[PATCH 0/8] nd/resolve-ref v2

[PATCH 0/8] nd/resolve-ref v2

[Nguyễn Thái Ngọc Duy]

The first part of actually nd/resolve-ref v2.

The last two patches are an attempt to catch overwriting faults in
future. git_pathname() and resolve_ref_unsafe() are guarded.

(Un)fortunately I ran "make memcheck" but found no new segfaults.
Either test coverage is insufficient, or we have done a very good
job of reviewing/testing git.git

Nguyễn Thái Ngọc Duy (8):
  Convert many resolve_ref() calls to read_ref*() and ref_exists()
  Rename resolve_ref() to resolve_ref_unsafe()
  Re-add resolve_ref() that always returns an allocated buffer
  cmd_merge: convert to single exit point
  Use resolve_ref() instead of resolve_ref_unsafe()
  Convert resolve_ref_unsafe+xstrdup to resolve_ref
  Guard memory overwriting in resolve_ref_unsafe's static buffer
  Enable GIT_DEBUG_MEMCHECK on git_pathname()

 Makefile                |    3 ++
 branch.c                |    2 +-
 builtin/branch.c        |   11 +++----
 builtin/checkout.c      |   17 ++++++------
 builtin/commit.c        |    3 +-
 builtin/fmt-merge-msg.c |    8 ++++-
 builtin/for-each-ref.c  |    7 +---
 builtin/fsck.c          |    2 +-
 builtin/merge.c         |   56 +++++++++++++++++++++++++----------------
 builtin/notes.c         |    8 ++++-
 builtin/receive-pack.c  |    5 ++-
 builtin/remote.c        |   10 +++----
 builtin/replace.c       |    4 +-
 builtin/show-branch.c   |    6 +---
 builtin/show-ref.c      |    2 +-
 builtin/symbolic-ref.c  |    2 +-
 builtin/tag.c           |    4 +-
 bundle.c                |    2 +-
 cache.h                 |   17 +++++++++---
 git-compat-util.h       |    9 ++++++
 notes-merge.c           |    2 +-
 path.c                  |   28 ++++++++++++++------
 reflog-walk.c           |   13 +++++----
 refs.c                  |   63 +++++++++++++++++++++++++++++++---------------
 remote.c                |   10 +++---
 transport.c             |    2 +-
 wrapper.c               |   21 +++++++++++++++
 wt-status.c             |    4 +--
 28 files changed, 203 insertions(+), 118 deletions(-)

-- 
1.7.4.74.g639db

[PATCH 1/8] Convert many resolve_ref() calls to read_ref*() and ref_exists()

[Nguyễn Thái Ngọc Duy]

resolve_ref() may return a pointer to a static buffer, which is not
safe for long-term use because if another resolve_ref() call happens,
the buffer may be changed.  Many call sites though do not care about
this buffer. They simply check if the return value is NULL or not.

Convert all these call sites to new wrappers to reduce resolve_ref()
calls from 57 to 34. If we change resolve_ref() prototype later on
to avoid passing static buffer out, this helps reduce changes.

Signed-off-by: Nguyễn Thái Ngọc Duy <pclouds@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
---
 builtin/branch.c   |    5 ++---
 builtin/checkout.c |    4 ++--
 builtin/merge.c    |    4 ++--
 builtin/remote.c   |    8 +++-----
 builtin/replace.c  |    4 ++--
 builtin/show-ref.c |    2 +-
 builtin/tag.c      |    4 ++--
 bundle.c           |    2 +-
 cache.h            |    2 ++
 notes-merge.c      |    2 +-
 refs.c             |   27 ++++++++++++++++-----------
 remote.c           |    4 ++--
 12 files changed, 36 insertions(+), 32 deletions(-)

diff --git a/builtin/branch.c b/builtin/branch.c
index 51ca6a0..0fe9c4d 100644
--- a/builtin/branch.c
+++ b/builtin/branch.c
@@ -186,7 +186,7 @@ static int delete_branches(int argc, const char **argv, int force, int kinds)
 		free(name);
 
 		name = xstrdup(mkpath(fmt, bname.buf));
-		if (!resolve_ref(name, sha1, 1, NULL)) {
+		if (read_ref(name, sha1)) {
 			error(_("%sbranch '%s' not found."),
 					remote, bname.buf);
 			ret = 1;
@@ -565,7 +565,6 @@ static int print_ref_list(int kinds, int detached, int verbose, int abbrev, stru
 static void rename_branch(const char *oldname, const char *newname, int force)
 {
 	struct strbuf oldref = STRBUF_INIT, newref = STRBUF_INIT, logmsg = STRBUF_INIT;
-	unsigned char sha1[20];
 	struct strbuf oldsection = STRBUF_INIT, newsection = STRBUF_INIT;
 	int recovery = 0;
 
@@ -577,7 +576,7 @@ static void rename_branch(const char *oldname, const char *newname, int force)
 		 * Bad name --- this could be an attempt to rename a
 		 * ref that we used to allow to be created by accident.
 		 */
-		if (resolve_ref(oldref.buf, sha1, 1, NULL))
+		if (ref_exists(oldref.buf))
 			recovery = 1;
 		else
 			die(_("Invalid branch name: '%s'"), oldname);
diff --git a/builtin/checkout.c b/builtin/checkout.c
index 2a80772..beeaee4 100644
--- a/builtin/checkout.c
+++ b/builtin/checkout.c
@@ -288,7 +288,7 @@ static int checkout_paths(struct tree *source_tree, const char **pathspec,
 	    commit_locked_index(lock_file))
 		die(_("unable to write new index file"));
 
-	resolve_ref("HEAD", rev, 0, &flag);
+	read_ref_full("HEAD", rev, 0, &flag);
 	head = lookup_commit_reference_gently(rev, 1);
 
 	errs |= post_checkout_hook(head, head, 0);
@@ -866,7 +866,7 @@ static int parse_branchname_arg(int argc, const char **argv,
 	setup_branch_path(new);
 
 	if (!check_refname_format(new->path, 0) &&
-	    resolve_ref(new->path, branch_rev, 1, NULL))
+	    !read_ref(new->path, branch_rev))
 		hashcpy(rev, branch_rev);
 	else
 		new->path = NULL; /* not an existing branch */
diff --git a/builtin/merge.c b/builtin/merge.c
index dffd5ec..42b4f9e 100644
--- a/builtin/merge.c
+++ b/builtin/merge.c
@@ -420,7 +420,7 @@ static struct object *want_commit(const char *name)
 static void merge_name(const char *remote, struct strbuf *msg)
 {
 	struct object *remote_head;
-	unsigned char branch_head[20], buf_sha[20];
+	unsigned char branch_head[20];
 	struct strbuf buf = STRBUF_INIT;
 	struct strbuf bname = STRBUF_INIT;
 	const char *ptr;
@@ -479,7 +479,7 @@ static void merge_name(const char *remote, struct strbuf *msg)
 		strbuf_addstr(&truname, "refs/heads/");
 		strbuf_addstr(&truname, remote);
 		strbuf_setlen(&truname, truname.len - len);
-		if (resolve_ref(truname.buf, buf_sha, 1, NULL)) {
+		if (ref_exists(truname.buf)) {
 			strbuf_addf(msg,
 				    "%s\t\tbranch '%s'%s of .\n",
 				    sha1_to_hex(remote_head->sha1),
diff --git a/builtin/remote.c b/builtin/remote.c
index c810643..407abfb 100644
--- a/builtin/remote.c
+++ b/builtin/remote.c
@@ -343,8 +343,7 @@ static int get_ref_states(const struct ref *remote_refs, struct ref_states *stat
 	states->tracked.strdup_strings = 1;
 	states->stale.strdup_strings = 1;
 	for (ref = fetch_map; ref; ref = ref->next) {
-		unsigned char sha1[20];
-		if (!ref->peer_ref || read_ref(ref->peer_ref->name, sha1))
+		if (!ref->peer_ref || !ref_exists(ref->peer_ref->name))
 			string_list_append(&states->new, abbrev_branch(ref->name));
 		else
 			string_list_append(&states->tracked, abbrev_branch(ref->name));
@@ -710,7 +709,7 @@ static int mv(int argc, const char **argv)
 		int flag = 0;
 		unsigned char sha1[20];
 
-		resolve_ref(item->string, sha1, 1, &flag);
+		read_ref_full(item->string, sha1, 1, &flag);
 		if (!(flag & REF_ISSYMREF))
 			continue;
 		if (delete_ref(item->string, NULL, REF_NODEREF))
@@ -1220,10 +1219,9 @@ static int set_head(int argc, const char **argv)
 		usage_with_options(builtin_remote_sethead_usage, options);
 
 	if (head_name) {
-		unsigned char sha1[20];
 		strbuf_addf(&buf2, "refs/remotes/%s/%s", argv[0], head_name);
 		/* make sure it's valid */
-		if (!resolve_ref(buf2.buf, sha1, 1, NULL))
+		if (!ref_exists(buf2.buf))
 			result |= error("Not a valid ref: %s", buf2.buf);
 		else if (create_symref(buf.buf, buf2.buf, "remote set-head"))
 			result |= error("Could not setup %s", buf.buf);
diff --git a/builtin/replace.c b/builtin/replace.c
index 517fa10..4a8970e 100644
--- a/builtin/replace.c
+++ b/builtin/replace.c
@@ -58,7 +58,7 @@ static int for_each_replace_name(const char **argv, each_replace_name_fn fn)
 			had_error = 1;
 			continue;
 		}
-		if (!resolve_ref(ref, sha1, 1, NULL)) {
+		if (read_ref(ref, sha1)) {
 			error("replace ref '%s' not found.", *p);
 			had_error = 1;
 			continue;
@@ -97,7 +97,7 @@ static int replace_object(const char *object_ref, const char *replace_ref,
 	if (check_refname_format(ref, 0))
 		die("'%s' is not a valid ref name.", ref);
 
-	if (!resolve_ref(ref, prev, 1, NULL))
+	if (read_ref(ref, prev))
 		hashclr(prev);
 	else if (!force)
 		die("replace ref '%s' already exists", ref);
diff --git a/builtin/show-ref.c b/builtin/show-ref.c
index fafb6dd..3911661 100644
--- a/builtin/show-ref.c
+++ b/builtin/show-ref.c
@@ -225,7 +225,7 @@ int cmd_show_ref(int argc, const char **argv, const char *prefix)
 			unsigned char sha1[20];
 
 			if (!prefixcmp(*pattern, "refs/") &&
-			    resolve_ref(*pattern, sha1, 1, NULL)) {
+			    !read_ref(*pattern, sha1)) {
 				if (!quiet)
 					show_one(*pattern, sha1);
 			}
diff --git a/builtin/tag.c b/builtin/tag.c
index 9b6fd95..439249d 100644
--- a/builtin/tag.c
+++ b/builtin/tag.c
@@ -174,7 +174,7 @@ static int for_each_tag_name(const char **argv, each_tag_name_fn fn)
 			had_error = 1;
 			continue;
 		}
-		if (!resolve_ref(ref, sha1, 1, NULL)) {
+		if (read_ref(ref, sha1)) {
 			error(_("tag '%s' not found."), *p);
 			had_error = 1;
 			continue;
@@ -518,7 +518,7 @@ int cmd_tag(int argc, const char **argv, const char *prefix)
 	if (strbuf_check_tag_ref(&ref, tag))
 		die(_("'%s' is not a valid tag name."), tag);
 
-	if (!resolve_ref(ref.buf, prev, 1, NULL))
+	if (read_ref(ref.buf, prev))
 		hashclr(prev);
 	else if (!force)
 		die(_("tag '%s' already exists"), tag);
diff --git a/bundle.c b/bundle.c
index 08020bc..4742f27 100644
--- a/bundle.c
+++ b/bundle.c
@@ -320,7 +320,7 @@ int create_bundle(struct bundle_header *header, const char *path,
 			continue;
 		if (dwim_ref(e->name, strlen(e->name), sha1, &ref) != 1)
 			continue;
-		if (!resolve_ref(e->name, sha1, 1, &flag))
+		if (read_ref_full(e->name, sha1, 1, &flag))
 			flag = 0;
 		display_ref = (flag & REF_ISSYMREF) ? e->name : ref;
 
diff --git a/cache.h b/cache.h
index 2e6ad36..5badece 100644
--- a/cache.h
+++ b/cache.h
@@ -832,6 +832,8 @@ static inline int get_sha1_with_context(const char *str, unsigned char *sha1, st
 extern int get_sha1_hex(const char *hex, unsigned char *sha1);
 
 extern char *sha1_to_hex(const unsigned char *sha1);	/* static buffer result! */
+extern int read_ref_full(const char *filename, unsigned char *sha1,
+			 int reading, int *flags);
 extern int read_ref(const char *filename, unsigned char *sha1);
 
 /*
diff --git a/notes-merge.c b/notes-merge.c
index e9e4199..e33c2c9 100644
--- a/notes-merge.c
+++ b/notes-merge.c
@@ -568,7 +568,7 @@ int notes_merge(struct notes_merge_options *o,
 	       o->local_ref, o->remote_ref);
 
