1 && !is_null_sha1(new_sha1) &&
 	    check_refname_format(refname, REFNAME_ALLOW_ONELEVEL)) {
 		strbuf_addf(err, "refusing to update ref with bad name %s",
 			    refname);
@@ -3674,7 +3687,10 @@ int ref_transaction_update(struct ref_transaction *transaction,
 	}
 
 	update = add_update(transaction, refname);
-	hashcpy(update->new_sha1, new_sha1);
+	if (new_sha1) {
+		hashcpy(update->new_sha1, new_sha1);
+		flags |= REF_HAVE_NEW;
+	}
 	if (old_sha1) {
 		hashcpy(update->old_sha1, old_sha1);
 		flags |= REF_HAVE_OLD;
@@ -3710,6 +3726,19 @@ int ref_transaction_delete(struct ref_transaction *transaction,
 				      flags, msg, err);
 }
 
+int ref_transaction_verify(struct ref_transaction *transaction,
+			   const char *refname,
+			   const unsigned char *old_sha1,
+			   int flags,
+			   struct strbuf *err)
+{
+	if (!old_sha1)
+		die("BUG: verify called with old_sha1 set to NULL");
+	return ref_transaction_update(transaction, refname,
+				      NULL, old_sha1,
+				      flags, NULL, err);
+}
+
 int update_ref(const char *action, const char *refname,
 	       const unsigned char *sha1, const unsigned char *oldval,
 	       int flags, enum action_on_err onerr)
@@ -3798,7 +3827,7 @@ int ref_transaction_commit(struct ref_transaction *transaction,
 		struct ref_update *update = updates[i];
 		int flags = update->flags;
 
-		if (is_null_sha1(update->new_sha1))
+		if ((flags & REF_HAVE_NEW) && is_null_sha1(update->new_sha1))
 			flags |= REF_DELETING;
 		update->lock = lock_ref_sha1_basic(
 				update->refname,
@@ -3820,8 +3849,9 @@ int ref_transaction_commit(struct ref_transaction *transaction,
 	/* Perform updates first so live commits remain referenced */
 	for (i = 0; i < n; i++) {
 		struct ref_update *update = updates[i];
+		int flags = update->flags;
 
-		if (!is_null_sha1(update->new_sha1)) {
+		if ((flags & REF_HAVE_NEW) && !is_null_sha1(update->new_sha1)) {
 			if (write_ref_sha1(update->lock, update->new_sha1,
 					   update->msg)) {
 				update->lock = NULL; /* freed by write_ref_sha1 */
@@ -3837,14 +3867,15 @@ int ref_transaction_commit(struct ref_transaction *transaction,
 	/* Perform deletes now that updates are safely completed */
 	for (i = 0; i < n; i++) {
 		struct ref_update *update = updates[i];
+		int flags = update->flags;
 
-		if (update->lock) {
+		if ((flags & REF_HAVE_NEW) && is_null_sha1(update->new_sha1)) {
 			if (delete_ref_loose(update->lock, update->type, err)) {
 				ret = TRANSACTION_GENERIC_ERROR;
 				goto cleanup;
 			}
 
-			if (!(update->flags & REF_ISPRUNING))
+			if (!(flags & REF_ISPRUNING))
 				string_list_append(&refs_to_delete,
 						   update->lock->ref_name);
 		}
diff --git a/refs.h b/refs.h
index ee612da..02d6e39 100644
--- a/refs.h
+++ b/refs.h
@@ -263,14 +263,19 @@ struct ref_transaction *ref_transaction_begin(struct strbuf *err);
  */
 
 /*
- * Add a reference update to transaction.  new_sha1 is the value that
- * the reference should have after the update, or null_sha1 if it should
- * be deleted.  If old_sha1 is non-NULL, then it the value
- * that the reference should have had before the update, or null_sha1 if
- * it must not have existed beforehand.
- * Function returns 0 on success and non-zero on failure. A failure to update
- * means that the transaction as a whole has failed and will need to be
- * rolled back.
+ * Add a reference update to transaction. new_sha1 is the value that
+ * the reference should have after the update, or null_sha1 if it
+ * should be deleted. If new_sha1 is NULL, then the reference is not
+ * changed at all. old_sha1 is the value that the reference must have
+ * before the update, or null_sha1 if it must not have existed
+ * beforehand. The old value is checked after the lock is taken to
+ * prevent races. If the old value doesn't agree with old_sha1, the
+ * whole transaction fails. If old_sha1 is NULL, then the previous
+ * value is not checked.
+ *
+ * Return 0 on success and non-zero on failure. Any failure in the
+ * transaction means that the transaction as a whole has failed and
+ * will need to be rolled back.
  */
 int ref_transaction_update(struct ref_transaction *transaction,
 			   const char *refname,
@@ -309,6 +314,19 @@ int ref_transaction_delete(struct ref_transaction *transaction,
 			   struct strbuf *err);
 
 /*
+ * Verify, within a transaction, that refname has the value old_sha1,
+ * or, if old_sha1 is null_sha1, then verify that the reference
+ * doesn't exist. old_sha1 must be non-NULL. Function returns 0 on
+ * success and non-zero on failure. A failure to verify means that the
+ * transaction as a whole has failed and will need to be rolled back.
+ */
+int ref_transaction_verify(struct ref_transaction *transaction,
+			   const char *refname,
+			   const unsigned char *old_sha1,
+			   int flags,
+			   struct strbuf *err);
+
+/*
  * Commit all of the changes that have been queued in transaction, as
  * atomically as possible.
  *
-- 
2.1.4

[PATCH 11/11] update_ref(): improve documentation

[Michael Haggerty]

Add a docstring for update_ref(), emphasizing its similarity to
ref_transaction_update(). Rename its parameters to match those of
ref_transaction_update().

Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
---
 refs.c |  8 ++++----
 refs.h | 15 +++++++++++----
 2 files changed, 15 insertions(+), 8 deletions(-)

diff --git a/refs.c b/refs.c
index 0da680e..2651583 100644
--- a/refs.c
+++ b/refs.c
@@ -3739,8 +3739,8 @@ int ref_transaction_verify(struct ref_transaction *transaction,
 				      flags, NULL, err);
 }
 
-int update_ref(const char *action, const char *refname,
-	       const unsigned char *sha1, const unsigned char *oldval,
+int update_ref(const char *msg, const char *refname,
+	       const unsigned char *new_sha1, const unsigned char *old_sha1,
 	       int flags, enum action_on_err onerr)
 {
 	struct ref_transaction *t;
@@ -3748,8 +3748,8 @@ int update_ref(const char *action, const char *refname,
 
 	t = ref_transaction_begin(&err);
 	if (!t ||
-	    ref_transaction_update(t, refname, sha1, oldval,
-				   flags, action, &err) ||
+	    ref_transaction_update(t, refname, new_sha1, old_sha1,
+				   flags, msg, &err) ||
 	    ref_transaction_commit(t, &err)) {
 		const char *str = "update_ref failed for ref '%s': %s";
 
diff --git a/refs.h b/refs.h
index 02d6e39..08abd2c 100644
--- a/refs.h
+++ b/refs.h
@@ -344,10 +344,17 @@ int ref_transaction_commit(struct ref_transaction *transaction,
  */
 void ref_transaction_free(struct ref_transaction *transaction);
 
-/** Lock a ref and then write its file */
-int update_ref(const char *action, const char *refname,
-		const unsigned char *sha1, const unsigned char *oldval,
-		int flags, enum action_on_err onerr);
+/**
+ * Lock, update, and unlock a single reference. This function
+ * basically does a transaction containing a single call to
+ * ref_transaction_update(). The parameters to this function have the
+ * same meaning as the corresponding parameters to
+ * ref_transaction_update(). Handle errors as requested by the `onerr`
+ * argument.
+ */
+int update_ref(const char *msg, const char *refname,
+	       const unsigned char *new_sha1, const unsigned char *old_sha1,
+	       int flags, enum action_on_err onerr);
 
 extern int parse_hide_refs_config(const char *var, const char *value, const char *);
 extern int ref_is_hidden(const char *);
-- 
2.1.4

Re: [PATCH 01/11] refs: move REF_DELETING to refs.c

[Stefan Beller]

On Sun, Feb 8, 2015 at 8:13 AM, Michael Haggerty <mhagger@alum.mit.edu> wrote:
> It is only used internally now. Document it a little bit better, too.
>
> Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
Reviewed-by: Stefan Beller <sbeller@google.com>

Re: [PATCH 02/11] refs: remove the gap in the REF_* constant values

[Stefan Beller]

On Sun, Feb 8, 2015 at 8:13 AM, Michael Haggerty <mhagger@alum.mit.edu> wrote:
> There is no reason to "reserve" a gap between the public and private
> flags values.
>
> Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
> ---
>  refs.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/refs.c b/refs.c
> index cd5208b..477a5b3 100644
> --- a/refs.c
> +++ b/refs.c
> @@ -44,7 +44,8 @@ static unsigned char refname_disposition[256] = {
>   * Used as a flag to ref_transaction_delete when a loose ref is being
>   * pruned.
>   */
> -#define REF_ISPRUNING  0x0100
> +#define REF_ISPRUNING  0x04
> +

I'm ok with that change, though I remember Duy had once started to
create a table in a header file documenting all positions of flags
(e.g foo.c would use 1<<{1,2,3,7}, and bar.c had 1<<{1,2,5,26} in
use).
I wonder if we should start a discussion on that topic. I think it
makes sense to have a central place documenting all the flags
(specially their bit allocation), but this one is only in one c file,
so we're really unlikely to
break something by having different defines pointing at the same bit.

Re: [PATCH 04/11] ref_transaction_update(): remove "have_old" parameter

[Stefan Beller]

On Sun, Feb 8, 2015 at 8:13 AM, Michael Haggerty <mhagger@alum.mit.edu> wrote:
> Instead, if old_sha1 is non-NULL, verify it; otherwise, don't.

parsing error on that commit message. I needed to read the code to understand
what you want to say here.
The code itself is

