[PATCH v2 00/17] Fix some mkdir/rmdir races

[PATCH v2 00/17] Fix some mkdir/rmdir races

[Michael Haggerty]

This is v2 of changes [1] to remove some mkdir/rmdir races around
safe_create_leading_directories() and a couple of its callers.  Thanks
to Jonathan Nieder for his thorough review of v1 and to Ramsay Jones
for pointing out a typo.  I think I have addressed all of their
suggestions.

This patch series has a bigger scope than v1.  The main differences is
that I took Jonathan's (implicit?) suggestion to move the retrying to
a level higher, where files are actually created in the directories
and therefore the directories are definitely no longer subject to
pruning.

Differences from v1:

* Improve some commit messages

* Break up some changes to safe_create_leading_directories() into
  smaller steps.

* Fix a problem in safe_create_leading_directories() when handling
  paths with multiple slashes (e.g., "foo//bar").  (I noticed this
  pre-existing problem while making the other changes.)

* Change how retrying is done:

  * safe_create_leading_directories() doesn't retry internally;
    instead, its return value is turned into an enum with a new value,
    SCLD_VANISHED, that indicates that a directory along the path
    vanished while it was working.  This return value is an indication
    that its caller might want to try calling the function again.

  * Change rename_ref() to retry if either
    safe_create_leading_directories() returns SCLD_VANISHED or if its
    own call to rename() returns ENOENT.

* Fix a similar mkdir/rmdir race in lock_ref_sha1_basic().  This one
  is actually more interesting than the one in rename_ref() because it
  can be triggered internal to git.

* Fix a race in remove_dir_recurse(): if somebody else deletes a file
  or directory that the function wanted to delete anyway, don't treat
  it as an error.

The main git-internal race that I know to be fixed by these changes is
when pack-refs is trying to delete empty directories at the same time
as another process is trying to create a new reference.  It can be
reproduced by this script:

    BRANCHES="foo/bar/xyzzy foo/bar/plugh"
    HEADS="h1 h2"

    rm -rf test-repo
    $GIT init test-repo
    cd test-repo
    $GIT config user.name 'Lou User'
    $GIT config user.email 'luser@example.com'

    for h in $HEADS
    do
        $GIT commit --allow-empty -m $h
        $GIT branch $h
    done

    (
        while true
        do
    	for b in $BRANCHES
    	do
    	    for h in $HEADS
    	    do
    		$GIT update-ref refs/heads/$b $h
    	    done
    	done
        done
    ) &
    pid1=$!

    (
        while true
        do
    	$GIT pack-refs --all
        done
    ) &
    pid2=$!

The script has to fail if update-ref and pack-refs try to lock the
same reference at the same time, because we don't handle lock
contention:

    fatal: Unable to create '/home/mhagger/tmp/test-repo/.git/refs/heads/foo/bar/plugh.lock': File exists.

    If no other git process is currently running, this probably means a
    git process crashed in this repository earlier. Make sure no other git
    process is running and remove the file manually to continue.

Also, if update-ref changes the value of a reference while pack-refs
is running, then pack-refs emits a warning and leaves the new value of
the loose reference in place:

    error: Ref refs/heads/foo/bar/xyzzy is at 003a9cedc3ec79b8f589b158ffe91177f0a611b3 but expected 34bf1e34d27a639732a01fef0a791e58c2c0882f

But it used to have other unnecessary failures, too, related to
mkdir/rmdir races between the two programs:

    error: unable to create directory for .git/refs/heads/foo/bar/plugh

and

    fatal: Unable to create '/home/mhagger/tmp/test-repo/.git/refs/heads/foo/bar/plugh.lock': No such file or directory

This patch series eliminates the last two types of failures.  Here are
tallies of failures from running the above script for 60 seconds
before and after this change.  Before:

    Total updates: 46900
    Unable to create '*.lock': File exists: 1992
    * is at * but expected *: 940
    unable to create directory: 187
    Unable to create '*.lock': No such file or directory: 197

After:

    Total updates: 47892
    Unable to create '*.lock': File exists: 2105
    * is at * but expected *: 835
    unable to create directory: 0
    Unable to create '*.lock': No such file or directory: 0

Clearly, more work is still needed in this area.  For example, the "*
is at * but expected *" errors are not really errors at all and should
not be reported as such.  And we might want to consider adding a short
delay and then a retry when acquiring locks.  If I run the same test
script with the following patch, then most or all of the "Unable to
create '*.lock': File exists" errors go away too.