 	/* Dereference o->local_ref into local_sha1 */
-	if (!resolve_ref(o->local_ref, local_sha1, 0, NULL))
+	if (read_ref_full(o->local_ref, local_sha1, 0, NULL))
 		die("Failed to resolve local notes ref '%s'", o->local_ref);
 	else if (!check_refname_format(o->local_ref, 0) &&
 		is_null_sha1(local_sha1))
diff --git a/refs.c b/refs.c
index e69ba26..44c1c86 100644
--- a/refs.c
+++ b/refs.c
@@ -334,7 +334,7 @@ static void get_ref_dir(const char *submodule, const char *base,
 					flag |= REF_ISBROKEN;
 				}
 			} else
-				if (!resolve_ref(ref, sha1, 1, &flag)) {
+				if (read_ref_full(ref, sha1, 1, &flag)) {
 					hashclr(sha1);
 					flag |= REF_ISBROKEN;
 				}
@@ -612,13 +612,18 @@ struct ref_filter {
 	void *cb_data;
 };
 
-int read_ref(const char *ref, unsigned char *sha1)
+int read_ref_full(const char *ref, unsigned char *sha1, int reading, int *flags)
 {
-	if (resolve_ref(ref, sha1, 1, NULL))
+	if (resolve_ref(ref, sha1, reading, flags))
 		return 0;
 	return -1;
 }
 
+int read_ref(const char *ref, unsigned char *sha1)
+{
+	return read_ref_full(ref, sha1, 1, NULL);
+}
+
 #define DO_FOR_EACH_INCLUDE_BROKEN 01
 static int do_one_ref(const char *base, each_ref_fn fn, int trim,
 		      int flags, void *cb_data, struct ref_entry *entry)
@@ -663,7 +668,7 @@ int peel_ref(const char *ref, unsigned char *sha1)
 		goto fallback;
 	}
 
-	if (!resolve_ref(ref, base, 1, &flag))
+	if (read_ref_full(ref, base, 1, &flag))
 		return -1;
 
 	if ((flag & REF_ISPACKED)) {
@@ -746,7 +751,7 @@ static int do_head_ref(const char *submodule, each_ref_fn fn, void *cb_data)
 		return 0;
 	}
 
-	if (resolve_ref("HEAD", sha1, 1, &flag))
+	if (!read_ref_full("HEAD", sha1, 1, &flag))
 		return fn("HEAD", sha1, flag, cb_data);
 
 	return 0;
@@ -826,7 +831,7 @@ int head_ref_namespaced(each_ref_fn fn, void *cb_data)
 	int flag;
 
 	strbuf_addf(&buf, "%sHEAD", get_git_namespace());
-	if (resolve_ref(buf.buf, sha1, 1, &flag))
+	if (!read_ref_full(buf.buf, sha1, 1, &flag))
 		ret = fn(buf.buf, sha1, flag, cb_data);
 	strbuf_release(&buf);
 
@@ -1022,7 +1027,7 @@ int refname_match(const char *abbrev_name, const char *full_name, const char **r
 static struct ref_lock *verify_lock(struct ref_lock *lock,
 	const unsigned char *old_sha1, int mustexist)
 {
-	if (!resolve_ref(lock->ref_name, lock->old_sha1, mustexist, NULL)) {
+	if (read_ref_full(lock->ref_name, lock->old_sha1, mustexist, NULL)) {
 		error("Can't verify ref %s", lock->ref_name);
 		unlock_ref(lock);
 		return NULL;
@@ -1377,7 +1382,8 @@ int rename_ref(const char *oldref, const char *newref, const char *logmsg)
 		goto rollback;
 	}
 
-	if (resolve_ref(newref, sha1, 1, &flag) && delete_ref(newref, sha1, REF_NODEREF)) {
+	if (!read_ref_full(newref, sha1, 1, &flag) &&
+	    delete_ref(newref, sha1, REF_NODEREF)) {
 		if (errno==EISDIR) {
 			if (remove_empty_directories(git_path("%s", newref))) {
 				error("Directory not empty: %s", newref);
@@ -1929,7 +1935,7 @@ static int do_for_each_reflog(const char *base, each_ref_fn fn, void *cb_data)
 				retval = do_for_each_reflog(log, fn, cb_data);
 			} else {
 				unsigned char sha1[20];
-				if (!resolve_ref(log, sha1, 0, NULL))
+				if (read_ref_full(log, sha1, 0, NULL))
 					retval = error("bad ref for %s", log);
 				else
 					retval = fn(log, sha1, 0, cb_data);
@@ -2072,7 +2078,6 @@ char *shorten_unambiguous_ref(const char *ref, int strict)
 		 */
 		for (j = 0; j < rules_to_fail; j++) {
 			const char *rule = ref_rev_parse_rules[j];
-			unsigned char short_objectname[20];
 			char refname[PATH_MAX];
 
 			/* skip matched rule */
@@ -2086,7 +2091,7 @@ char *shorten_unambiguous_ref(const char *ref, int strict)
 			 */
 			mksnpath(refname, sizeof(refname),
 				 rule, short_name_len, short_name);
-			if (!read_ref(refname, short_objectname))
+			if (ref_exists(refname))
 				break;
 		}
 
diff --git a/remote.c b/remote.c
index e2ef991..6655bb0 100644
--- a/remote.c
+++ b/remote.c
@@ -1507,13 +1507,13 @@ int stat_tracking_info(struct branch *branch, int *num_ours, int *num_theirs)
 	 * nothing to report.
 	 */
 	base = branch->merge[0]->dst;
-	if (!resolve_ref(base, sha1, 1, NULL))
+	if (read_ref(base, sha1))
 		return 0;
 	theirs = lookup_commit_reference(sha1);
 	if (!theirs)
 		return 0;
 
-	if (!resolve_ref(branch->refname, sha1, 1, NULL))
+	if (read_ref(branch->refname, sha1))
 		return 0;
 	ours = lookup_commit_reference(sha1);
 	if (!ours)
-- 
1.7.4.74.g639db

[PATCH 2/8] Rename resolve_ref() to resolve_ref_unsafe()

[Nguyễn Thái Ngọc Duy]

resolve_ref() may return a pointer to a shared buffer and can be
overwritten by the next resolve_ref() calls. Callers need to
pay attention, not to keep the pointer when the next call happens.

Rename with "_unsafe" suffix to warn developers (or reviewers) before
introducing new call sites.

This patch is generated using this command

git grep -l 'resolve_ref(' -- '*.[ch]'|xargs sed -i 's/resolve_ref(/resolve_ref_unsafe(/g'

Signed-off-by: Nguyễn Thái Ngọc Duy <pclouds@gmail.com>
---
 branch.c                |    2 +-
 builtin/branch.c        |    6 +++---
 builtin/checkout.c      |    2 +-
 builtin/commit.c        |    2 +-
 builtin/fmt-merge-msg.c |    2 +-
 builtin/for-each-ref.c  |    2 +-
 builtin/fsck.c          |    2 +-
 builtin/merge.c         |    2 +-
 builtin/notes.c         |    2 +-
 builtin/receive-pack.c  |    4 ++--
 builtin/remote.c        |    2 +-
 builtin/show-branch.c   |    4 ++--
 builtin/symbolic-ref.c  |    2 +-
 cache.h                 |    2 +-
 reflog-walk.c           |    4 ++--
 refs.c                  |   20 ++++++++++----------
 remote.c                |    6 +++---
 transport.c             |    2 +-
 wt-status.c             |    2 +-
 19 files changed, 35 insertions(+), 35 deletions(-)

diff --git a/branch.c b/branch.c
index d809876..243355b 100644
--- a/branch.c
+++ b/branch.c
@@ -151,7 +151,7 @@ int validate_new_branchname(const char *name, struct strbuf *ref,
 		const char *head;
 		unsigned char sha1[20];
 
-		head = resolve_ref("HEAD", sha1, 0, NULL);
+		head = resolve_ref_unsafe("HEAD", sha1, 0, NULL);
 		if (!is_bare_repository() && head && !strcmp(head, ref->buf))
 			die("Cannot force update the current branch.");
 	}
diff --git a/builtin/branch.c b/builtin/branch.c
index 0fe9c4d..6903b0d 100644
--- a/builtin/branch.c
+++ b/builtin/branch.c
@@ -115,7 +115,7 @@ static int branch_merged(int kind, const char *name,
 		    branch->merge[0] &&
 		    branch->merge[0]->dst &&
 		    (reference_name =
-		     resolve_ref(branch->merge[0]->dst, sha1, 1, NULL)) != NULL)
+		     resolve_ref_unsafe(branch->merge[0]->dst, sha1, 1, NULL)) != NULL)
 			reference_rev = lookup_commit_reference(sha1);
 	}
 	if (!reference_rev)
@@ -250,7 +250,7 @@ static char *resolve_symref(const char *src, const char *prefix)
 	int flag;
 	const char *dst, *cp;
 
-	dst = resolve_ref(src, sha1, 0, &flag);
+	dst = resolve_ref_unsafe(src, sha1, 0, &flag);
 	if (!(dst && (flag & REF_ISSYMREF)))
 		return NULL;
 	if (prefix && (cp = skip_prefix(dst, prefix)))
@@ -688,7 +688,7 @@ int cmd_branch(int argc, const char **argv, const char *prefix)
 
 	track = git_branch_track;
 
-	head = resolve_ref("HEAD", head_sha1, 0, NULL);
+	head = resolve_ref_unsafe("HEAD", head_sha1, 0, NULL);
 	if (!head)
 		die(_("Failed to resolve HEAD as a valid ref."));
 	head = xstrdup(head);
diff --git a/builtin/checkout.c b/builtin/checkout.c
index beeaee4..2b8e73b 100644
--- a/builtin/checkout.c
+++ b/builtin/checkout.c
@@ -699,7 +699,7 @@ static int switch_branches(struct checkout_opts *opts, struct branch_info *new)
 	unsigned char rev[20];
 	int flag;
 	memset(&old, 0, sizeof(old));
-	old.path = xstrdup(resolve_ref("HEAD", rev, 0, &flag));
+	old.path = xstrdup(resolve_ref_unsafe("HEAD", rev, 0, &flag));
 	old.commit = lookup_commit_reference_gently(rev, 1);
 	if (!(flag & REF_ISSYMREF)) {
 		free((char *)old.path);
diff --git a/builtin/commit.c b/builtin/commit.c
index c46f2d1..0be3b45 100644
--- a/builtin/commit.c
+++ b/builtin/commit.c
@@ -1259,7 +1259,7 @@ static void print_summary(const char *prefix, const unsigned char *sha1,
 	struct commit *commit;
 	struct strbuf format = STRBUF_INIT;
 	unsigned char junk_sha1[20];
-	const char *head = resolve_ref("HEAD", junk_sha1, 0, NULL);
+	const char *head = resolve_ref_unsafe("HEAD", junk_sha1, 0, NULL);
 	struct pretty_print_context pctx = {0};
 	struct strbuf author_ident = STRBUF_INIT;
 	struct strbuf committer_ident = STRBUF_INIT;
diff --git a/builtin/fmt-merge-msg.c b/builtin/fmt-merge-msg.c
index 7e2f225..5c9b40e 100644
--- a/builtin/fmt-merge-msg.c
+++ b/builtin/fmt-merge-msg.c
@@ -263,7 +263,7 @@ static int do_fmt_merge_msg(int merge_title, struct strbuf *in,
 	const char *current_branch;
 
 	/* get current branch */
-	current_branch = resolve_ref("HEAD", head_sha1, 1, NULL);
+	current_branch = resolve_ref_unsafe("HEAD", head_sha1, 1, NULL);
 	if (!current_branch)
 		die("No current branch");
 	if (!prefixcmp(current_branch, "refs/heads/"))
diff --git a/builtin/for-each-ref.c b/builtin/for-each-ref.c
index d90e5d2..b954ca8 100644
--- a/builtin/for-each-ref.c
+++ b/builtin/for-each-ref.c
@@ -629,7 +629,7 @@ static void populate_value(struct refinfo *ref)
 	if (need_symref && (ref->flag & REF_ISSYMREF) && !ref->symref) {
 		unsigned char unused1[20];
 		const char *symref;
-		symref = resolve_ref(ref->refname, unused1, 1, NULL);
+		symref = resolve_ref_unsafe(ref->refname, unused1, 1, NULL);
 		if (symref)
 			ref->symref = xstrdup(symref);
 		else
diff --git a/builtin/fsck.c b/builtin/fsck.c
index df1a88b..0e0e17a 100644
--- a/builtin/fsck.c
+++ b/builtin/fsck.c
@@ -532,7 +532,7 @@ static int fsck_head_link(void)
 	if (verbose)
 		fprintf(stderr, "Checking HEAD link\n");
 
-	head_points_at = resolve_ref("HEAD", head_sha1, 0, &flag);
+	head_points_at = resolve_ref_unsafe("HEAD", head_sha1, 0, &flag);
 	if (!head_points_at)
 		return error("Invalid HEAD");
 	if (!strcmp(head_points_at, "HEAD"))
diff --git a/builtin/merge.c b/builtin/merge.c
index 42b4f9e..519e3c5 100644
--- a/builtin/merge.c
+++ b/builtin/merge.c
@@ -1095,7 +1095,7 @@ int cmd_merge(int argc, const char **argv, const char *prefix)
 	 * Check if we are _not_ on a detached HEAD, i.e. if there is a
 	 * current branch.
 	 */
-	branch = resolve_ref("HEAD", head_sha1, 0, &flag);
+	branch = resolve_ref_unsafe("HEAD", head_sha1, 0, &flag);
 	if (branch && !prefixcmp(branch, "refs/heads/"))
 		branch += 11;
 	if (!branch || is_null_sha1(head_sha1))
diff --git a/builtin/notes.c b/builtin/notes.c
index f8e437d..e191ce6 100644
--- a/builtin/notes.c
+++ b/builtin/notes.c
@@ -825,7 +825,7 @@ static int merge_commit(struct notes_merge_options *o)
 	t = xcalloc(1, sizeof(struct notes_tree));
 	init_notes(t, "NOTES_MERGE_PARTIAL", combine_notes_overwrite, 0);
 