Reviewed-by: Stefan Beller <sbeller@google.com>

>
> ref_transaction_delete() will get the same treatment in a moment.
>
> Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
> ---
>  branch.c               |  5 +++--
>  builtin/commit.c       |  2 +-
>  builtin/fetch.c        |  6 ++++--
>  builtin/receive-pack.c |  2 +-
>  builtin/replace.c      |  2 +-
>  builtin/tag.c          |  2 +-
>  builtin/update-ref.c   |  7 ++++---
>  fast-import.c          |  6 +++---
>  refs.c                 | 18 ++++++++----------
>  refs.h                 |  6 +++---
>  sequencer.c            |  2 +-
>  walker.c               |  2 +-
>  12 files changed, 31 insertions(+), 29 deletions(-)
>
> diff --git a/branch.c b/branch.c
> index 4bab55a..b002435 100644
> --- a/branch.c
> +++ b/branch.c
> @@ -284,8 +284,9 @@ void create_branch(const char *head,
>
>                 transaction = ref_transaction_begin(&err);
>                 if (!transaction ||
> -                   ref_transaction_update(transaction, ref.buf, sha1,
> -                                          null_sha1, 0, !forcing, msg, &err) ||
> +                   ref_transaction_update(transaction, ref.buf,
> +                                          sha1, forcing ? NULL : null_sha1,
> +                                          0, msg, &err) ||
>                     ref_transaction_commit(transaction, &err))
>                         die("%s", err.buf);
>                 ref_transaction_free(transaction);
> diff --git a/builtin/commit.c b/builtin/commit.c
> index 7d90c35..5654abd 100644
> --- a/builtin/commit.c
> +++ b/builtin/commit.c
> @@ -1773,7 +1773,7 @@ int cmd_commit(int argc, const char **argv, const char *prefix)
>             ref_transaction_update(transaction, "HEAD", sha1,
>                                    current_head
>                                    ? current_head->object.sha1 : NULL,
> -                                  0, !!current_head, sb.buf, &err) ||
> +                                  0, sb.buf, &err) ||
>             ref_transaction_commit(transaction, &err)) {
>                 rollback_index_files();
>                 die("%s", err.buf);
> diff --git a/builtin/fetch.c b/builtin/fetch.c
> index 7b84d35..719bf4f 100644
> --- a/builtin/fetch.c
> +++ b/builtin/fetch.c
> @@ -416,8 +416,10 @@ static int s_update_ref(const char *action,
>
>         transaction = ref_transaction_begin(&err);
>         if (!transaction ||
> -           ref_transaction_update(transaction, ref->name, ref->new_sha1,
> -                                  ref->old_sha1, 0, check_old, msg, &err))
> +           ref_transaction_update(transaction, ref->name,
> +                                  ref->new_sha1,
> +                                  check_old ? ref->old_sha1 : NULL,
> +                                  0, msg, &err))
>                 goto fail;
>
>         ret = ref_transaction_commit(transaction, &err);
> diff --git a/builtin/receive-pack.c b/builtin/receive-pack.c
> index 4e85e25..71be82e 100644
> --- a/builtin/receive-pack.c
> +++ b/builtin/receive-pack.c
> @@ -951,7 +951,7 @@ static const char *update(struct command *cmd, struct shallow_info *si)
>                 if (ref_transaction_update(transaction,
>                                            namespaced_name,
>                                            new_sha1, old_sha1,
> -                                          0, 1, "push",
> +                                          0, "push",
>                                            &err)) {
>                         rp_error("%s", err.buf);
>                         strbuf_release(&err);
> diff --git a/builtin/replace.c b/builtin/replace.c
> index 85d39b5..54bf01a 100644
> --- a/builtin/replace.c
> +++ b/builtin/replace.c
> @@ -172,7 +172,7 @@ static int replace_object_sha1(const char *object_ref,
>         transaction = ref_transaction_begin(&err);
>         if (!transaction ||
>             ref_transaction_update(transaction, ref, repl, prev,
> -                                  0, 1, NULL, &err) ||
> +                                  0, NULL, &err) ||
>             ref_transaction_commit(transaction, &err))
>                 die("%s", err.buf);
>
> diff --git a/builtin/tag.c b/builtin/tag.c
> index e633f4e..232c28c 100644
> --- a/builtin/tag.c
> +++ b/builtin/tag.c
> @@ -733,7 +733,7 @@ int cmd_tag(int argc, const char **argv, const char *prefix)
>         transaction = ref_transaction_begin(&err);
>         if (!transaction ||
>             ref_transaction_update(transaction, ref.buf, object, prev,
> -                                  0, 1, NULL, &err) ||
> +                                  0, NULL, &err) ||
>             ref_transaction_commit(transaction, &err))
>                 die("%s", err.buf);
>         ref_transaction_free(transaction);
> diff --git a/builtin/update-ref.c b/builtin/update-ref.c
> index 1993529..f0db7a3 100644
> --- a/builtin/update-ref.c
> +++ b/builtin/update-ref.c
> @@ -198,8 +198,9 @@ static const char *parse_cmd_update(struct ref_transaction *transaction,
>         if (*next != line_termination)
>                 die("update %s: extra input: %s", refname, next);
>
> -       if (ref_transaction_update(transaction, refname, new_sha1, old_sha1,
> -                                  update_flags, have_old, msg, &err))
> +       if (ref_transaction_update(transaction, refname,
> +                                  new_sha1, have_old ? old_sha1 : NULL,
> +                                  update_flags, msg, &err))
>                 die("%s", err.buf);
>
>         update_flags = 0;
> @@ -297,7 +298,7 @@ static const char *parse_cmd_verify(struct ref_transaction *transaction,
>                 die("verify %s: extra input: %s", refname, next);
>
>         if (ref_transaction_update(transaction, refname, new_sha1, old_sha1,
> -                                  update_flags, 1, msg, &err))
> +                                  update_flags, msg, &err))
>                 die("%s", err.buf);
>
>         update_flags = 0;
> diff --git a/fast-import.c b/fast-import.c
> index d0bd285..1e72bfb 100644
> --- a/fast-import.c
> +++ b/fast-import.c
> @@ -1716,7 +1716,7 @@ static int update_branch(struct branch *b)
>         transaction = ref_transaction_begin(&err);
>         if (!transaction ||
>             ref_transaction_update(transaction, b->name, b->sha1, old_sha1,
> -                                  0, 1, msg, &err) ||