======================================================================
diff --git a/refs.c b/refs.c
index 810f802..b3ff1f5 100644
--- a/refs.c
+++ b/refs.c
@@ -2117,7 +2117,10 @@ static struct ref_lock *lock_ref_sha1_basic(const char *refname,
                         * again:
                         */
                        goto retry;
-               else
+               else if (errno == EEXIST && --attempts > 0) {
+                       usleep(1000);
+                       goto retry;
+               } else
                        unable_to_lock_index_die(ref_file, errno);
        }
        return old_sha1 ? verify_lock(lock, old_sha1, mustexist) : lock;
======================================================================

I hope to do some more work here in the near future.

[1] Version 1: http://thread.gmane.org/gmane.comp.version-control.git/239638

Michael Haggerty (17):
  safe_create_leading_directories(): fix format of "if" chaining
  safe_create_leading_directories(): reduce scope of local variable
  safe_create_leading_directories(): add explicit "slash" pointer
  safe_create_leading_directories(): rename local variable
  safe_create_leading_directories(): split on first of multiple slashes
  safe_create_leading_directories(): always restore slash at end of loop
  safe_create_leading_directories(): introduce enum for return values
  cmd_init_db(): when creating directories, handle errors conservatively
  safe_create_leading_directories(): add new error value SCLD_VANISHED
  lock_ref_sha1_basic(): on SCLD_VANISHED, retry
  lock_ref_sha1_basic(): if locking fails with ENOENT, retry
  remove_dir_recurse(): tighten condition for removing unreadable dir
  remove_dir_recurse(): handle disappearing files and directories
  rename_ref(): extract function rename_tmp_log()
  rename_tmp_log(): handle a possible mkdir/rmdir race
  rename_tmp_log(): limit the number of remote_empty_directories()
    attempts
  rename_tmp_log(): on SCLD_VANISHED, retry

 builtin/init-db.c |  9 +++---
 cache.h           | 25 +++++++++++++--
 dir.c             | 27 +++++++++++-----
 merge-recursive.c |  2 +-
 refs.c            | 92 ++++++++++++++++++++++++++++++++++++++++---------------
 sha1_file.c       | 67 ++++++++++++++++++++++------------------
 6 files changed, 155 insertions(+), 67 deletions(-)

-- 
1.8.5.2

[PATCH v2 01/17] safe_create_leading_directories(): fix format of "if" chaining

[Michael Haggerty]

Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
---
 sha1_file.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/sha1_file.c b/sha1_file.c
index daacc0c..c9245a6 100644
--- a/sha1_file.c
+++ b/sha1_file.c
@@ -125,8 +125,7 @@ int safe_create_leading_directories(char *path)
 				*pos = '/';
 				return -3;
 			}
-		}
-		else if (mkdir(path, 0777)) {
+		} else if (mkdir(path, 0777)) {
 			if (errno == EEXIST &&
 			    !stat(path, &st) && S_ISDIR(st.st_mode)) {
 				; /* somebody created it since we checked */
@@ -134,8 +133,7 @@ int safe_create_leading_directories(char *path)
 				*pos = '/';
 				return -1;
 			}
-		}
-		else if (adjust_shared_perm(path)) {
+		} else if (adjust_shared_perm(path)) {
 			*pos = '/';
 			return -2;
 		}
-- 
1.8.5.2

[PATCH v2 02/17] safe_create_leading_directories(): reduce scope of local variable

[Michael Haggerty]

This makes it more obvious that values of "st" don't persist across
loop iterations.

Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
---
 sha1_file.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/sha1_file.c b/sha1_file.c
index c9245a6..cc9957e 100644
--- a/sha1_file.c
+++ b/sha1_file.c
@@ -108,9 +108,10 @@ int mkdir_in_gitdir(const char *path)
 int safe_create_leading_directories(char *path)
 {
 	char *pos = path + offset_1st_component(path);
-	struct stat st;
 
 	while (pos) {
+		struct stat st;
+
 		pos = strchr(pos, '/');
 		if (!pos)
 			break;
-- 
1.8.5.2

[PATCH v2 03/17] safe_create_leading_directories(): add explicit "slash" pointer

[Michael Haggerty]

Keep track of the position of the slash character independently of
"pos", thereby making the purpose of each variable clearer and
working towards other upcoming changes.

Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
---
 sha1_file.c | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/sha1_file.c b/sha1_file.c
index cc9957e..197766d 100644
--- a/sha1_file.c
+++ b/sha1_file.c
@@ -111,19 +111,21 @@ int safe_create_leading_directories(char *path)
 
 	while (pos) {
 		struct stat st;
+		char *slash = strchr(pos, '/');
 
-		pos = strchr(pos, '/');
-		if (!pos)
+		if (!slash)
 			break;
-		while (*++pos == '/')
-			;
+		while (*(slash + 1) == '/')
+			slash++;
+		pos = slash + 1;
 		if (!*pos)
 			break;
-		*--pos = '\0';
+
+		*slash = '\0';
 		if (!stat(path, &st)) {
 			/* path exists */
 			if (!S_ISDIR(st.st_mode)) {
-				*pos = '/';
+				*slash = '/';
 				return -3;
 			}
 		} else if (mkdir(path, 0777)) {
@@ -131,14 +133,14 @@ int safe_create_leading_directories(char *path)
 			    !stat(path, &st) && S_ISDIR(st.st_mode)) {
 				; /* somebody created it since we checked */
 			} else {
-				*pos = '/';
+				*slash = '/';
 				return -1;
 			}
 		} else if (adjust_shared_perm(path)) {
-			*pos = '/';
+			*slash = '/';
 			return -2;
 		}
-		*pos++ = '/';
+		*slash = '/';
 	}
 	return 0;
 }
-- 
1.8.5.2

[PATCH v2 04/17] safe_create_leading_directories(): rename local variable

[Michael Haggerty]

Rename "pos" to "next_component", because now it always points at the
next component of the path name that has to be processed.

Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
---
 sha1_file.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/sha1_file.c b/sha1_file.c
index 197766d..54202e8 100644
--- a/sha1_file.c
+++ b/sha1_file.c
@@ -107,18 +107,18 @@ int mkdir_in_gitdir(const char *path)
 
 int safe_create_leading_directories(char *path)
 {
-	char *pos = path + offset_1st_component(path);
+	char *next_component = path + offset_1st_component(path);
 
-	while (pos) {
+	while (next_component) {
 		struct stat st;
-		char *slash = strchr(pos, '/');
+		char *slash = strchr(next_component, '/');
 
 		if (!slash)
 			break;
 		while (*(slash + 1) == '/')
 			slash++;
-		pos = slash + 1;
-		if (!*pos)
+		next_component = slash + 1;
+		if (!*next_component)
 			break;
 
 		*slash = '\0';
-- 
1.8.5.2

[PATCH v2 05/17] safe_create_leading_directories(): split on first of multiple slashes

[Michael Haggerty]

If the input path has multiple slashes between path components (e.g.,
"foo//bar"), then the old code was breaking the path at the last
slash, not the first one.  So in the above example, the second slash
was overwritten with NUL, resulting in the parent directory being
sought as "foo/".