-	o->local_ref = resolve_ref("NOTES_MERGE_REF", sha1, 0, NULL);
+	o->local_ref = resolve_ref_unsafe("NOTES_MERGE_REF", sha1, 0, NULL);
 	if (!o->local_ref)
 		die("Failed to resolve NOTES_MERGE_REF");
 
diff --git a/builtin/receive-pack.c b/builtin/receive-pack.c
index 7ec68a1..333f2b0 100644
--- a/builtin/receive-pack.c
+++ b/builtin/receive-pack.c
@@ -571,7 +571,7 @@ static void check_aliased_update(struct command *cmd, struct string_list *list)
 	int flag;
 
 	strbuf_addf(&buf, "%s%s", get_git_namespace(), cmd->ref_name);
-	dst_name = resolve_ref(buf.buf, sha1, 0, &flag);
+	dst_name = resolve_ref_unsafe(buf.buf, sha1, 0, &flag);
 	strbuf_release(&buf);
 
 	if (!(flag & REF_ISSYMREF))
@@ -695,7 +695,7 @@ static void execute_commands(struct command *commands, const char *unpacker_erro
 
 	check_aliased_updates(commands);
 
-	head_name = resolve_ref("HEAD", sha1, 0, NULL);
+	head_name = resolve_ref_unsafe("HEAD", sha1, 0, NULL);
 
 	for (cmd = commands; cmd; cmd = cmd->next)
 		if (!cmd->skip_update)
diff --git a/builtin/remote.c b/builtin/remote.c
index 407abfb..583eec9 100644
--- a/builtin/remote.c
+++ b/builtin/remote.c
@@ -573,7 +573,7 @@ static int read_remote_branches(const char *refname,
 	strbuf_addf(&buf, "refs/remotes/%s/", rename->old);
 	if (!prefixcmp(refname, buf.buf)) {
 		item = string_list_append(rename->remote_branches, xstrdup(refname));
-		symref = resolve_ref(refname, orig_sha1, 1, &flag);
+		symref = resolve_ref_unsafe(refname, orig_sha1, 1, &flag);
 		if (flag & REF_ISSYMREF)
 			item->util = xstrdup(symref);
 		else
diff --git a/builtin/show-branch.c b/builtin/show-branch.c
index 4b480d7..1e7bd31 100644
--- a/builtin/show-branch.c
+++ b/builtin/show-branch.c
@@ -728,7 +728,7 @@ int cmd_show_branch(int ac, const char **av, const char *prefix)
 			static const char *fake_av[2];
 			const char *refname;
 
-			refname = resolve_ref("HEAD", sha1, 1, NULL);
+			refname = resolve_ref_unsafe("HEAD", sha1, 1, NULL);
 			fake_av[0] = xstrdup(refname);
 			fake_av[1] = NULL;
 			av = fake_av;
@@ -791,7 +791,7 @@ int cmd_show_branch(int ac, const char **av, const char *prefix)
 		}
 	}
 
-	head_p = resolve_ref("HEAD", head_sha1, 1, NULL);
+	head_p = resolve_ref_unsafe("HEAD", head_sha1, 1, NULL);
 	if (head_p) {
 		head_len = strlen(head_p);
 		memcpy(head, head_p, head_len + 1);
diff --git a/builtin/symbolic-ref.c b/builtin/symbolic-ref.c
index dea849c..2ef5962 100644
--- a/builtin/symbolic-ref.c
+++ b/builtin/symbolic-ref.c
@@ -12,7 +12,7 @@ static void check_symref(const char *HEAD, int quiet)
 {
 	unsigned char sha1[20];
 	int flag;
-	const char *refs_heads_master = resolve_ref(HEAD, sha1, 0, &flag);
+	const char *refs_heads_master = resolve_ref_unsafe(HEAD, sha1, 0, &flag);
 
 	if (!refs_heads_master)
 		die("No such ref: %s", HEAD);
diff --git a/cache.h b/cache.h
index 5badece..61f023a 100644
--- a/cache.h
+++ b/cache.h
@@ -866,7 +866,7 @@ extern int read_ref(const char *filename, unsigned char *sha1);
  *
  * errno is sometimes set on errors, but not always.
  */
-extern const char *resolve_ref(const char *ref, unsigned char *sha1, int reading, int *flag);
+extern const char *resolve_ref_unsafe(const char *ref, unsigned char *sha1, int reading, int *flag);
 
 extern int dwim_ref(const char *str, int len, unsigned char *sha1, char **ref);
 extern int dwim_log(const char *str, int len, unsigned char *sha1, char **ref);
diff --git a/reflog-walk.c b/reflog-walk.c
index 5d81d39..b9b2453 100644
--- a/reflog-walk.c
+++ b/reflog-walk.c
@@ -50,7 +50,7 @@ static struct complete_reflogs *read_complete_reflog(const char *ref)
 	for_each_reflog_ent(ref, read_one_reflog, reflogs);
 	if (reflogs->nr == 0) {
 		unsigned char sha1[20];
-		const char *name = resolve_ref(ref, sha1, 1, NULL);
+		const char *name = resolve_ref_unsafe(ref, sha1, 1, NULL);
 		if (name)
 			for_each_reflog_ent(name, read_one_reflog, reflogs);
 	}
@@ -168,7 +168,7 @@ int add_reflog_for_walk(struct reflog_walk_info *info,
 	else {
 		if (*branch == '\0') {
 			unsigned char sha1[20];
-			const char *head = resolve_ref("HEAD", sha1, 0, NULL);
+			const char *head = resolve_ref_unsafe("HEAD", sha1, 0, NULL);
 			if (!head)
 				die ("No current branch");
 			free(branch);
diff --git a/refs.c b/refs.c
index 44c1c86..9e42e36 100644
--- a/refs.c
+++ b/refs.c
@@ -361,7 +361,7 @@ static int warn_if_dangling_symref(const char *refname, const unsigned char *sha
 	if (!(flags & REF_ISSYMREF))
 		return 0;
 
-	resolves_to = resolve_ref(refname, junk, 0, NULL);
+	resolves_to = resolve_ref_unsafe(refname, junk, 0, NULL);
 	if (!resolves_to || strcmp(resolves_to, d->refname))
 		return 0;
 
@@ -497,7 +497,7 @@ static int get_packed_ref(const char *ref, unsigned char *sha1)
 	return -1;
 }
 
-const char *resolve_ref(const char *ref, unsigned char *sha1, int reading, int *flag)
+const char *resolve_ref_unsafe(const char *ref, unsigned char *sha1, int reading, int *flag)
 {
 	int depth = MAXDEPTH;
 	ssize_t len;
@@ -614,7 +614,7 @@ struct ref_filter {
 
 int read_ref_full(const char *ref, unsigned char *sha1, int reading, int *flags)
 {
-	if (resolve_ref(ref, sha1, reading, flags))
+	if (resolve_ref_unsafe(ref, sha1, reading, flags))
 		return 0;
 	return -1;
 }
@@ -1118,7 +1118,7 @@ int dwim_ref(const char *str, int len, unsigned char *sha1, char **ref)
 
 		this_result = refs_found ? sha1_from_ref : sha1;
 		mksnpath(fullref, sizeof(fullref), *p, len, str);
-		r = resolve_ref(fullref, this_result, 1, &flag);
+		r = resolve_ref_unsafe(fullref, this_result, 1, &flag);
 		if (r) {
 			if (!refs_found++)
 				*ref = xstrdup(r);
@@ -1148,7 +1148,7 @@ int dwim_log(const char *str, int len, unsigned char *sha1, char **log)
 		const char *ref, *it;
 
 		mksnpath(path, sizeof(path), *p, len, str);
-		ref = resolve_ref(path, hash, 1, NULL);
+		ref = resolve_ref_unsafe(path, hash, 1, NULL);
 		if (!ref)
 			continue;
 		if (!stat(git_path("logs/%s", path), &st) &&
@@ -1184,7 +1184,7 @@ static struct ref_lock *lock_ref_sha1_basic(const char *ref, const unsigned char
 	lock = xcalloc(1, sizeof(struct ref_lock));
 	lock->lock_fd = -1;
 
-	ref = resolve_ref(ref, lock->old_sha1, mustexist, &type);
+	ref = resolve_ref_unsafe(ref, lock->old_sha1, mustexist, &type);
 	if (!ref && errno == EISDIR) {
 		/* we are trying to lock foo but we used to
 		 * have foo/bar which now does not exist;
@@ -1197,7 +1197,7 @@ static struct ref_lock *lock_ref_sha1_basic(const char *ref, const unsigned char
 			error("there are still refs under '%s'", orig_ref);
 			goto error_return;
 		}
-		ref = resolve_ref(orig_ref, lock->old_sha1, mustexist, &type);
+		ref = resolve_ref_unsafe(orig_ref, lock->old_sha1, mustexist, &type);
 	}
 	if (type_p)
 	    *type_p = type;
@@ -1360,7 +1360,7 @@ int rename_ref(const char *oldref, const char *newref, const char *logmsg)
 	if (log && S_ISLNK(loginfo.st_mode))
 		return error("reflog for %s is a symlink", oldref);
 
-	symref = resolve_ref(oldref, orig_sha1, 1, &flag);
+	symref = resolve_ref_unsafe(oldref, orig_sha1, 1, &flag);
 	if (flag & REF_ISSYMREF)
 		return error("refname %s is a symbolic ref, renaming it is not supported",
 			oldref);
@@ -1649,7 +1649,7 @@ int write_ref_sha1(struct ref_lock *lock,
 		unsigned char head_sha1[20];
 		int head_flag;
 		const char *head_ref;
-		head_ref = resolve_ref("HEAD", head_sha1, 1, &head_flag);
+		head_ref = resolve_ref_unsafe("HEAD", head_sha1, 1, &head_flag);
 		if (head_ref && (head_flag & REF_ISSYMREF) &&
 		    !strcmp(head_ref, lock->ref_name))
 			log_ref_write("HEAD", lock->old_sha1, sha1, logmsg);
@@ -1986,7 +1986,7 @@ int update_ref(const char *action, const char *refname,
 int ref_exists(const char *refname)
 {
 	unsigned char sha1[20];
-	return !!resolve_ref(refname, sha1, 1, NULL);
+	return !!resolve_ref_unsafe(refname, sha1, 1, NULL);
 }
 
 struct ref *find_ref_by_name(const struct ref *list, const char *name)
diff --git a/remote.c b/remote.c
index 6655bb0..73a3809 100644
--- a/remote.c
+++ b/remote.c
@@ -482,7 +482,7 @@ static void read_config(void)
 		return;
 	default_remote_name = xstrdup("origin");
 	current_branch = NULL;
-	head_ref = resolve_ref("HEAD", sha1, 0, &flag);
+	head_ref = resolve_ref_unsafe("HEAD", sha1, 0, &flag);
 	if (head_ref && (flag & REF_ISSYMREF) &&
 	    !prefixcmp(head_ref, "refs/heads/")) {
 		current_branch =
@@ -1007,7 +1007,7 @@ static char *guess_ref(const char *name, struct ref *peer)
 	struct strbuf buf = STRBUF_INIT;
 	unsigned char sha1[20];
 
-	const char *r = resolve_ref(peer->name, sha1, 1, NULL);
+	const char *r = resolve_ref_unsafe(peer->name, sha1, 1, NULL);
 	if (!r)
 		return NULL;
 
@@ -1058,7 +1058,7 @@ static int match_explicit(struct ref *src, struct ref *dst,
 		unsigned char sha1[20];
 		int flag;
 
-		dst_value = resolve_ref(matched_src->name, sha1, 1, &flag);
+		dst_value = resolve_ref_unsafe(matched_src->name, sha1, 1, &flag);
 		if (!dst_value ||
 		    ((flag & REF_ISSYMREF) &&
 		     prefixcmp(dst_value, "refs/heads/")))
diff --git a/transport.c b/transport.c
index 51814b5..e9797c0 100644
--- a/transport.c
+++ b/transport.c
@@ -163,7 +163,7 @@ static void set_upstreams(struct transport *transport, struct ref *refs,
 		/* Follow symbolic refs (mainly for HEAD). */
 		localname = ref->peer_ref->name;
 		remotename = ref->name;
-		tmp = resolve_ref(localname, sha, 1, &flag);
+		tmp = resolve_ref_unsafe(localname, sha, 1, &flag);
 		if (tmp && flag & REF_ISSYMREF &&
 			!prefixcmp(tmp, "refs/heads/"))
 			localname = tmp;
diff --git a/wt-status.c b/wt-status.c
index 70fdb76..cc6dad5 100644
--- a/wt-status.c
+++ b/wt-status.c
@@ -119,7 +119,7 @@ void wt_status_prepare(struct wt_status *s)
 	s->show_untracked_files = SHOW_NORMAL_UNTRACKED_FILES;
 	s->use_color = -1;
 	s->relative_paths = 1;
-	head = resolve_ref("HEAD", sha1, 0, NULL);
+	head = resolve_ref_unsafe("HEAD", sha1, 0, NULL);
 	s->branch = head ? xstrdup(head) : NULL;
 	s->reference = "HEAD";
 	s->fp = stdout;
-- 
1.7.4.74.g639db

[PATCH 3/8] Re-add resolve_ref() that always returns an allocated buffer

[Nguyễn Thái Ngọc Duy]

Signed-off-by: Nguyễn Thái Ngọc Duy <pclouds@gmail.com>
---
 cache.h |    1 +
 refs.c  |    6 ++++++
 2 files changed, 7 insertions(+), 0 deletions(-)

diff --git a/cache.h b/cache.h
index 61f023a..6b8ac8b 100644
--- a/cache.h
+++ b/cache.h
@@ -867,6 +867,7 @@ extern int read_ref(const char *filename, unsigned char *sha1);
  * errno is sometimes set on errors, but not always.
  */
 extern const char *resolve_ref_unsafe(const char *ref, unsigned char *sha1, int reading, int *flag);
+extern char *resolve_ref(const char *ref, unsigned char *sha1, int reading, int *flag);
 
 extern int dwim_ref(const char *str, int len, unsigned char *sha1, char **ref);
 extern int dwim_log(const char *str, int len, unsigned char *sha1, char **ref);
diff --git a/refs.c b/refs.c
index 9e42e36..28496ed 100644
--- a/refs.c
+++ b/refs.c
@@ -605,6 +605,12 @@ const char *resolve_ref_unsafe(const char *ref, unsigned char *sha1, int reading
 	return ref;
 }
 
+char *resolve_ref(const char *ref, unsigned char *sha1, int reading, int *flag)
+{
+	const char *ret = resolve_ref_unsafe(ref, sha1, reading, flag);
+	return ret ? xstrdup(ret) : NULL;
+}
+
 /* The argument to filter_refs */
 struct ref_filter {
 	const char *pattern;
-- 
1.7.4.74.g639db

[PATCH 4/8] cmd_merge: convert to single exit point

[Nguyễn Thái Ngọc Duy]

This makes post-processing easier.