> +                                  0, msg, &err) ||
>             ref_transaction_commit(transaction, &err)) {
>                 ref_transaction_free(transaction);
>                 error("%s", err.buf);
> @@ -1756,8 +1756,8 @@ static void dump_tags(void)
>                 strbuf_reset(&ref_name);
>                 strbuf_addf(&ref_name, "refs/tags/%s", t->name);
>
> -               if (ref_transaction_update(transaction, ref_name.buf, t->sha1,
> -                                          NULL, 0, 0, msg, &err)) {
> +               if (ref_transaction_update(transaction, ref_name.buf,
> +                                          t->sha1, NULL, 0, msg, &err)) {
>                         failure |= error("%s", err.buf);
>                         goto cleanup;
>                 }
> diff --git a/refs.c b/refs.c
> index 851c9f8..6beafcf 100644
> --- a/refs.c
> +++ b/refs.c
> @@ -3655,7 +3655,7 @@ int ref_transaction_update(struct ref_transaction *transaction,
>                            const char *refname,
>                            const unsigned char *new_sha1,
>                            const unsigned char *old_sha1,
> -                          int flags, int have_old, const char *msg,
> +                          int flags, const char *msg,
>                            struct strbuf *err)
>  {
>         struct ref_update *update;
> @@ -3665,9 +3665,6 @@ int ref_transaction_update(struct ref_transaction *transaction,
>         if (transaction->state != REF_TRANSACTION_OPEN)
>                 die("BUG: update called for transaction that is not open");
>
> -       if (have_old && !old_sha1)
> -               die("BUG: have_old is true but old_sha1 is NULL");
> -
>         if (!is_null_sha1(new_sha1) &&
>             check_refname_format(refname, REFNAME_ALLOW_ONELEVEL)) {
>                 strbuf_addf(err, "refusing to update ref with bad name %s",
> @@ -3677,7 +3674,7 @@ int ref_transaction_update(struct ref_transaction *transaction,
>
>         update = add_update(transaction, refname);
>         hashcpy(update->new_sha1, new_sha1);
> -       if (have_old) {
> +       if (old_sha1) {
>                 hashcpy(update->old_sha1, old_sha1);
>                 flags |= REF_HAVE_OLD;
>         }
> @@ -3694,7 +3691,7 @@ int ref_transaction_create(struct ref_transaction *transaction,
>                            struct strbuf *err)
>  {
>         return ref_transaction_update(transaction, refname, new_sha1,
> -                                     null_sha1, flags, 1, msg, err);
> +                                     null_sha1, flags, msg, err);
>  }
>
>  int ref_transaction_delete(struct ref_transaction *transaction,
> @@ -3703,8 +3700,9 @@ int ref_transaction_delete(struct ref_transaction *transaction,
>                            int flags, int have_old, const char *msg,
>                            struct strbuf *err)
>  {
> -       return ref_transaction_update(transaction, refname, null_sha1,
> -                                     old_sha1, flags, have_old, msg, err);
> +       return ref_transaction_update(transaction, refname,
> +                                     null_sha1, have_old ? old_sha1 : NULL,
> +                                     flags, msg, err);
>  }
>
>  int update_ref(const char *action, const char *refname,
> @@ -3716,8 +3714,8 @@ int update_ref(const char *action, const char *refname,
>
>         t = ref_transaction_begin(&err);
>         if (!t ||
> -           ref_transaction_update(t, refname, sha1, oldval, flags,
> -                                  !!oldval, action, &err) ||
> +           ref_transaction_update(t, refname, sha1, oldval,
> +                                  flags, action, &err) ||
>             ref_transaction_commit(t, &err)) {
>                 const char *str = "update_ref failed for ref '%s': %s";
>
> diff --git a/refs.h b/refs.h
> index 9bf2148..f05ac89 100644
> --- a/refs.h
> +++ b/refs.h
> @@ -265,8 +265,8 @@ struct ref_transaction *ref_transaction_begin(struct strbuf *err);
>  /*
>   * Add a reference update to transaction.  new_sha1 is the value that
>   * the reference should have after the update, or null_sha1 if it should
> - * be deleted.  If have_old is true, then old_sha1 holds the value
> - * that the reference should have had before the update, or zeros if
> + * be deleted.  If old_sha1 is non-NULL, then it the value
> + * that the reference should have had before the update, or null_sha1 if
>   * it must not have existed beforehand.
>   * Function returns 0 on success and non-zero on failure. A failure to update
>   * means that the transaction as a whole has failed and will need to be
> @@ -276,7 +276,7 @@ int ref_transaction_update(struct ref_transaction *transaction,
>                            const char *refname,
>                            const unsigned char *new_sha1,
>                            const unsigned char *old_sha1,
> -                          int flags, int have_old, const char *msg,
> +                          int flags, const char *msg,
>                            struct strbuf *err);
>
>  /*
> diff --git a/sequencer.c b/sequencer.c
> index 77a1266..32aa05e 100644
> --- a/sequencer.c
> +++ b/sequencer.c
> @@ -252,7 +252,7 @@ static int fast_forward_to(const unsigned char *to, const unsigned char *from,
>         if (!transaction ||
>             ref_transaction_update(transaction, "HEAD",
>                                    to, unborn ? null_sha1 : from,
> -                                  0, 1, sb.buf, &err) ||
> +                                  0, sb.buf, &err) ||
>             ref_transaction_commit(transaction, &err)) {
>                 ref_transaction_free(transaction);
>                 error("%s", err.buf);
> diff --git a/walker.c b/walker.c
> index f149371..34881b0 100644
> --- a/walker.c
> +++ b/walker.c
> @@ -299,7 +299,7 @@ int walker_fetch(struct walker *walker, int targets, char **target,
>                 strbuf_reset(&refname);
>                 strbuf_addf(&refname, "refs/%s", write_ref[i]);
>                 if (ref_transaction_update(transaction, refname.buf,
> -                                          &sha1[20 * i], NULL, 0, 0,
> +                                          &sha1[20 * i], NULL, 0,
>                                            msg ? msg : "fetch (unknown)",
>                                            &err)) {
>                         error("%s", err.buf);
> --
> 2.1.4
>