When stat() is called on "foo/", it fails with ENOTDIR if "foo" exists
but is not a directory.  This caused the wrong path to be taken in the
subsequent logic.

So instead, split path components at the first intercomponent slash
rather than the last one.

Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
---
 sha1_file.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/sha1_file.c b/sha1_file.c
index 54202e8..f3190c6 100644
--- a/sha1_file.c
+++ b/sha1_file.c
@@ -115,9 +115,10 @@ int safe_create_leading_directories(char *path)
 
 		if (!slash)
 			break;
-		while (*(slash + 1) == '/')
-			slash++;
+
 		next_component = slash + 1;
+		while (*next_component == '/')
+			next_component++;
 		if (!*next_component)
 			break;
 
-- 
1.8.5.2

[PATCH v2 06/17] safe_create_leading_directories(): always restore slash at end of loop

[Michael Haggerty]

Always restore the slash that we scribbled over at the end of the
loop, rather than also fixing it up at each premature exit from the
loop.  This makes it harder to forget to do the cleanup as new paths
are added to the code.

Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
---
 sha1_file.c | 22 +++++++++-------------
 1 file changed, 9 insertions(+), 13 deletions(-)

diff --git a/sha1_file.c b/sha1_file.c
index f3190c6..4513cbb 100644
--- a/sha1_file.c
+++ b/sha1_file.c
@@ -108,8 +108,9 @@ int mkdir_in_gitdir(const char *path)
 int safe_create_leading_directories(char *path)
 {
 	char *next_component = path + offset_1st_component(path);
+	int ret = 0;
 
-	while (next_component) {
+	while (!ret && next_component) {
 		struct stat st;
 		char *slash = strchr(next_component, '/');
 
@@ -125,25 +126,20 @@ int safe_create_leading_directories(char *path)
 		*slash = '\0';
 		if (!stat(path, &st)) {
 			/* path exists */
-			if (!S_ISDIR(st.st_mode)) {
-				*slash = '/';
-				return -3;
-			}
+			if (!S_ISDIR(st.st_mode))
+				ret = -3;
 		} else if (mkdir(path, 0777)) {
 			if (errno == EEXIST &&
-			    !stat(path, &st) && S_ISDIR(st.st_mode)) {
+			    !stat(path, &st) && S_ISDIR(st.st_mode))
 				; /* somebody created it since we checked */
-			} else {
-				*slash = '/';
-				return -1;
-			}
+			else
+				ret = -1;
 		} else if (adjust_shared_perm(path)) {
-			*slash = '/';
-			return -2;
+			ret = -2;
 		}
 		*slash = '/';
 	}
-	return 0;
+	return ret;
 }
 
 int safe_create_leading_directories_const(const char *path)
-- 
1.8.5.2

[PATCH v2 07/17] safe_create_leading_directories(): introduce enum for return values

[Michael Haggerty]

Instead of returning magic integer values (which a couple of callers
go to the trouble of distinguishing), return values from an enum.  Add
a docstring.

Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
---
 builtin/init-db.c |  4 ++--
 cache.h           | 17 +++++++++++++++--
 merge-recursive.c |  2 +-
 sha1_file.c       | 16 ++++++++--------
 4 files changed, 26 insertions(+), 13 deletions(-)