Signed-off-by: Nguyễn Thái Ngọc Duy <pclouds@gmail.com>
---
 builtin/merge.c |   48 +++++++++++++++++++++++++++++-------------------
 1 files changed, 29 insertions(+), 19 deletions(-)

diff --git a/builtin/merge.c b/builtin/merge.c
index 519e3c5..0d597b3 100644
--- a/builtin/merge.c
+++ b/builtin/merge.c
@@ -1082,7 +1082,7 @@ int cmd_merge(int argc, const char **argv, const char *prefix)
 	struct commit *head_commit;
 	struct strbuf buf = STRBUF_INIT;
 	const char *head_arg;
-	int flag, i;
+	int flag, i, ret = 0;
 	int best_cnt = -1, merge_was_ok = 0, automerge_was_ok = 0;
 	struct commit_list *common = NULL;
 	const char *best_strategy = NULL, *wt_strategy = NULL;
@@ -1121,7 +1121,8 @@ int cmd_merge(int argc, const char **argv, const char *prefix)
 			die(_("There is no merge to abort (MERGE_HEAD missing)."));
 
 		/* Invoke 'git reset --merge' */
-		return cmd_reset(nargc, nargv, prefix);
+		ret = cmd_reset(nargc, nargv, prefix);
+		goto done;
 	}
 
 	if (read_cache_unmerged())
@@ -1205,7 +1206,7 @@ int cmd_merge(int argc, const char **argv, const char *prefix)
 		read_empty(remote_head->sha1, 0);
 		update_ref("initial pull", "HEAD", remote_head->sha1, NULL, 0,
 				DIE_ON_ERR);
-		return 0;
+		goto done;
 	} else {
 		struct strbuf merge_names = STRBUF_INIT;
 
@@ -1292,7 +1293,7 @@ int cmd_merge(int argc, const char **argv, const char *prefix)
 		 * but first the most common case of merging one remote.
 		 */
 		finish_up_to_date("Already up-to-date.");
-		return 0;
+		goto done;
 	} else if (allow_fast_forward && !remoteheads->next &&
 			!common->next &&
 			!hashcmp(common->item->object.sha1, head_commit->object.sha1)) {
@@ -1313,15 +1314,16 @@ int cmd_merge(int argc, const char **argv, const char *prefix)
 			strbuf_addstr(&msg,
 				" (no commit created; -m option ignored)");
 		o = want_commit(sha1_to_hex(remoteheads->item->object.sha1));
-		if (!o)
-			return 1;
-
-		if (checkout_fast_forward(head_commit->object.sha1, remoteheads->item->object.sha1))
-			return 1;
+		if (!o ||
+		    checkout_fast_forward(head_commit->object.sha1,
+					  remoteheads->item->object.sha1)) {
+			ret = 1;
+			goto done;
+		}
 
 		finish(head_commit, o->sha1, msg.buf);
 		drop_save();
-		return 0;
+		goto done;
 	} else if (!remoteheads->next && common->next)
 		;
 		/*
@@ -1339,8 +1341,11 @@ int cmd_merge(int argc, const char **argv, const char *prefix)
 			git_committer_info(IDENT_ERROR_ON_NO_NAME);
 			printf(_("Trying really trivial in-index merge...\n"));
 			if (!read_tree_trivial(common->item->object.sha1,
-					head_commit->object.sha1, remoteheads->item->object.sha1))
-				return merge_trivial(head_commit);
+					       head_commit->object.sha1,
+					       remoteheads->item->object.sha1)) {
+				ret = merge_trivial(head_commit);
+				goto done;
+			}
 			printf(_("Nope.\n"));
 		}
 	} else {
@@ -1368,7 +1373,7 @@ int cmd_merge(int argc, const char **argv, const char *prefix)
 		}
 		if (up_to_date) {
 			finish_up_to_date("Already up-to-date. Yeeah!");
-			return 0;
+			goto done;
 		}
 	}
 
@@ -1450,9 +1455,11 @@ int cmd_merge(int argc, const char **argv, const char *prefix)
 	 * If we have a resulting tree, that means the strategy module
 	 * auto resolved the merge cleanly.
 	 */
-	if (automerge_was_ok)
-		return finish_automerge(head_commit, common, result_tree,
-					wt_strategy);
+	if (automerge_was_ok) {
+		ret = finish_automerge(head_commit, common, result_tree,
+				       wt_strategy);
+		goto done;
+	}
 
 	/*
 	 * Pick the result from the best strategy and have the user fix
@@ -1466,7 +1473,8 @@ int cmd_merge(int argc, const char **argv, const char *prefix)
 		else
 			fprintf(stderr, _("Merge with strategy %s failed.\n"),
 				use_strategies[0]->name);
-		return 2;
+		ret = 2;
+		goto done;
 	} else if (best_strategy == wt_strategy)
 		; /* We already have its result in the working tree. */
 	else {
@@ -1485,7 +1493,9 @@ int cmd_merge(int argc, const char **argv, const char *prefix)
 	if (merge_was_ok) {
 		fprintf(stderr, _("Automatic merge went well; "
 			"stopped before committing as requested\n"));
-		return 0;
 	} else
-		return suggest_conflicts(option_renormalize);
+		ret = suggest_conflicts(option_renormalize);
+
+done:
+	return ret;
 }
-- 
1.7.4.74.g639db

Re: [PATCH 4/8] cmd_merge: convert to single exit point

[Ramkumar Ramachandra]

Hi again,

Nguyễn Thái Ngọc Duy wrote:
> [Subject: [PATCH 4/8] cmd_merge: convert to single exit point]
>
> This makes post-processing easier.
>
> Signed-off-by: Nguyễn Thái Ngọc Duy <pclouds@gmail.com>
> ---
>  builtin/merge.c |   48 +++++++++++++++++++++++++++++-------------------
>  1 files changed, 29 insertions(+), 19 deletions(-)

Um, (how) does this seemingly unrelated patch belong to the series?

Thanks.

-- Ram

Re: [PATCH 4/8] cmd_merge: convert to single exit point

[Jonathan Nieder]

Ramkumar Ramachandra wrote:
> Nguyễn Thái Ngọc Duy wrote:

>> [Subject: [PATCH 4/8] cmd_merge: convert to single exit point]
>>
>> This makes post-processing easier.
>>
>> Signed-off-by: Nguyễn Thái Ngọc Duy <pclouds@gmail.com>
[...]
> Um, (how) does this seemingly unrelated patch belong to the series?

It's as Duy says --- it makes post-processing, for example to free()
a variable before returning, easier.  Which simplifies the next patch.

[PATCH 5/8] Use resolve_ref() instead of resolve_ref_unsafe()

[Nguyễn Thái Ngọc Duy]

resolve_ref_unsaf() may return a pointer to a static buffer. Callers
that use this value longer than a couple of statements should copy the
value to avoid some hidden resolve_ref() call that may change the
static buffer's value.

The bug found by Tony Wang <wwwjfy@gmail.com> in builtin/merge.c
demonstrates this. The first call is in cmd_merge()

branch = resolve_ref_unsafe("HEAD", head_sha1, 0, &flag);

Then deep in lookup_commit_or_die() a few lines after, resolve_ref()
may be called again and destroy "branch".

lookup_commit_or_die
 lookup_commit_reference
  lookup_commit_reference_gently
   parse_object
    lookup_replace_object
     do_lookup_replace_object
      prepare_replace_object
       for_each_replace_ref
        do_for_each_ref
         get_loose_refs
          get_ref_dir
           read_ref_full
	    resolve_ref_unsafe

Convert all resolve_ref_unsafe() call sites, where the return value may
be held across many function calls, to resolve_ref() and free buffer
after use.

Signed-off-by: Nguyễn Thái Ngọc Duy <pclouds@gmail.com>
---
 builtin/branch.c        |    5 +++--
 builtin/commit.c        |    3 ++-
 builtin/fmt-merge-msg.c |    8 ++++++--
 builtin/merge.c         |    4 +++-
 builtin/notes.c         |    8 ++++++--
 builtin/receive-pack.c  |    5 +++--
 reflog-walk.c           |    6 ++++--
 7 files changed, 27 insertions(+), 12 deletions(-)

diff --git a/builtin/branch.c b/builtin/branch.c
index 6903b0d..633b56e 100644
--- a/builtin/branch.c
+++ b/builtin/branch.c
@@ -103,7 +103,7 @@ static int branch_merged(int kind, const char *name,
 	 * safely to HEAD (or the other branch).
 	 */
 	struct commit *reference_rev = NULL;
-	const char *reference_name = NULL;
+	char *reference_name = NULL;
 	int merged;
 
 	if (kind == REF_LOCAL_BRANCH) {
@@ -115,7 +115,7 @@ static int branch_merged(int kind, const char *name,
 		    branch->merge[0] &&
 		    branch->merge[0]->dst &&
 		    (reference_name =
-		     resolve_ref_unsafe(branch->merge[0]->dst, sha1, 1, NULL)) != NULL)
+		     resolve_ref(branch->merge[0]->dst, sha1, 1, NULL)) != NULL)
 			reference_rev = lookup_commit_reference(sha1);
 	}
 	if (!reference_rev)
@@ -141,6 +141,7 @@ static int branch_merged(int kind, const char *name,
 				"         '%s', even though it is merged to HEAD."),
 				name, reference_name);
 	}
+	free(reference_name);
 	return merged;
 }
 
diff --git a/builtin/commit.c b/builtin/commit.c
index 0be3b45..f3a6ed2 100644
--- a/builtin/commit.c
+++ b/builtin/commit.c
@@ -1259,7 +1259,7 @@ static void print_summary(const char *prefix, const unsigned char *sha1,
 	struct commit *commit;
 	struct strbuf format = STRBUF_INIT;
 	unsigned char junk_sha1[20];
-	const char *head = resolve_ref_unsafe("HEAD", junk_sha1, 0, NULL);
+	const char *head;
 	struct pretty_print_context pctx = {0};
 	struct strbuf author_ident = STRBUF_INIT;
 	struct strbuf committer_ident = STRBUF_INIT;
@@ -1304,6 +1304,7 @@ static void print_summary(const char *prefix, const unsigned char *sha1,
 	rev.diffopt.break_opt = 0;
 	diff_setup_done(&rev.diffopt);
 
+	head = resolve_ref("HEAD", junk_sha1, 0, NULL);
 	printf("[%s%s ",
 		!prefixcmp(head, "refs/heads/") ?
 			head + 11 :
diff --git a/builtin/fmt-merge-msg.c b/builtin/fmt-merge-msg.c
index 5c9b40e..dd94c3d 100644
--- a/builtin/fmt-merge-msg.c
+++ b/builtin/fmt-merge-msg.c
@@ -261,9 +261,10 @@ static int do_fmt_merge_msg(int merge_title, struct strbuf *in,
 	int i = 0, pos = 0;
 	unsigned char head_sha1[20];
 	const char *current_branch;
+	char *ref;
 
 	/* get current branch */
-	current_branch = resolve_ref_unsafe("HEAD", head_sha1, 1, NULL);
+	current_branch = ref = resolve_ref("HEAD", head_sha1, 1, NULL);
 	if (!current_branch)
 		die("No current branch");
 	if (!prefixcmp(current_branch, "refs/heads/"))
@@ -283,8 +284,10 @@ static int do_fmt_merge_msg(int merge_title, struct strbuf *in,
 			die ("Error in line %d: %.*s", i, len, p);
 	}
 