Re: [PATCH 05/11] ref_transaction_delete(): remove "have_old" parameter

[Stefan Beller]

On Sun, Feb 8, 2015 at 8:13 AM, Michael Haggerty <mhagger@alum.mit.edu> wrote:
> Instead, if old_sha1 is non-NULL, verify it; otherwise, don't.
>
> Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>

Reviewed-by: Stefan Beller <sbeller@google.com> apart from the commit message.

Re: [PATCH 06/11] commit: add tests of commit races

[Stefan Beller]

On Sun, Feb 8, 2015 at 8:14 AM, Michael Haggerty <mhagger@alum.mit.edu> wrote:

> diff --git a/t/t7516-commit-races.sh b/t/t7516-commit-races.sh
> new file mode 100755
> index 0000000..5efa351
> --- /dev/null
> +++ b/t/t7516-commit-races.sh
> @@ -0,0 +1,38 @@
> +#!/bin/sh
> +#
> +# Copyright (c) 2014 Michael Haggerty <mhagger@alum.mit.edu>

What is the projects stance on copyright lines?
I've seen files (most of them from the beginning) having some copyright lines,
other files (often introduced way later) not having them, "because
we're git and have
history, so we know who did it".

The tests themselves look fine.

Is there a reason you did not append the tests in 7509 ?


>

Re: [PATCH 07/11] commit: avoid race when creating orphan commits

[Stefan Beller]

On Sun, Feb 8, 2015 at 8:14 AM, Michael Haggerty <mhagger@alum.mit.edu> wrote:
> If, during the initial check, HEAD doesn't point at anything, then we

Maybe
"If HEAD doesn't point at anything during the initial check, then..." ?
(Being a non native speaker is hard. These commas look so confusing,
so the version without commas makes it way easier to read for me.)

Otherwise
Reviewed-by: Stefan Beller <sbeller@google.com>

Re: [PATCH 08/11] ref_transaction_create(): check that new_sha1 is valid

[Stefan Beller]

On Sun, Feb 8, 2015 at 8:14 AM, Michael Haggerty <mhagger@alum.mit.edu> wrote:
> Creating a reference requires a new_sha1 that is not NULL and not
> null_sha1.
>
> Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>

Reviewed-by: Stefan Beller <sbeller@google.com>

Re: [PATCH 09/11] ref_transaction_delete(): check that old_sha1 is not null_sha1

[Stefan Beller]

On Sun, Feb 8, 2015 at 8:14 AM, Michael Haggerty <mhagger@alum.mit.edu> wrote:
> It makes no sense to delete a reference that is already known not to
> exist.
>
> Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>

Reviewed-by: Stefan Beller <sbeller@google.com>

Re: [PATCH 00/11] Allow reference values to be checked in a transaction

[Junio C Hamano]

Michael Haggerty <mhagger@alum.mit.edu> writes:

> The main purpose of this series is to simplify the interface to
> reference transactions as follows:
>
> * Remove the need to supply an explicit have_old parameter to
>   ref_transaction_update() and ref_transaction_delete(). Instead,
>   check the old_sha1 if and only if it is non-NULL.
>
> * Allow NULL to be supplied to ref_transaction_update() as new_sha1,
>   in which case old_sha1 will be verified under lock, but the
>   reference's value will not be altered.
>
> * Add a function ref_transaction_verify(), which verifies the current
>   value of a reference without changing it.
>
> * Make the similarity between ref_transaction_update() and
>   update_ref() more obvious.
>
> Along the way, it fixes a race that could happen if two processes try
> to create an orphan commit at the same time.
>
> This patch series applies on top of master merged together with
> sb/atomic-push, which in turn depends on mh/reflog-expire.

I am a bit puzzled by your intentions, so help me out.

I see that your understanding is that Stefan will be rerolling the
push atomicity thing; wouldn't we then want to have a "fix and
clean" topic like this one first and build the push atomicity thing
on top instead?

In other words, would it make sense to extend mh/reflog-expire (in
'next') topic with commits from "Fix some problems with reflog
expiration (8 patches)" series and this series to fix and clean it?

We may even want to rebase/reroll mh/reflog-expire on top of v2.3
while doing so to adjust to the transaction stuff, if that makes
some of the changes in the two new series unnecessary (if these "fix
and clean up" changes made in mh/reflog-expire in 'next', that is).

Re: [PATCH 10/11] ref_transaction_verify(): new function to check a reference's value

[Stefan Beller]

On Sun, Feb 8, 2015 at 8:14 AM, Michael Haggerty <mhagger@alum.mit.edu> wrote:
>  /*
> - * Add a reference update to transaction.  new_sha1 is the value that
> - * the reference should have after the update, or null_sha1 if it should
> - * be deleted.  If old_sha1 is non-NULL, then it the value
> - * that the reference should have had before the update, or null_sha1 if
> - * it must not have existed beforehand.
> - * Function returns 0 on success and non-zero on failure. A failure to update
> - * means that the transaction as a whole has failed and will need to be
> - * rolled back.
> + * Add a reference update to transaction. new_sha1 is the value that
> + * the reference should have after the update, or null_sha1 if it
> + * should be deleted. If new_sha1 is NULL, then the reference is not
> + * changed at all. old_sha1 is the value that the reference must have
> + * before the update, or null_sha1 if it must not have existed
> + * beforehand. The old value is checked after the lock is taken to
> + * prevent races. If the old value doesn't agree with old_sha1, the
> + * whole transaction fails. If old_sha1 is NULL, then the previous
> + * value is not checked.
> + *
> + * Return 0 on success and non-zero on failure. Any failure in the
> + * transaction means that the transaction as a whole has failed and
> + * will need to be rolled back.

Do we need to be explicit about having to rollback everything in each
ref_transaction_* function documentation?

I like the new wording (first paragraph) of this function documentation.

Re: [PATCH 11/11] update_ref(): improve documentation

[Stefan Beller]

On Sun, Feb 8, 2015 at 8:14 AM, Michael Haggerty <mhagger@alum.mit.edu> wrote:
> Add a docstring for update_ref(), emphasizing its similarity to
> ref_transaction_update(). Rename its parameters to match those of
> ref_transaction_update().
>
> Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>

Reviewed-by: Stefan Beller <sbeller@google.com>

Re: [PATCH 00/11] Allow reference values to be checked in a transaction

[Stefan Beller]

On Mon, Feb 9, 2015 at 10:41 AM, Junio C Hamano <gitster@pobox.com> wrote:
> Michael Haggerty <mhagger@alum.mit.edu> writes:
>
>> The main purpose of this series is to simplify the interface to
>> reference transactions as follows:
>>
>> * Remove the need to supply an explicit have_old parameter to
>>   ref_transaction_update() and ref_transaction_delete(). Instead,
>>   check the old_sha1 if and only if it is non-NULL.
>>
>> * Allow NULL to be supplied to ref_transaction_update() as new_sha1,
>>   in which case old_sha1 will be verified under lock, but the
>>   reference's value will not be altered.
>>
>> * Add a function ref_transaction_verify(), which verifies the current
>>   value of a reference without changing it.
>>
>> * Make the similarity between ref_transaction_update() and
>>   update_ref() more obvious.
>>
>> Along the way, it fixes a race that could happen if two processes try
>> to create an orphan commit at the same time.
>>
>> This patch series applies on top of master merged together with
>> sb/atomic-push, which in turn depends on mh/reflog-expire.
>
> I am a bit puzzled by your intentions, so help me out.
>
> I see that your understanding is that Stefan will be rerolling the
> push atomicity thing; wouldn't we then want to have a "fix and
> clean" topic like this one first and build the push atomicity thing
> on top instead?

My understanding is to not reroll origin/sb/atomic-push, but
origin/sb/atomic-push-fix (which is worded misleading. It is not about
atomic pushes, but about enabling large transactions in my understanding)

>
> In other words, would it make sense to extend mh/reflog-expire (in
> 'next') topic with commits from "Fix some problems with reflog
> expiration (8 patches)" series and this series to fix and clean it?

I am not sure what advantages this would bring. A better history
for bisection? I cannot speak for Michael, but my understanding was
to have mh/reflog-expire and sb/atomic-push-fix merged now that 2.3
is out and everything else on top is unclear/rerolled/discussed as needed.

>
> We may even want to rebase/reroll mh/reflog-expire on top of v2.3
> while doing so to adjust to the transaction stuff, if that makes
> some of the changes in the two new series unnecessary (if these "fix
> and clean up" changes made in mh/reflog-expire in 'next', that is).
>

Re: [PATCH 00/11] Allow reference values to be checked in a transaction

[Michael Haggerty]

On 02/09/2015 08:05 PM, Stefan Beller wrote:
> On Mon, Feb 9, 2015 at 10:41 AM, Junio C Hamano <gitster@pobox.com> wrote:
>> Michael Haggerty <mhagger@alum.mit.edu> writes:
>>> [...]
>>> This patch series applies on top of master merged together with
>>> sb/atomic-push, which in turn depends on mh/reflog-expire.
>>
>> I am a bit puzzled by your intentions, so help me out.
>>
>> I see that your understanding is that Stefan will be rerolling the
>> push atomicity thing; wouldn't we then want to have a "fix and
>> clean" topic like this one first and build the push atomicity thing
>> on top instead?
> 
> My understanding is to not reroll origin/sb/atomic-push, but
> origin/sb/atomic-push-fix (which is worded misleading. It is not about
> atomic pushes, but about enabling large transactions in my understanding)

Yes, that is what I thought.

>> In other words, would it make sense to extend mh/reflog-expire (in
>> 'next') topic with commits from "Fix some problems with reflog
>> expiration (8 patches)" series and this series to fix and clean it?

Both series have to do with reflogs, but they are logically pretty
independent. In particular, "Fix some problems with reflog expiration"
fixes problems that existed before mh/reflog-expire. And considering
that one topic is quite mature whereas the the other is just making its
debut, it seemed like yoking them together would slow down the first
topic for no good reason.

> I am not sure what advantages this would bring. A better history
> for bisection? I cannot speak for Michael, but my understanding was
> to have mh/reflog-expire and sb/atomic-push-fix merged now that 2.3
> is out and everything else on top is unclear/rerolled/discussed as needed.

Stefan, I think you mean sb/atomic-push, not sb/atomic-push-fix, right?

>> We may even want to rebase/reroll mh/reflog-expire on top of v2.3
>> while doing so to adjust to the transaction stuff, if that makes
>> some of the changes in the two new series unnecessary (if these "fix
>> and clean up" changes made in mh/reflog-expire in 'next', that is).

I see all of these topics as pretty independent, though given that they
touch similar areas of the code they often have annoying (but small)
conflicts with each other.

I expected that mh/reflog-expire and sb/atomic-push would be merged
pretty early in the 2.4 cycle (they are both in next already). Junio, is
that not your plan?

Michael

-- 
Michael Haggerty
mhagger@alum.mit.edu

Re: [PATCH 00/11] Allow reference values to be checked in a transaction

[Stefan Beller]

On Mon, Feb 9, 2015 at 12:40 PM, Michael Haggerty <mhagger@alum.mit.edu> wrote:

>
>> I am not sure what advantages this would bring. A better history
>> for bisection? I cannot speak for Michael, but my understanding was
>> to have mh/reflog-expire and sb/atomic-push-fix merged now that 2.3
>> is out and everything else on top is unclear/rerolled/discussed as needed.
>
> Stefan, I think you mean sb/atomic-push, not sb/atomic-push-fix, right?

Of course, sorry for adding more confusion here.