-	if (!srcs.nr)
+	if (!srcs.nr) {
+		free(ref);
 		return 0;
+	}
 
 	if (merge_title)
 		do_fmt_merge_msg_title(out, current_branch);
@@ -306,6 +309,7 @@ static int do_fmt_merge_msg(int merge_title, struct strbuf *in,
 			shortlog(origins.items[i].string, origins.items[i].util,
 					head, &rev, shortlog_len, out);
 	}
+	free(ref);
 	return 0;
 }
 
diff --git a/builtin/merge.c b/builtin/merge.c
index 0d597b3..8be0594 100644
--- a/builtin/merge.c
+++ b/builtin/merge.c
@@ -1087,6 +1087,7 @@ int cmd_merge(int argc, const char **argv, const char *prefix)
 	struct commit_list *common = NULL;
 	const char *best_strategy = NULL, *wt_strategy = NULL;
 	struct commit_list **remotes = &remoteheads;
+	char *branch_ref;
 
 	if (argc == 2 && !strcmp(argv[1], "-h"))
 		usage_with_options(builtin_merge_usage, builtin_merge_options);
@@ -1095,7 +1096,7 @@ int cmd_merge(int argc, const char **argv, const char *prefix)
 	 * Check if we are _not_ on a detached HEAD, i.e. if there is a
 	 * current branch.
 	 */
-	branch = resolve_ref_unsafe("HEAD", head_sha1, 0, &flag);
+	branch = branch_ref = resolve_ref("HEAD", head_sha1, 0, &flag);
 	if (branch && !prefixcmp(branch, "refs/heads/"))
 		branch += 11;
 	if (!branch || is_null_sha1(head_sha1))
@@ -1497,5 +1498,6 @@ int cmd_merge(int argc, const char **argv, const char *prefix)
 		ret = suggest_conflicts(option_renormalize);
 
 done:
+	free(branch_ref);
 	return ret;
 }
diff --git a/builtin/notes.c b/builtin/notes.c
index e191ce6..725a701 100644
--- a/builtin/notes.c
+++ b/builtin/notes.c
@@ -804,6 +804,8 @@ static int merge_commit(struct notes_merge_options *o)
 	struct notes_tree *t;
 	struct commit *partial;
 	struct pretty_print_context pretty_ctx;
+	char *ref;
+	int ret;
 
 	/*
 	 * Read partial merge result from .git/NOTES_MERGE_PARTIAL,
@@ -825,7 +827,7 @@ static int merge_commit(struct notes_merge_options *o)
 	t = xcalloc(1, sizeof(struct notes_tree));
 	init_notes(t, "NOTES_MERGE_PARTIAL", combine_notes_overwrite, 0);
 
-	o->local_ref = resolve_ref_unsafe("NOTES_MERGE_REF", sha1, 0, NULL);
+	o->local_ref = ref = resolve_ref("NOTES_MERGE_REF", sha1, 0, NULL);
 	if (!o->local_ref)
 		die("Failed to resolve NOTES_MERGE_REF");
 
@@ -843,7 +845,9 @@ static int merge_commit(struct notes_merge_options *o)
 
 	free_notes(t);
 	strbuf_release(&msg);
-	return merge_abort(o);
+	ret = merge_abort(o);
+	free(ref);
+	return ret;
 }
 
 static int merge(int argc, const char **argv, const char *prefix)
diff --git a/builtin/receive-pack.c b/builtin/receive-pack.c
index 333f2b0..d41884a 100644
--- a/builtin/receive-pack.c
+++ b/builtin/receive-pack.c
@@ -36,7 +36,7 @@ static int use_sideband;
 static int prefer_ofs_delta = 1;
 static int auto_update_server_info;
 static int auto_gc = 1;
-static const char *head_name;
+static char *head_name;
 static int sent_capabilities;
 
 static enum deny_action parse_deny_action(const char *var, const char *value)
@@ -695,7 +695,8 @@ static void execute_commands(struct command *commands, const char *unpacker_erro
 
 	check_aliased_updates(commands);
 
-	head_name = resolve_ref_unsafe("HEAD", sha1, 0, NULL);
+	free(head_name);
+	head_name = resolve_ref("HEAD", sha1, 0, NULL);
 
 	for (cmd = commands; cmd; cmd = cmd->next)
 		if (!cmd->skip_update)
diff --git a/reflog-walk.c b/reflog-walk.c
index b9b2453..2d5aee0 100644
--- a/reflog-walk.c
+++ b/reflog-walk.c
@@ -50,9 +50,11 @@ static struct complete_reflogs *read_complete_reflog(const char *ref)
 	for_each_reflog_ent(ref, read_one_reflog, reflogs);
 	if (reflogs->nr == 0) {
 		unsigned char sha1[20];
-		const char *name = resolve_ref_unsafe(ref, sha1, 1, NULL);
-		if (name)
+		char *name = resolve_ref(ref, sha1, 1, NULL);
+		if (name) {
 			for_each_reflog_ent(name, read_one_reflog, reflogs);
+			free(name);
+		}
 	}
 	if (reflogs->nr == 0) {
 		int len = strlen(ref);
-- 
1.7.4.74.g639db

[PATCH 6/8] Convert resolve_ref_unsafe+xstrdup to resolve_ref

[Nguyễn Thái Ngọc Duy]

Signed-off-by: Nguyễn Thái Ngọc Duy <pclouds@gmail.com>
---
 builtin/branch.c       |    3 +--
 builtin/checkout.c     |   13 +++++++------
 builtin/for-each-ref.c |    7 ++-----
 builtin/show-branch.c  |    4 +---
 reflog-walk.c          |    7 +++----
 wt-status.c            |    4 +---
 6 files changed, 15 insertions(+), 23 deletions(-)

diff --git a/builtin/branch.c b/builtin/branch.c
index 633b56e..a254898 100644
--- a/builtin/branch.c
+++ b/builtin/branch.c
@@ -689,10 +689,9 @@ int cmd_branch(int argc, const char **argv, const char *prefix)
 
 	track = git_branch_track;
 
-	head = resolve_ref_unsafe("HEAD", head_sha1, 0, NULL);
+	head = resolve_ref("HEAD", head_sha1, 0, NULL);
 	if (!head)
 		die(_("Failed to resolve HEAD as a valid ref."));
-	head = xstrdup(head);
 	if (!strcmp(head, "HEAD")) {
 		detached = 1;
 	} else {
diff --git a/builtin/checkout.c b/builtin/checkout.c
index 2b8e73b..6efb1cf 100644
--- a/builtin/checkout.c
+++ b/builtin/checkout.c
@@ -696,15 +696,14 @@ static int switch_branches(struct checkout_opts *opts, struct branch_info *new)
 {
 	int ret = 0;
 	struct branch_info old;
+	char *path;
 	unsigned char rev[20];
 	int flag;
 	memset(&old, 0, sizeof(old));
-	old.path = xstrdup(resolve_ref_unsafe("HEAD", rev, 0, &flag));
+	old.path = path = resolve_ref("HEAD", rev, 0, &flag);
 	old.commit = lookup_commit_reference_gently(rev, 1);
-	if (!(flag & REF_ISSYMREF)) {
-		free((char *)old.path);
+	if (!(flag & REF_ISSYMREF))
 		old.path = NULL;
-	}
 
 	if (old.path && !prefixcmp(old.path, "refs/heads/"))
 		old.name = old.path + strlen("refs/heads/");
@@ -718,8 +717,10 @@ static int switch_branches(struct checkout_opts *opts, struct branch_info *new)
 	}
 
 	ret = merge_working_tree(opts, &old, new);
-	if (ret)
+	if (ret) {
+		free(path);
 		return ret;
+	}
 
 	if (!opts->quiet && !old.path && old.commit && new->commit != old.commit)
 		orphaned_commit_warning(old.commit);
@@ -727,7 +728,7 @@ static int switch_branches(struct checkout_opts *opts, struct branch_info *new)
 	update_refs_for_switch(opts, &old, new);
 
 	ret = post_checkout_hook(old.commit, new->commit, 1);
-	free((char *)old.path);
+	free(path);
 	return ret || opts->writeout_error;
 }
 
diff --git a/builtin/for-each-ref.c b/builtin/for-each-ref.c
index b954ca8..dc19f3c 100644
--- a/builtin/for-each-ref.c
+++ b/builtin/for-each-ref.c
@@ -628,11 +628,8 @@ static void populate_value(struct refinfo *ref)
 
 	if (need_symref && (ref->flag & REF_ISSYMREF) && !ref->symref) {
 		unsigned char unused1[20];
-		const char *symref;
-		symref = resolve_ref_unsafe(ref->refname, unused1, 1, NULL);
-		if (symref)
-			ref->symref = xstrdup(symref);
-		else
+		ref->symref = resolve_ref(ref->refname, unused1, 1, NULL);
+		if (!ref->symref)
 			ref->symref = "";
 	}
 
diff --git a/builtin/show-branch.c b/builtin/show-branch.c
index 1e7bd31..9e849c7 100644
--- a/builtin/show-branch.c
+++ b/builtin/show-branch.c
@@ -726,10 +726,8 @@ int cmd_show_branch(int ac, const char **av, const char *prefix)
 
 		if (ac == 0) {
 			static const char *fake_av[2];
-			const char *refname;
 
-			refname = resolve_ref_unsafe("HEAD", sha1, 1, NULL);
-			fake_av[0] = xstrdup(refname);
+			fake_av[0] = resolve_ref("HEAD", sha1, 1, NULL);
 			fake_av[1] = NULL;
 			av = fake_av;
 			ac = 1;
diff --git a/reflog-walk.c b/reflog-walk.c
index 2d5aee0..fd17e71 100644
--- a/reflog-walk.c
+++ b/reflog-walk.c
@@ -170,11 +170,10 @@ int add_reflog_for_walk(struct reflog_walk_info *info,
 	else {
 		if (*branch == '\0') {
 			unsigned char sha1[20];
-			const char *head = resolve_ref_unsafe("HEAD", sha1, 0, NULL);
-			if (!head)
-				die ("No current branch");
 			free(branch);
-			branch = xstrdup(head);
+			branch = resolve_ref("HEAD", sha1, 0, NULL);
+			if (!branch)
+				die ("No current branch");
 		}
 		reflogs = read_complete_reflog(branch);
 		if (!reflogs || reflogs->nr == 0) {
diff --git a/wt-status.c b/wt-status.c
index cc6dad5..77adf64 100644
--- a/wt-status.c
+++ b/wt-status.c
@@ -111,7 +111,6 @@ void status_printf_more(struct wt_status *s, const char *color,
 void wt_status_prepare(struct wt_status *s)
 {
 	unsigned char sha1[20];
-	const char *head;
 
 	memset(s, 0, sizeof(*s));
 	memcpy(s->color_palette, default_wt_status_colors,
@@ -119,8 +118,7 @@ void wt_status_prepare(struct wt_status *s)
 	s->show_untracked_files = SHOW_NORMAL_UNTRACKED_FILES;
 	s->use_color = -1;
 	s->relative_paths = 1;
-	head = resolve_ref_unsafe("HEAD", sha1, 0, NULL);
-	s->branch = head ? xstrdup(head) : NULL;
+	s->branch = resolve_ref("HEAD", sha1, 0, NULL);
 	s->reference = "HEAD";
 	s->fp = stdout;
 	s->index_file = get_index_file();
-- 
1.7.4.74.g639db

Re: [PATCH 6/8] Convert resolve_ref_unsafe+xstrdup to resolve_ref

[Ramkumar Ramachandra]

Hi Nguyễn,

Nguyễn Thái Ngọc Duy wrote:
> diff --git a/builtin/checkout.c b/builtin/checkout.c
> index 2b8e73b..6efb1cf 100644
> --- a/builtin/checkout.c
> +++ b/builtin/checkout.c
> @@ -696,15 +696,14 @@ static int switch_branches(struct checkout_opts *opts, struct branch_info *new)
>  {
>        int ret = 0;
>        struct branch_info old;
> +       char *path;
>        unsigned char rev[20];
>        int flag;
>        memset(&old, 0, sizeof(old));
> -       old.path = xstrdup(resolve_ref_unsafe("HEAD", rev, 0, &flag));
> +       old.path = path = resolve_ref("HEAD", rev, 0, &flag);
>        old.commit = lookup_commit_reference_gently(rev, 1);
> -       if (!(flag & REF_ISSYMREF)) {
> -               free((char *)old.path);
> +       if (!(flag & REF_ISSYMREF))
>                old.path = NULL;
> -       }
>
>        if (old.path && !prefixcmp(old.path, "refs/heads/"))
>                old.name = old.path + strlen("refs/heads/");

This caught my eye immediately: you introduced a new "path" variable.
Let's scroll ahead and see why.

> @@ -718,8 +717,10 @@ static int switch_branches(struct checkout_opts *opts, struct branch_info *new)
>        }
>
>        ret = merge_working_tree(opts, &old, new);
> -       if (ret)
> +       if (ret) {
> +               free(path);
>                return ret;
> +       }
>
>        if (!opts->quiet && !old.path && old.commit && new->commit != old.commit)
>                orphaned_commit_warning(old.commit);
> @@ -727,7 +728,7 @@ static int switch_branches(struct checkout_opts *opts, struct branch_info *new)
>        update_refs_for_switch(opts, &old, new);
>
>        ret = post_checkout_hook(old.commit, new->commit, 1);
> -       free((char *)old.path);
> +       free(path);
>        return ret || opts->writeout_error;
>  }

Before application of your patch, if !(flag & REF_ISSYMREF) then
old.path is set to NULL and this free() would've read free(NULL).  Was
this codepath ever reached, and did you fix a bug by introducing the
new "path" variable, or was it never reached but you introduced the
new variable for clarity anyway?  Either case is worth mentioning in
the commit message, I think.