Re: [PATCH 00/11] Allow reference values to be checked in a transaction

[Junio C Hamano]

Michael Haggerty <mhagger@alum.mit.edu> writes:

> On 02/09/2015 08:05 PM, Stefan Beller wrote:
>> On Mon, Feb 9, 2015 at 10:41 AM, Junio C Hamano <gitster@pobox.com> wrote:
>>> Michael Haggerty <mhagger@alum.mit.edu> writes:
>>>> [...]
>>>> This patch series applies on top of master merged together with
>>>> sb/atomic-push, which in turn depends on mh/reflog-expire.
>>>
>>> I am a bit puzzled by your intentions, so help me out.
>>>
>>> I see that your understanding is that Stefan will be rerolling the
>>> push atomicity thing; wouldn't we then want to have a "fix and
>>> clean" topic like this one first and build the push atomicity thing
>>> on top instead?
>> 
>> My understanding is to not reroll origin/sb/atomic-push, but
>> origin/sb/atomic-push-fix (which is worded misleading. It is not about
>> atomic pushes, but about enabling large transactions in my understanding)
>
> Yes, that is what I thought.
> ...
> Both series have to do with reflogs, but they are logically pretty
> independent. In particular, "Fix some problems with reflog expiration"
> fixes problems that existed before mh/reflog-expire. And considering
> that one topic is quite mature whereas the the other is just making its
> debut, it seemed like yoking them together would slow down the first
> topic for no good reason.
> ...
> I expected that mh/reflog-expire and sb/atomic-push would be merged
> pretty early in the 2.4 cycle (they are both in next already). Junio, is
> that not your plan?

OK, I am glad I asked for clarifications.  It was that I felt uneasy
to see many new "this cleans and fixes" while there are in-flight
topics in the same area.

Thanks.

Re: [PATCH 06/11] commit: add tests of commit races

[Junio C Hamano]

Stefan Beller <sbeller@google.com> writes:

> On Sun, Feb 8, 2015 at 8:14 AM, Michael Haggerty <mhagger@alum.mit.edu> wrote:
>
>> +# Copyright (c) 2014 Michael Haggerty <mhagger@alum.mit.edu>
>
> What is the projects stance on copyright lines?

I do not think we have a strong one.

> I've seen files (most of them from the beginning) having some copyright lines,
> other files (often introduced way later) not having them, "because
> we're git and have
> history, so we know who did it".

I personally agree with that statement.  Also, a copyright notice
per file is often added when a new file is added, but that ends up
giving false sense of "ownership" to everybody else down the line
even after the file has been extensively modified.  It's not like
Michael solely owns all lines in this file in later versions.  And
even if people added their name at the top every time they make any
change, their names tend to stay even when their contributions are
later completely rewritten or removed.

In a sense, my agreement with your statement is stronger than "Yes,
Git can tell us who did what anyway".  What we can find in the
history is the sole source of truth, and in-file copyright notice is
misleading.  You do not even have to have one in the Berne signatory
nations anyway.

> The tests themselves look fine.
>
> Is there a reason you did not append the tests in 7509 ?

Hmph.

Re: [PATCH 06/11] commit: add tests of commit races

[Michael Haggerty]

On 02/10/2015 08:12 PM, Junio C Hamano wrote:
> Stefan Beller <sbeller@google.com> writes:
> 
>> On Sun, Feb 8, 2015 at 8:14 AM, Michael Haggerty <mhagger@alum.mit.edu> wrote:
>>
>>> +# Copyright (c) 2014 Michael Haggerty <mhagger@alum.mit.edu>
>>
>> What is the projects stance on copyright lines?
> 
> I do not think we have a strong one.
> 
>> I've seen files (most of them from the beginning) having some copyright lines,
>> other files (often introduced way later) not having them, "because
>> we're git and have
>> history, so we know who did it".
> 
> I personally agree with that statement.  Also, a copyright notice
> per file is often added when a new file is added, but that ends up
> giving false sense of "ownership" to everybody else down the line
> even after the file has been extensively modified.  It's not like
> Michael solely owns all lines in this file in later versions.  And
> even if people added their name at the top every time they make any
> change, their names tend to stay even when their contributions are
> later completely rewritten or removed.
> 
> In a sense, my agreement with your statement is stronger than "Yes,
> Git can tell us who did what anyway".  What we can find in the
> history is the sole source of truth, and in-file copyright notice is
> misleading.  You do not even have to have one in the Berne signatory
> nations anyway.

I only put a copyright notice there because I thought it was standard
practice. I think it is ugly and would rather do without it, even aside
from the practical problems that Junio mentioned.

On the other hand, there's this [1] and this [2] from the FSF, which
recommend a copyright blurb at the beginning of every source file.
Though actually the recommendation is to include a GPL blurb too, not
just a naked copyright line like I used. But I get the feeling that the
FSF's recommendation is more for ideological than for legal reasons.

If I don't hear anything else, I'll delete the copyright line in the reroll.

>> The tests themselves look fine.
>>
>> Is there a reason you did not append the tests in 7509 ?
> 
> Hmph.

I don't know what "Hmph" means in this context.

The description for t7509 is "git commit --reset-author", which doesn't
seem to describe the new tests.

There are also

    t7500 "git commit / Tests for selected commit options"
    t7501 "git commit"
    t7502 "git commit porcelain-ish"

I suppose the new tests could go in any of these. But since the tests
are thematically a bit unusual (dealing with races rather than testing
command-line options) and they start with an orphan commit, I thought it
would be just as easy to put them in their own file to make it clear
that they are independent.

I really don't care either way.

Michael

[1] http://www.gnu.org/licenses/gpl-howto.html
[2] http://www.gnu.org/licenses/gpl-faq.html#NoticeInSourceFile

-- 
Michael Haggerty
mhagger@alum.mit.edu

Re: [PATCH 04/11] ref_transaction_update(): remove "have_old" parameter

[Michael Haggerty]

On 02/09/2015 07:20 PM, Stefan Beller wrote:
> On Sun, Feb 8, 2015 at 8:13 AM, Michael Haggerty <mhagger@alum.mit.edu> wrote:
>> Instead, if old_sha1 is non-NULL, verify it; otherwise, don't.
> 
> parsing error on that commit message. I needed to read the code to understand
> what you want to say here.

Thanks for the comment. I will change that sentence to

    Instead, verify the reference's old value if and only if old_sha1 is
    non-NULL.

(in this commit and its successor).