> diff --git a/builtin/for-each-ref.c b/builtin/for-each-ref.c
> index b954ca8..dc19f3c 100644
> --- a/builtin/for-each-ref.c
> +++ b/builtin/for-each-ref.c
> @@ -628,11 +628,8 @@ static void populate_value(struct refinfo *ref)
>
>        if (need_symref && (ref->flag & REF_ISSYMREF) && !ref->symref) {
>                unsigned char unused1[20];
> -               const char *symref;
> -               symref = resolve_ref_unsafe(ref->refname, unused1, 1, NULL);
> -               if (symref)
> -                       ref->symref = xstrdup(symref);
> -               else
> +               ref->symref = resolve_ref(ref->refname, unused1, 1, NULL);
> +               if (!ref->symref)
>                        ref->symref = "";
>        }
> [...]

This bit along with the others follow a common pattern: one temporary
variable was used to capture the value of resolve_ref_unsafe(), before
using xstrdup() on it to perform the actual assignment.  You changed
the resolve_ref_unsafe() to resolve_ref() and got rid of that extra
variable.

Thanks.

-- Ram

Re: [PATCH 6/8] Convert resolve_ref_unsafe+xstrdup to resolve_ref

[Nguyen Thai Ngoc Duy]

2011/11/17 Ramkumar Ramachandra <artagnon@gmail.com>:
> Hi Nguyễn,
>
> Nguyễn Thái Ngọc Duy wrote:
>> diff --git a/builtin/checkout.c b/builtin/checkout.c
>> index 2b8e73b..6efb1cf 100644
>> --- a/builtin/checkout.c
>> +++ b/builtin/checkout.c
>> @@ -696,15 +696,14 @@ static int switch_branches(struct checkout_opts *opts, struct branch_info *new)
>>  {
>>        int ret = 0;
>>        struct branch_info old;
>> +       char *path;
>>        unsigned char rev[20];
>>        int flag;
>>        memset(&old, 0, sizeof(old));
>> -       old.path = xstrdup(resolve_ref_unsafe("HEAD", rev, 0, &flag));
>> +       old.path = path = resolve_ref("HEAD", rev, 0, &flag);
>>        old.commit = lookup_commit_reference_gently(rev, 1);
>> -       if (!(flag & REF_ISSYMREF)) {
>> -               free((char *)old.path);
>> +       if (!(flag & REF_ISSYMREF))
>>                old.path = NULL;
>> -       }
>>
>>        if (old.path && !prefixcmp(old.path, "refs/heads/"))
>>                old.name = old.path + strlen("refs/heads/");
>
> This caught my eye immediately: you introduced a new "path" variable.
> Let's scroll ahead and see why.
>
>> @@ -718,8 +717,10 @@ static int switch_branches(struct checkout_opts *opts, struct branch_info *new)
>>        }
>>
>>        ret = merge_working_tree(opts, &old, new);
>> -       if (ret)
>> +       if (ret) {
>> +               free(path);
>>                return ret;
>> +       }
>>
>>        if (!opts->quiet && !old.path && old.commit && new->commit != old.commit)
>>                orphaned_commit_warning(old.commit);
>> @@ -727,7 +728,7 @@ static int switch_branches(struct checkout_opts *opts, struct branch_info *new)
>>        update_refs_for_switch(opts, &old, new);
>>
>>        ret = post_checkout_hook(old.commit, new->commit, 1);
>> -       free((char *)old.path);
>> +       free(path);
>>        return ret || opts->writeout_error;
>>  }
>
> Before application of your patch, if !(flag & REF_ISSYMREF) then
> old.path is set to NULL and this free() would've read free(NULL).  Was
> this codepath ever reached, and did you fix a bug by introducing the
> new "path" variable, or was it never reached but you introduced the
> new variable for clarity anyway?  Either case is worth mentioning in
> the commit message, I think.

free(NULL) is OK if I remember correctly, so it's not really a bug.
Although I do plug a memory leak when merge_working_tree() returns
non-zero.
-- 
Duy

[PATCH 7/8] Guard memory overwriting in resolve_ref_unsafe's static buffer

[Nguyễn Thái Ngọc Duy]

There is a potential problem with resolve_ref_unsafe() and some other
functions in git. The return value returned by resolve_ref_unsafe() may
be changed when the function is called again. Callers must make sure the
next call won't happen as long as the value is still being used.

It's usually hard to track down this kind of problem.  Michael Haggerty
has an idea [1] that, instead of passing the same static buffer to
caller every time the function is called, we free the old buffer and
allocate the new one. This way access to the old (now invalid) buffer
may be caught.

This patch applies the same principle for resolve_ref_unsafe() with a
few modifications:

 - This behavior is enabled when GIT_DEBUG_MEMCHECK is set. The ability
   is always available. We may be able to ask users to rerun with this
   flag on in suspicious cases.

 - Rely on mmap/mprotect to catch illegal access. We need valgrind or
   some other memory tracking tool to reliably catch this in Michael's
   approach.

 - Because mprotect is used instead of munmap, we definitely leak
   memory. Hopefully callers will not put resolve_ref_unsafe() in a
   loop that runs 1 million times.

 - Save caller location in the allocated buffer so we know who made this
   call in the core dump.

Also introduce a new target, "make memcheck", that runs tests with this
flag on.

[1] http://comments.gmane.org/gmane.comp.version-control.git/182209

Signed-off-by: Nguyễn Thái Ngọc Duy <pclouds@gmail.com>
---
 GIT_DEBUG_MEMCHECK should probably be ignored in Windows.

 Makefile          |    3 +++
 cache.h           |    3 ++-
 git-compat-util.h |    9 +++++++++
 refs.c            |   14 ++++++++++++--
 wrapper.c         |   21 +++++++++++++++++++++
 5 files changed, 47 insertions(+), 3 deletions(-)

diff --git a/Makefile b/Makefile
index ee34eab..d671c64 100644
--- a/Makefile
+++ b/Makefile
@@ -2220,6 +2220,9 @@ export NO_SVN_TESTS
 test: all
 	$(MAKE) -C t/ all
 
+memcheck: all
+	GIT_DEBUG_MEMCHECK=1 $(MAKE) -C t/ all
+
 test-ctype$X: ctype.o
 
 test-date$X: date.o ctype.o
diff --git a/cache.h b/cache.h
index 6b8ac8b..feb44a5 100644
--- a/cache.h
+++ b/cache.h
@@ -866,7 +866,8 @@ extern int read_ref(const char *filename, unsigned char *sha1);
  *
  * errno is sometimes set on errors, but not always.
  */
-extern const char *resolve_ref_unsafe(const char *ref, unsigned char *sha1, int reading, int *flag);
+#define resolve_ref_unsafe(ref, sha1, reading, flag) resolve_ref_unsafe_real(ref, sha1, reading, flag, __FUNCTION__, __LINE__)
+extern const char *resolve_ref_unsafe_real(const char *ref, unsigned char *sha1, int reading, int *flag, const char *file, int line);
 extern char *resolve_ref(const char *ref, unsigned char *sha1, int reading, int *flag);
 
 extern int dwim_ref(const char *str, int len, unsigned char *sha1, char **ref);
diff --git a/git-compat-util.h b/git-compat-util.h
index 5ef8ff7..d00c9c6 100644
--- a/git-compat-util.h
+++ b/git-compat-util.h
@@ -432,6 +432,15 @@ extern char *xstrndup(const char *str, size_t len);
 extern void *xrealloc(void *ptr, size_t size);
 extern void *xcalloc(size_t nmemb, size_t size);
 extern void *xmmap(void *start, size_t length, int prot, int flags, int fd, off_t offset);
+
+/*
+ * These functions are used to allocate new memory. When the memory
+ * area is no longer used, ban all access to it so any illegal access
+ * can be caught. xfree_mmap() does not really free memory.
+ */
+extern void *xmalloc_mmap(size_t, const char *file, int line);
+extern void xfree_mmap(void *);
+
 extern ssize_t xread(int fd, void *buf, size_t len);
 extern ssize_t xwrite(int fd, const void *buf, size_t len);
 extern int xdup(int fd);
diff --git a/refs.c b/refs.c
index 28496ed..62d8a37 100644
--- a/refs.c
+++ b/refs.c
@@ -497,12 +497,22 @@ static int get_packed_ref(const char *ref, unsigned char *sha1)
 	return -1;
 }
 
-const char *resolve_ref_unsafe(const char *ref, unsigned char *sha1, int reading, int *flag)
+const char *resolve_ref_unsafe_real(const char *ref, unsigned char *sha1,
+				    int reading, int *flag,
+				    const char *file, int line)
 {
 	int depth = MAXDEPTH;
 	ssize_t len;
 	char buffer[256];
-	static char ref_buffer[256];
+	static char real_ref_buffer[256];
+	static char *ref_buffer;
+
+	if (!ref_buffer && !getenv("GIT_DEBUG_MEMCHECK"))
+		ref_buffer = real_ref_buffer;
+	if (ref_buffer != real_ref_buffer) {
+		xfree_mmap(ref_buffer);
+		ref_buffer = xmalloc_mmap(256, file, line);
+	}
 
 	if (flag)
 		*flag = 0;
diff --git a/wrapper.c b/wrapper.c
index 85f09df..3120d97 100644
--- a/wrapper.c
+++ b/wrapper.c
@@ -60,6 +60,27 @@ void *xmallocz(size_t size)
 	return ret;
 }
 
+void *xmalloc_mmap(size_t size, const char *file, int line)
+{
+	int *ret = mmap(NULL, size + sizeof(int*) * 3,
+			PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_PRIVATE,
+			-1, 0);
+	if (ret == (int*)-1)
+		die_errno("unable to mmap %lu bytes anonymously",
+			  (unsigned long)size);
+
+	ret[0] = (int)file;
+	ret[1] = line;
+	ret[2] = size;
+	return ret + 3;
+}
+
+void xfree_mmap(void *p)
+{
+	if (p && mprotect(((int*)p) - 3, ((int*)p)[-1], PROT_NONE) == -1)
+		die_errno("unable to remove memory access");
+}
+
 /*
  * xmemdupz() allocates (len + 1) bytes of memory, duplicates "len" bytes of
  * "data" to the allocated memory, zero terminates the allocated memory,
-- 
1.7.4.74.g639db

[PATCH 8/8] Enable GIT_DEBUG_MEMCHECK on git_pathname()

[Nguyễn Thái Ngọc Duy]

Make git_pathname() use xmalloc_mmap/xfree_mmap to catch invalid access
to old buffer when it's already overwritten.

Signed-off-by: Nguyễn Thái Ngọc Duy <pclouds@gmail.com>
---
 cache.h |   11 +++++++----
 path.c  |   28 +++++++++++++++++++---------
 2 files changed, 26 insertions(+), 13 deletions(-)

diff --git a/cache.h b/cache.h
index feb44a5..66365fb 100644
--- a/cache.h
+++ b/cache.h
@@ -661,10 +661,13 @@ extern char *git_pathdup(const char *fmt, ...)
 	__attribute__((format (printf, 1, 2)));
 
 /* Return a statically allocated filename matching the sha1 signature */
-extern char *mkpath(const char *fmt, ...) __attribute__((format (printf, 1, 2)));
-extern char *git_path(const char *fmt, ...) __attribute__((format (printf, 1, 2)));
-extern char *git_path_submodule(const char *path, const char *fmt, ...)
-	__attribute__((format (printf, 2, 3)));
+#define mkpath(...) mkpath_real(__FUNCTION__, __LINE__, __VA_ARGS__)
+extern char *mkpath_real(const char *file, int line, const char *fmt, ...) __attribute__((format (printf, 3, 4)));
+#define git_path( ...) git_path_real(__FUNCTION__, __LINE__, __VA_ARGS__)
+extern char *git_path_real(const char *file, int line, const char *fmt, ...) __attribute__((format (printf, 3, 4)));
+#define git_path_submodule(path, ...) git_path_submodule_real(__FUNCTION__, __LINE__, path, __VA_ARGS__)
+extern char *git_path_submodule_real(const char *file, int line, const char *path, const char *fmt, ...)
+	__attribute__((format (printf, 4, 5)));
 
 extern char *sha1_file_name(const unsigned char *sha1);
 extern char *sha1_pack_name(const unsigned char *sha1);
diff --git a/path.c b/path.c
index b6f71d1..d2aa941 100644
--- a/path.c
+++ b/path.c
@@ -15,11 +15,21 @@
 
 static char bad_path[] = "/bad-path/";
 
-static char *get_pathname(void)
+static char *get_pathname(const char *file, int line)
 {
-	static char pathname_array[4][PATH_MAX];
+	static char real_pathname_array[4][PATH_MAX];
+	static char *pathname_array[4];
 	static int index;
-	return pathname_array[3 & ++index];
+	int idx = 3 & ++index;
+
+	if (!pathname_array[idx] && !getenv("GIT_DEBUG_MEMCHECK"))
+		pathname_array[idx] = real_pathname_array[idx];
+
+	if (pathname_array[idx] != real_pathname_array[idx]) {
+		xfree_mmap(pathname_array[idx]);
+		pathname_array[idx] = xmalloc_mmap(PATH_MAX, file, line);
+	}
+	return pathname_array[idx];
 }
 
 static char *cleanup_path(char *path)
@@ -87,11 +97,11 @@ char *git_pathdup(const char *fmt, ...)
 	return xstrdup(path);
 }
 
-char *mkpath(const char *fmt, ...)
+char *mkpath_real(const char *file, int line, const char *fmt, ...)
 {
 	va_list args;
 	unsigned len;
-	char *pathname = get_pathname();
+	char *pathname = get_pathname(file, line);
 
 	va_start(args, fmt);
 	len = vsnprintf(pathname, PATH_MAX, fmt, args);
@@ -101,10 +111,10 @@ char *mkpath(const char *fmt, ...)
 	return cleanup_path(pathname);
 }
 
-char *git_path(const char *fmt, ...)
+char *git_path_real(const char *file, int line, const char *fmt, ...)
 {
 	const char *git_dir = get_git_dir();
-	char *pathname = get_pathname();
+	char *pathname = get_pathname(file, line);
 	va_list args;
 	unsigned len;
 
@@ -122,9 +132,9 @@ char *git_path(const char *fmt, ...)
 	return cleanup_path(pathname);
 }
 
-char *git_path_submodule(const char *path, const char *fmt, ...)
+char *git_path_submodule_real(const char *file, int line, const char *path, const char *fmt, ...)
 {
-	char *pathname = get_pathname();
+	char *pathname = get_pathname(file, line);
 	struct strbuf buf = STRBUF_INIT;
 	const char *git_dir;
 	va_list args;
-- 
1.7.4.74.g639db

Re: [PATCH 8/8] Enable GIT_DEBUG_MEMCHECK on git_pathname()

[Ramkumar Ramachandra]

Hi Nguyễn,

Nguyễn Thái Ngọc Duy writes:
> diff --git a/cache.h b/cache.h
> index feb44a5..66365fb 100644
> --- a/cache.h
> +++ b/cache.h
> @@ -661,10 +661,13 @@ extern char *git_pathdup(const char *fmt, ...)
>        __attribute__((format (printf, 1, 2)));
>
>  /* Return a statically allocated filename matching the sha1 signature */
> -extern char *mkpath(const char *fmt, ...) __attribute__((format (printf, 1, 2)));
> -extern char *git_path(const char *fmt, ...) __attribute__((format (printf, 1, 2)));
> -extern char *git_path_submodule(const char *path, const char *fmt, ...)
> -       __attribute__((format (printf, 2, 3)));
> +#define mkpath(...) mkpath_real(__FUNCTION__, __LINE__, __VA_ARGS__)
> +extern char *mkpath_real(const char *file, int line, const char *fmt, ...) __attribute__((format (printf, 3, 4)));
> +#define git_path( ...) git_path_real(__FUNCTION__, __LINE__, __VA_ARGS__)
> +extern char *git_path_real(const char *file, int line, const char *fmt, ...) __attribute__((format (printf, 3, 4)));
> +#define git_path_submodule(path, ...) git_path_submodule_real(__FUNCTION__, __LINE__, path, __VA_ARGS__)
> +extern char *git_path_submodule_real(const char *file, int line, const char *path, const char *fmt, ...)
> +       __attribute__((format (printf, 4, 5)));

The macros __FILE__, __LINE__ and __VA_ARGS__ are gcc-specific
extensions, no?  I was curious to see if some other parts of Git are
using this: a quick grep returns mailmap.c and notes-merge.c.  They
both use __VA_ARGS__ it for debugging purposes.  So, nothing new.

What happens if GIT_DEBUG_MEMCHECK is set, but I'm not using gcc?
Also, it's probably worth mentioning in the commit message that this
debugging trick is gcc-specific.

Thanks for working on this.

-- Ram

Re: [PATCH 8/8] Enable GIT_DEBUG_MEMCHECK on git_pathname()

[Jeff King]

On Thu, Nov 17, 2011 at 04:05:52PM +0530, Ramkumar Ramachandra wrote:

> The macros __FILE__, __LINE__ and __VA_ARGS__ are gcc-specific
> extensions, no?  I was curious to see if some other parts of Git are
> using this: a quick grep returns mailmap.c and notes-merge.c.  They
> both use __VA_ARGS__ it for debugging purposes.  So, nothing new.

All three are in C99. I'm pretty sure __FILE__ and __LINE__ were
available in C89, but I only have a copy of C99 handy these days.
Variable-argument macros were definitely introduced in C99 (and were a
gcc extension for a while before then).

> What happens if GIT_DEBUG_MEMCHECK is set, but I'm not using gcc?
> Also, it's probably worth mentioning in the commit message that this
> debugging trick is gcc-specific.

Older compilers will probably barf on the variable-argument macros.

-Peff

Re: [PATCH 8/8] Enable GIT_DEBUG_MEMCHECK on git_pathname()

[Nguyen Thai Ngoc Duy]

On Thu, Nov 17, 2011 at 8:42 PM, Jeff King <peff@peff.net> wrote:
> On Thu, Nov 17, 2011 at 04:05:52PM +0530, Ramkumar Ramachandra wrote:
>
>> The macros __FILE__, __LINE__ and __VA_ARGS__ are gcc-specific
>> extensions, no?  I was curious to see if some other parts of Git are
>> using this: a quick grep returns mailmap.c and notes-merge.c.  They
>> both use __VA_ARGS__ it for debugging purposes.  So, nothing new.
>
> All three are in C99. I'm pretty sure __FILE__ and __LINE__ were
> available in C89, but I only have a copy of C99 handy these days.
> Variable-argument macros were definitely introduced in C99 (and were a
> gcc extension for a while before then).
>
>> What happens if GIT_DEBUG_MEMCHECK is set, but I'm not using gcc?
>> Also, it's probably worth mentioning in the commit message that this
>> debugging trick is gcc-specific.
>
> Older compilers will probably barf on the variable-argument macros.

Anyway to detect if __VA_ARGS__ is supported at compile time? I guess
#ifdef __GNUC__ is the last resort.

notes-merge.c introduces __VA_ARGS__ since v1.7.4 so we may want to do
something there too.
-- 
Duy

Re: [PATCH 8/8] Enable GIT_DEBUG_MEMCHECK on git_pathname()

[Jeff King]

On Fri, Nov 18, 2011 at 08:12:27AM +0700, Nguyen Thai Ngoc Duy wrote:

> > Older compilers will probably barf on the variable-argument macros.
> 
> Anyway to detect if __VA_ARGS__ is supported at compile time? I guess
> #ifdef __GNUC__ is the last resort.

You can check "#if __STDC_VERSION__ >= 19901L", but that will of course
only tell you whether you have C99; older gcc (and possibly other
compilers) supported __VA_ARGS__ even before it was standardized.

But more annoying is that there isn't a great fallback to __VA_ARGS__.
If you can't use it, then every callsite has to have the same number of
arguments. So it's not like you can localize the fallback code to just
the definition.

Unless you really need macro-like behavior, you're probably better off
using a variadic function and making it a static inline on platforms
which can do so.

> notes-merge.c introduces __VA_ARGS__ since v1.7.4 so we may want to do
> something there too.

I hadn't noticed. That definitely violates our usual rules about
portability.  That usage can easily be turned into an inline function.
However, since nobody has complained in the past year, it makes me
wonder if we are overly conservative (my guess is that people on crazy
old compilers just don't keep up with git. Which maybe means they aren't
worth worrying about. But who knows).

-Peff

Re: [PATCH 8/8] Enable GIT_DEBUG_MEMCHECK on git_pathname()

[Jonathan Nieder]

Jeff King wrote:
> On Fri, Nov 18, 2011 at 08:12:27AM +0700, Nguyen Thai Ngoc Duy wrote:

>> notes-merge.c introduces __VA_ARGS__ since v1.7.4 so we may want to do
>> something there too.
>
> I hadn't noticed. That definitely violates our usual rules about
> portability.  That usage can easily be turned into an inline function.
> However, since nobody has complained in the past year, it makes me
> wonder if we are overly conservative (my guess is that people on crazy
> old compilers just don't keep up with git. Which maybe means they aren't
> worth worrying about. But who knows).

I suspect we didn't notice because MSVC 2005 and later have some
(limited, as far as I can tell from web searches) support for
__VA_ARGS__.

Re: [PATCH 8/8] Enable GIT_DEBUG_MEMCHECK on git_pathname()

[Nguyen Thai Ngoc Duy]

On Fri, Nov 18, 2011 at 8:27 AM, Jeff King <peff@peff.net> wrote:
> On Fri, Nov 18, 2011 at 08:12:27AM +0700, Nguyen Thai Ngoc Duy wrote:
>
>> > Older compilers will probably barf on the variable-argument macros.
>>
>> Anyway to detect if __VA_ARGS__ is supported at compile time? I guess
>> #ifdef __GNUC__ is the last resort.
>
> You can check "#if __STDC_VERSION__ >= 19901L", but that will of course
> only tell you whether you have C99; older gcc (and possibly other
> compilers) supported __VA_ARGS__ even before it was standardized.
>
> But more annoying is that there isn't a great fallback to __VA_ARGS__.
> If you can't use it, then every callsite has to have the same number of
> arguments. So it's not like you can localize the fallback code to just
> the definition.
>
> Unless you really need macro-like behavior, you're probably better off
> using a variadic function and making it a static inline on platforms
> which can do so.

I need to save __FILE__ and __LINE__ of call site, inline functions
probably don't help.

>> notes-merge.c introduces __VA_ARGS__ since v1.7.4 so we may want to do
>> something there too.
>
> I hadn't noticed. That definitely violates our usual rules about
> portability.  That usage can easily be turned into an inline function.
> However, since nobody has complained in the past year, it makes me
> wonder if we are overly conservative (my guess is that people on crazy
> old compilers just don't keep up with git. Which maybe means they aren't
> worth worrying about. But who knows).

For the record, Sun C compiler 5.9 seems to support it.
-- 
Duy

Re: [PATCH 8/8] Enable GIT_DEBUG_MEMCHECK on git_pathname()

[Jeff King]

On Fri, Nov 18, 2011 at 08:50:20AM +0700, Nguyen Thai Ngoc Duy wrote:

> > Unless you really need macro-like behavior, you're probably better off
> > using a variadic function and making it a static inline on platforms
> > which can do so.
> 
> I need to save __FILE__ and __LINE__ of call site, inline functions
> probably don't help.

Yeah, you'd have to pass them in to the function. Which of course you
can't wrap with a macro, because the whole thing is variadic.

-Peff

Re: [PATCH 8/8] Enable GIT_DEBUG_MEMCHECK on git_pathname()

[Jonathan Nieder]

Nguyen Thai Ngoc Duy wrote:

> Anyway to detect if __VA_ARGS__ is supported at compile time? I guess
> #ifdef __GNUC__ is the last resort.

Why would one want to do that?  Either your feature requires C99 (so the
build can error out if __VA_ARGS__ support is missing) or it doesn't.

> notes-merge.c introduces __VA_ARGS__ since v1.7.4 so we may want to do
> something there too.

Good catch.  How about this patch?  It seems I forgot to send it out
last May and it has been rotting in my local tree ever since.

-- >8 --
Subject: notes merge: eliminate OUTPUT macro

The macro is variadic, which breaks support for pre-C99 compilers,
and it hides an "if", which can make code hard to understand on
first reading if some arguments have side-effects.

The OUTPUT macro seems to have been inspired by the "output" function
from merge-recursive.  But that function in merge-recursive exists to
indent output based on the level of recursion and there is no similar
justification for such a function in "notes merge".

Noticed with 'make CC="gcc -std=c89 -pedantic"':

 notes-merge.c:24:22: warning: anonymous variadic macros were introduced in C99 [-Wvariadic-macros]

Encouraged-by: Nguyễn Thái Ngọc Duy <pclouds@gmail.com>
Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
---
 notes-merge.c |  104 +++++++++++++++++++++++++++++++++-----------------------
 1 files changed, 61 insertions(+), 43 deletions(-)

diff --git a/notes-merge.c b/notes-merge.c
index baaf31f4..d0e5034d 100644
--- a/notes-merge.c
+++ b/notes-merge.c
@@ -21,14 +21,6 @@ void init_notes_merge_options(struct notes_merge_options *o)
 	o->verbosity = NOTES_MERGE_VERBOSITY_DEFAULT;
 }
 
-#define OUTPUT(o, v, ...) \
-	do { \
-		if ((o)->verbosity >= (v)) { \
-			printf(__VA_ARGS__); \
-			puts(""); \
-		} \
-	} while (0)
-
 static int path_to_sha1(const char *path, unsigned char *sha1)
 {
 	char hex_sha1[40];
@@ -392,21 +384,26 @@ static int merge_one_change_manual(struct notes_merge_options *o,
 
 	strbuf_addf(&(o->commit_msg), "\t%s\n", sha1_to_hex(p->obj));
 
-	OUTPUT(o, 2, "Auto-merging notes for %s", sha1_to_hex(p->obj));
+	if (o->verbosity >= 2)
+		printf("Auto-merging notes for %s\n", sha1_to_hex(p->obj));
 	check_notes_merge_worktree(o);
 	if (is_null_sha1(p->local)) {
 		/* D/F conflict, checkout p->remote */
 		assert(!is_null_sha1(p->remote));
-		OUTPUT(o, 1, "CONFLICT (delete/modify): Notes for object %s "
-		       "deleted in %s and modified in %s. Version from %s "
-		       "left in tree.", sha1_to_hex(p->obj), lref, rref, rref);
+		if (o->verbosity >= 1)
+			printf("CONFLICT (delete/modify): Notes for object %s "
+				"deleted in %s and modified in %s. Version from %s "
+				"left in tree.\n",
+				sha1_to_hex(p->obj), lref, rref, rref);
 		write_note_to_worktree(p->obj, p->remote);
 	} else if (is_null_sha1(p->remote)) {
 		/* D/F conflict, checkout p->local */
 		assert(!is_null_sha1(p->local));
-		OUTPUT(o, 1, "CONFLICT (delete/modify): Notes for object %s "
-		       "deleted in %s and modified in %s. Version from %s "
-		       "left in tree.", sha1_to_hex(p->obj), rref, lref, lref);
+		if (o->verbosity >= 1)
+			printf("CONFLICT (delete/modify): Notes for object %s "
+				"deleted in %s and modified in %s. Version from %s "
+				"left in tree.\n",
+				sha1_to_hex(p->obj), rref, lref, lref);
 		write_note_to_worktree(p->obj, p->local);
 	} else {
 		/* "regular" conflict, checkout result of ll_merge() */
@@ -415,8 +412,9 @@ static int merge_one_change_manual(struct notes_merge_options *o,
 			reason = "add/add";
 		assert(!is_null_sha1(p->local));
 		assert(!is_null_sha1(p->remote));
-		OUTPUT(o, 1, "CONFLICT (%s): Merge conflict in notes for "
-		       "object %s", reason, sha1_to_hex(p->obj));
+		if (o->verbosity >= 1)
+			printf("CONFLICT (%s): Merge conflict in notes for "
+				"object %s\n", reason, sha1_to_hex(p->obj));
 		ll_merge_in_worktree(o, p);
 	}
 