Michael

-- 
Michael Haggerty
mhagger@alum.mit.edu

Re: [PATCH 07/11] commit: avoid race when creating orphan commits

[Michael Haggerty]

On 02/09/2015 07:35 PM, Stefan Beller wrote:
> On Sun, Feb 8, 2015 at 8:14 AM, Michael Haggerty <mhagger@alum.mit.edu> wrote:
>> If, during the initial check, HEAD doesn't point at anything, then we
> 
> Maybe
> "If HEAD doesn't point at anything during the initial check, then..." ?
> (Being a non native speaker is hard. These commas look so confusing,
> so the version without commas makes it way easier to read for me.)

Will change. Thanks!

Michael

-- 
Michael Haggerty
mhagger@alum.mit.edu

Re: [PATCH 10/11] ref_transaction_verify(): new function to check a reference's value

[Michael Haggerty]

On 02/09/2015 07:50 PM, Stefan Beller wrote:
> On Sun, Feb 8, 2015 at 8:14 AM, Michael Haggerty <mhagger@alum.mit.edu> wrote:
>>  /*
>> - * Add a reference update to transaction.  new_sha1 is the value that
>> - * the reference should have after the update, or null_sha1 if it should
>> - * be deleted.  If old_sha1 is non-NULL, then it the value
>> - * that the reference should have had before the update, or null_sha1 if
>> - * it must not have existed beforehand.
>> - * Function returns 0 on success and non-zero on failure. A failure to update
>> - * means that the transaction as a whole has failed and will need to be
>> - * rolled back.
>> + * Add a reference update to transaction. new_sha1 is the value that
>> + * the reference should have after the update, or null_sha1 if it
>> + * should be deleted. If new_sha1 is NULL, then the reference is not
>> + * changed at all. old_sha1 is the value that the reference must have
>> + * before the update, or null_sha1 if it must not have existed
>> + * beforehand. The old value is checked after the lock is taken to
>> + * prevent races. If the old value doesn't agree with old_sha1, the
>> + * whole transaction fails. If old_sha1 is NULL, then the previous
>> + * value is not checked.
>> + *
>> + * Return 0 on success and non-zero on failure. Any failure in the
>> + * transaction means that the transaction as a whole has failed and
>> + * will need to be rolled back.
> 
> Do we need to be explicit about having to rollback everything in each
> ref_transaction_* function documentation?

Thanks for the suggestion.

I just added a new commit that moves this (and more) information to the
introductory comment above these four functions' declarations, so that
it doesn't have to be repeated for each function. It will be in the re-roll.

Michael

-- 
Michael Haggerty
mhagger@alum.mit.edu

Re: [PATCH 06/11] commit: add tests of commit races

[Junio C Hamano]

Michael Haggerty <mhagger@alum.mit.edu> writes:

> On the other hand, there's this [1] and this [2] from the FSF, which
> recommend a copyright blurb at the beginning of every source file.
> Though actually the recommendation is to include a GPL blurb too, not
> just a naked copyright line like I used. But I get the feeling that the
> FSF's recommendation is more for ideological than for legal reasons.

It is relatively recent (late 1980s) that US became part of Berne
Convention (1886).  Before that you had to write Copyright and All
Rights Reserved (or Todos Derechos Reserrvados) in Buenos Aires
days.

It is not surprising to see the more cautious practice from the
older days in recommendations by an old organization like FSF.

>>> Is there a reason you did not append the tests in 7509 ?
>> 
>> Hmph.
>
> I don't know what "Hmph" means in this context.

"Hmph, it might deserve more thought, but I do not have opinion
right now".

Re: [PATCH 06/11] commit: add tests of commit races

[Stefan Beller]

On Wed, Feb 11, 2015 at 10:10 AM, Junio C Hamano <gitster@pobox.com> wrote:
> Michael Haggerty <mhagger@alum.mit.edu> writes:
>
>> On the other hand, there's this [1] and this [2] from the FSF, which
>> recommend a copyright blurb at the beginning of every source file.
>> Though actually the recommendation is to include a GPL blurb too, not
>> just a naked copyright line like I used. But I get the feeling that the
>> FSF's recommendation is more for ideological than for legal reasons.
>
> It is relatively recent (late 1980s) that US became part of Berne
> Convention (1886).  Before that you had to write Copyright and All
> Rights Reserved (or Todos Derechos Reserrvados) in Buenos Aires
> days.

Quoting from wikipedia[1]

(note however that when the United States joined the Convention
in 1988, it continued to make statutory damages and attorney's fees
only available for registered works).

Does that mean if somebody would infringe the GPL on git (e.g. selling
a modified git version without giving sources), it would be harder to
tell him to stop because of the missing attorney's fees in case we drop
out the copyright notices? (I have no deep understanding of legal
processes in the US).

>
> It is not surprising to see the more cautious practice from the
> older days in recommendations by an old organization like FSF.
>
>>>> Is there a reason you did not append the tests in 7509 ?

You convinced me that having to start with an orphan commit justifies
a new test file as well as the nature of the test.

>>>
>>> Hmph.
>>
>> I don't know what "Hmph" means in this context.
>
> "Hmph, it might deserve more thought, but I do not have opinion
> right now".

[1] http://en.wikipedia.org/wiki/Berne_Convention

Re: [PATCH 06/11] commit: add tests of commit races

[Junio C Hamano]

Stefan Beller <sbeller@google.com> writes:

> Quoting from wikipedia[1]
>
> (note however that when the United States joined the Convention
> in 1988, it continued to make statutory damages and attorney's fees
> only available for registered works).
>
> Does that mean if somebody would infringe the GPL on git (e.g. selling
> a modified git version without giving sources), it would be harder to
> tell him to stop because of the missing attorney's fees in case we drop
> out the copyright notices? (I have no deep understanding of legal
> processes in the US).

No.  "registered works" in that sentence is about registering
copyright with U.S. Copyright Office.  In-file Copyright circle-c
line does not have much to do with that.