@@ -438,24 +436,30 @@ static int merge_one_change(struct notes_merge_options *o,
 	case NOTES_MERGE_RESOLVE_MANUAL:
 		return merge_one_change_manual(o, p, t);
 	case NOTES_MERGE_RESOLVE_OURS:
-		OUTPUT(o, 2, "Using local notes for %s", sha1_to_hex(p->obj));
+		if (o->verbosity >= 2)
+			printf("Using local notes for %s\n",
+						sha1_to_hex(p->obj));
 		/* nothing to do */
 		return 0;
 	case NOTES_MERGE_RESOLVE_THEIRS:
-		OUTPUT(o, 2, "Using remote notes for %s", sha1_to_hex(p->obj));
+		if (o->verbosity >= 2)
+			printf("Using remote notes for %s\n",
+						sha1_to_hex(p->obj));
 		if (add_note(t, p->obj, p->remote, combine_notes_overwrite))
 			die("BUG: combine_notes_overwrite failed");
 		return 0;
 	case NOTES_MERGE_RESOLVE_UNION:
-		OUTPUT(o, 2, "Concatenating local and remote notes for %s",
-		       sha1_to_hex(p->obj));
+		if (o->verbosity >= 2)
+			printf("Concatenating local and remote notes for %s\n",
+							sha1_to_hex(p->obj));
 		if (add_note(t, p->obj, p->remote, combine_notes_concatenate))
 			die("failed to concatenate notes "
 			    "(combine_notes_concatenate)");
 		return 0;
 	case NOTES_MERGE_RESOLVE_CAT_SORT_UNIQ:
-		OUTPUT(o, 2, "Concatenating unique lines in local and remote "
-		       "notes for %s", sha1_to_hex(p->obj));
+		if (o->verbosity >= 2)
+			printf("Concatenating unique lines in local and remote "
+				"notes for %s\n", sha1_to_hex(p->obj));
 		if (add_note(t, p->obj, p->remote, combine_notes_cat_sort_uniq))
 			die("failed to concatenate notes "
 			    "(combine_notes_cat_sort_uniq)");
@@ -518,8 +522,9 @@ static int merge_from_diffs(struct notes_merge_options *o,
 	conflicts = merge_changes(o, changes, &num_changes, t);
 	free(changes);
 
-	OUTPUT(o, 4, "Merge result: %i unmerged notes and a %s notes tree",
-	       conflicts, t->dirty ? "dirty" : "clean");
+	if (o->verbosity >= 4)
+		printf("Merge result: %i unmerged notes and a %s notes tree\n",
+			conflicts, t->dirty ? "dirty" : "clean");
 
 	return conflicts ? -1 : 1;
 }
@@ -616,33 +621,40 @@ int notes_merge(struct notes_merge_options *o,
 	if (!bases) {
 		base_sha1 = null_sha1;
 		base_tree_sha1 = EMPTY_TREE_SHA1_BIN;
-		OUTPUT(o, 4, "No merge base found; doing history-less merge");
+		if (o->verbosity >= 4)
+			printf("No merge base found; doing history-less merge\n");
 	} else if (!bases->next) {
 		base_sha1 = bases->item->object.sha1;
 		base_tree_sha1 = bases->item->tree->object.sha1;
-		OUTPUT(o, 4, "One merge base found (%.7s)",
-		       sha1_to_hex(base_sha1));
+		if (o->verbosity >= 4)
+			printf("One merge base found (%.7s)\n",
+				sha1_to_hex(base_sha1));
 	} else {
 		/* TODO: How to handle multiple merge-bases? */
 		base_sha1 = bases->item->object.sha1;
 		base_tree_sha1 = bases->item->tree->object.sha1;
-		OUTPUT(o, 3, "Multiple merge bases found. Using the first "
-		       "(%.7s)", sha1_to_hex(base_sha1));
+		if (o->verbosity >= 3)
+			printf("Multiple merge bases found. Using the first "
+				"(%.7s)\n", sha1_to_hex(base_sha1));
 	}
 
-	OUTPUT(o, 4, "Merging remote commit %.7s into local commit %.7s with "
-	       "merge-base %.7s", sha1_to_hex(remote->object.sha1),
-	       sha1_to_hex(local->object.sha1), sha1_to_hex(base_sha1));
+	if (o->verbosity >= 4)
+		printf("Merging remote commit %.7s into local commit %.7s with "
+			"merge-base %.7s\n", sha1_to_hex(remote->object.sha1),
+			sha1_to_hex(local->object.sha1),
+			sha1_to_hex(base_sha1));
 
 	if (!hashcmp(remote->object.sha1, base_sha1)) {
 		/* Already merged; result == local commit */
-		OUTPUT(o, 2, "Already up-to-date!");
+		if (o->verbosity >= 2)
+			printf("Already up-to-date!\n");
 		hashcpy(result_sha1, local->object.sha1);
 		goto found_result;
 	}
 	if (!hashcmp(local->object.sha1, base_sha1)) {
 		/* Fast-forward; result == remote commit */
-		OUTPUT(o, 2, "Fast-forward");
+		if (o->verbosity >= 2)
+			printf("Fast-forward\n");
 		hashcpy(result_sha1, remote->object.sha1);
 		goto found_result;
 	}
@@ -684,8 +696,9 @@ int notes_merge_commit(struct notes_merge_options *o,
 	int path_len = strlen(path), i;
 	const char *msg = strstr(partial_commit->buffer, "\n\n");
 
-	OUTPUT(o, 3, "Committing notes in notes merge worktree at %.*s",
-	       path_len - 1, path);
+	if (o->verbosity >= 3)
+		printf("Committing notes in notes merge worktree at %.*s\n",
+			path_len - 1, path);
 
 	if (!msg || msg[2] == '\0')
 		die("partial notes commit has empty message");
@@ -700,7 +713,9 @@ int notes_merge_commit(struct notes_merge_options *o,
 		unsigned char obj_sha1[20], blob_sha1[20];
 
 		if (ent->len - path_len != 40 || get_sha1_hex(relpath, obj_sha1)) {
-			OUTPUT(o, 3, "Skipping non-SHA1 entry '%s'", ent->name);
+			if (o->verbosity >= 3)
+				printf("Skipping non-SHA1 entry '%s'\n",
+								ent->name);
 			continue;
 		}
 
@@ -712,14 +727,16 @@ int notes_merge_commit(struct notes_merge_options *o,
 		if (add_note(partial_tree, obj_sha1, blob_sha1, NULL))
 			die("Failed to add resolved note '%s' to notes tree",
 			    ent->name);
-		OUTPUT(o, 4, "Added resolved note for object %s: %s",
-		       sha1_to_hex(obj_sha1), sha1_to_hex(blob_sha1));
+		if (o->verbosity >= 4)
+			printf("Added resolved note for object %s: %s\n",
+				sha1_to_hex(obj_sha1), sha1_to_hex(blob_sha1));
 	}
 
 	create_notes_commit(partial_tree, partial_commit->parents, msg,
 			    result_sha1);
-	OUTPUT(o, 4, "Finalized notes merge commit: %s",
-	       sha1_to_hex(result_sha1));
+	if (o->verbosity >= 4)
+		printf("Finalized notes merge commit: %s\n",
+			sha1_to_hex(result_sha1));
 	free(path);
 	return 0;
 }
@@ -731,7 +748,8 @@ int notes_merge_abort(struct notes_merge_options *o)
 	int ret;
 
 	strbuf_addstr(&buf, git_path(NOTES_MERGE_WORKTREE));
-	OUTPUT(o, 3, "Removing notes merge worktree at %s", buf.buf);
+	if (o->verbosity >= 3)
+		printf("Removing notes merge worktree at %s\n", buf.buf);
 	ret = remove_dir_recursively(&buf, 0);
 	strbuf_release(&buf);
 	return ret;
-- 
1.7.8.rc2

Re: [PATCH 8/8] Enable GIT_DEBUG_MEMCHECK on git_pathname()

[Johan Herland]

On Fri, Nov 18, 2011 at 02:27, Jonathan Nieder <jrnieder@gmail.com> wrote:
> Subject: notes merge: eliminate OUTPUT macro
>
> The macro is variadic, which breaks support for pre-C99 compilers,
> and it hides an "if", which can make code hard to understand on
> first reading if some arguments have side-effects.
>
> The OUTPUT macro seems to have been inspired by the "output" function
> from merge-recursive.  But that function in merge-recursive exists to
> indent output based on the level of recursion and there is no similar
> justification for such a function in "notes merge".
>
> Noticed with 'make CC="gcc -std=c89 -pedantic"':
>
>  notes-merge.c:24:22: warning: anonymous variadic macros were introduced in C99 [-Wvariadic-macros]
>
> Encouraged-by: Nguyễn Thái Ngọc Duy <pclouds@gmail.com>
> Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>

Acked-by: Johan Herland <johan@herland.net>

-- 
Johan Herland, <johan@herland.net>
www.herland.net

Re: [PATCH 8/8] Enable GIT_DEBUG_MEMCHECK on git_pathname()

[Jonathan Nieder]

Johan Herland wrote:

> Acked-by: Johan Herland <johan@herland.net>

Thanks for looking it over.

Re: [PATCH 8/8] Enable GIT_DEBUG_MEMCHECK on git_pathname()

[Junio C Hamano]

Thanks, both. Will queue.

Re: [PATCH 8/8] Enable GIT_DEBUG_MEMCHECK on git_pathname()

[Bernhard R. Link]

* Jeff King <peff@peff.net> [111117 14:42]:
> Variable-argument macros were definitely introduced in C99 (and were a
> gcc extension for a while before then).

Though AFAIK not that long. Before that gcc had it's own variadic
syntax a la

#define eprintf(args...) fprintf (stderr, args)

	Bernhard R. Link

Re: [PATCH 0/8] nd/resolve-ref v2

[Jonathan Nieder]

Hi,

Nguyễn Thái Ngọc Duy wrote:

> Nguyễn Thái Ngọc Duy (8):

Here are some comments from a quick glance over the series, to avoid
too much noise that would distract from reports about the upcoming
release.

>   Convert many resolve_ref() calls to read_ref*() and ref_exists()
>   Rename resolve_ref() to resolve_ref_unsafe()

I like the general direction of the series (and especially patch 1/8).
As Junio nicely explains at [1], it is too tempting to keep and pass
around the canonical representation of a refname returned by
resolve_ref() without remembering to copy it.

>   Re-add resolve_ref() that always returns an allocated buffer

Makes me nervous, since it would introduce memory leaks if some other
patch in flight calls resolve_ref().  Why not call it ref_resolve() or
something?

>   cmd_merge: convert to single exit point
>   Use resolve_ref() instead of resolve_ref_unsafe()

The print_summary() change introduces a leak.

[...]
>   Guard memory overwriting in resolve_ref_unsafe's static buffer
>   Enable GIT_DEBUG_MEMCHECK on git_pathname()

__VA_ARGS__ was introduced in C99.  I suspect some compilers that
currently can compile git don't support it.  But if you need to use
it, that wouldn't rule out doing so in some corner guarded with an
#ifdef.

Looks pleasant overall.  I look forward to looking more closely at
this later.

Ciao,
Jonathan

[1] http://thread.gmane.org/gmane.comp.version-control.git/185446/focus=185519

Re: [PATCH 0/8] nd/resolve-ref v2

[Nguyen Thai Ngoc Duy]

2011/11/17 Jonathan Nieder <jrnieder@gmail.com>:
> Hi,
>
> Nguyễn Thái Ngọc Duy wrote:
>
>> Nguyễn Thái Ngọc Duy (8):
>
> Here are some comments from a quick glance over the series, to avoid
> too much noise that would distract from reports about the upcoming
> release.

Sorry for the late reply. Somehow I managed to miss your mail.

>>   Re-add resolve_ref() that always returns an allocated buffer
>
> Makes me nervous, since it would introduce memory leaks if some other
> patch in flight calls resolve_ref().  Why not call it ref_resolve() or
> something?

Yeah, I made the same mistake before and made it again.

>>   Enable GIT_DEBUG_MEMCHECK on git_pathname()
>
> __VA_ARGS__ was introduced in C99.  I suspect some compilers that
> currently can compile git don't support it.  But if you need to use
> it, that wouldn't rule out doing so in some corner guarded with an
> #ifdef.
>
> Looks pleasant overall.  I look forward to looking more closely at
> this later.

This patch is bonus anyway and I think I'll drop it. Keeping a bunch
of ifdefs looks really ugly. I think having git_pathname()'s static
buffer per callsite file would be a good thing to do instead.
-- 
Duy