diff --git a/builtin/init-db.c b/builtin/init-db.c
index b3f03cf..6f69593 100644
--- a/builtin/init-db.c
+++ b/builtin/init-db.c
@@ -515,10 +515,10 @@ int cmd_init_db(int argc, const char **argv, const char *prefix)
 				saved = shared_repository;
 				shared_repository = 0;
 				switch (safe_create_leading_directories_const(argv[0])) {
-				case -3:
+				case SCLD_EXISTS:
 					errno = EEXIST;
 					/* fallthru */
-				case -1:
+				case SCLD_FAILED:
 					die_errno(_("cannot mkdir %s"), argv[0]);
 					break;
 				default:
diff --git a/cache.h b/cache.h
index ce377e1..c6a4157 100644
--- a/cache.h
+++ b/cache.h
@@ -736,8 +736,21 @@ enum sharedrepo {
 };
 int git_config_perm(const char *var, const char *value);
 int adjust_shared_perm(const char *path);
-int safe_create_leading_directories(char *path);
-int safe_create_leading_directories_const(const char *path);
+
+/*
+ * Create the directory containing the named path, using care to be
+ * somewhat safe against races.  Return one of the scld_error values
+ * to indicate success/failure.
+ */
+enum scld_error {
+	SCLD_OK = 0,
+	SCLD_FAILED = -1,
+	SCLD_PERMS = -2,
+	SCLD_EXISTS = -3
+};
+enum scld_error safe_create_leading_directories(char *path);
+enum scld_error safe_create_leading_directories_const(const char *path);
+
 int mkdir_in_gitdir(const char *path);
 extern void home_config_paths(char **global, char **xdg, char *file);
 extern char *expand_user_path(const char *path);
diff --git a/merge-recursive.c b/merge-recursive.c
index a18bd15..8400a8e 100644
--- a/merge-recursive.c
+++ b/merge-recursive.c
@@ -693,7 +693,7 @@ static int make_room_for_path(struct merge_options *o, const char *path)
 	/* Make sure leading directories are created */
 	status = safe_create_leading_directories_const(path);
 	if (status) {
-		if (status == -3) {
+		if (status == SCLD_EXISTS) {
 			/* something else exists */
 			error(msg, path, _(": perhaps a D/F conflict?"));
 			return -1;
diff --git a/sha1_file.c b/sha1_file.c
index 4513cbb..5594f11 100644
--- a/sha1_file.c
+++ b/sha1_file.c
@@ -105,12 +105,12 @@ int mkdir_in_gitdir(const char *path)
 	return adjust_shared_perm(path);
 }
 
-int safe_create_leading_directories(char *path)
+enum scld_error safe_create_leading_directories(char *path)
 {
 	char *next_component = path + offset_1st_component(path);
-	int ret = 0;
+	enum scld_error ret = SCLD_OK;
 
-	while (!ret && next_component) {
+	while (ret == SCLD_OK && next_component) {
 		struct stat st;
 		char *slash = strchr(next_component, '/');
 
@@ -127,26 +127,26 @@ int safe_create_leading_directories(char *path)
 		if (!stat(path, &st)) {
 			/* path exists */
 			if (!S_ISDIR(st.st_mode))
-				ret = -3;
+				ret = SCLD_EXISTS;
 		} else if (mkdir(path, 0777)) {
 			if (errno == EEXIST &&
 			    !stat(path, &st) && S_ISDIR(st.st_mode))
 				; /* somebody created it since we checked */
 			else
-				ret = -1;
+				ret = SCLD_FAILED;
 		} else if (adjust_shared_perm(path)) {
-			ret = -2;
+			ret = SCLD_PERMS;
 		}
 		*slash = '/';
 	}
 	return ret;
 }
 
-int safe_create_leading_directories_const(const char *path)
+enum scld_error safe_create_leading_directories_const(const char *path)
 {
 	/* path points to cache entries, so xstrdup before messing with it */
 	char *buf = xstrdup(path);
-	int result = safe_create_leading_directories(buf);
+	enum scld_error result = safe_create_leading_directories(buf);
 	free(buf);
 	return result;
 }
-- 
1.8.5.2

[PATCH v2 08/17] cmd_init_db(): when creating directories, handle errors conservatively

[Michael Haggerty]

safe_create_leading_directories_const() returns a non-zero value on
error.  The old code at this calling site recognized a couple of
particular error values, and treated all other return values as
success.  Instead, be more conservative: recognize the errors we are
interested in, but treat any other nonzero values as failures.  This
is more robust in case somebody adds another possible return value
without telling us.

Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
---
 builtin/init-db.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/builtin/init-db.c b/builtin/init-db.c
index 6f69593..c7c76bb 100644
--- a/builtin/init-db.c
+++ b/builtin/init-db.c
@@ -515,13 +515,14 @@ int cmd_init_db(int argc, const char **argv, const char *prefix)
 				saved = shared_repository;
 				shared_repository = 0;
 				switch (safe_create_leading_directories_const(argv[0])) {
+				case SCLD_OK:
+				case SCLD_PERMS:
+					break;
 				case SCLD_EXISTS:
 					errno = EEXIST;
 					/* fallthru */
-				case SCLD_FAILED:
-					die_errno(_("cannot mkdir %s"), argv[0]);
-					break;
 				default:
+					die_errno(_("cannot mkdir %s"), argv[0]);
 					break;
 				}
 				shared_repository = saved;
-- 
1.8.5.2

[PATCH v2 09/17] safe_create_leading_directories(): add new error value SCLD_VANISHED

[Michael Haggerty]

Add a new possible error result that can be returned by
safe_create_leading_directories() and
safe_create_leading_directories_const(): SCLD_VANISHED.  This value
indicates that a file or directory on the path existed at one point
(either it already existed or the function created it), but then it
disappeared.  This probably indicates that another process deleted the
directory while we were working.  If SCLD_VANISHED is returned, the
caller might want to retry the function call, as there is a chance
that a new attempt will succeed.

Why doesn't safe_create_leading_directories() do the retrying
internally?  Because an empty directory isn't really ever safe until
it holds a file.  So even if safe_create_leading_directories() were
absolutely sure that the directory existed before it returned, there
would be no guarantee that the directory still existed when the caller
tried to write something in it.

Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
---
 cache.h     | 10 +++++++++-
 sha1_file.c | 11 +++++++++++
 2 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/cache.h b/cache.h
index c6a4157..f34c0a7 100644
--- a/cache.h
+++ b/cache.h
@@ -741,12 +741,20 @@ int adjust_shared_perm(const char *path);
  * Create the directory containing the named path, using care to be
  * somewhat safe against races.  Return one of the scld_error values
  * to indicate success/failure.
+ *
+ * SCLD_VANISHED indicates that one of the ancestor directories of the
+ * path existed at one point during the function call and then
+ * suddenly vanished, probably because another process pruned the
+ * directory while we were working.  To be robust against this kind of
+ * race, callers might want to try invoking the function again when it
+ * returns SCLD_VANISHED.
  */
 enum scld_error {
 	SCLD_OK = 0,
 	SCLD_FAILED = -1,
 	SCLD_PERMS = -2,
-	SCLD_EXISTS = -3
+	SCLD_EXISTS = -3,
+	SCLD_VANISHED = -4
 };
 enum scld_error safe_create_leading_directories(char *path);
 enum scld_error safe_create_leading_directories_const(const char *path);
diff --git a/sha1_file.c b/sha1_file.c
index 5594f11..69a4e95 100644
--- a/sha1_file.c
+++ b/sha1_file.c
@@ -132,6 +132,17 @@ enum scld_error safe_create_leading_directories(char *path)
 			if (errno == EEXIST &&
 			    !stat(path, &st) && S_ISDIR(st.st_mode))
 				; /* somebody created it since we checked */
+			else if (errno == ENOENT)
+				/*
+				 * Either mkdir() failed because
+				 * somebody just pruned the containing
+				 * directory, or stat() failed because
+				 * the file that was in our way was
+				 * just removed.  Either way, inform
+				 * the caller that it might be worth
+				 * trying again:
+				 */
+				ret = SCLD_VANISHED;
 			else
 				ret = SCLD_FAILED;
 		} else if (adjust_shared_perm(path)) {
-- 
1.8.5.2

[PATCH v2 10/17] lock_ref_sha1_basic(): on SCLD_VANISHED, retry

[Michael Haggerty]

If safe_create_leading_directories() fails because a file along the
path unexpectedly vanished, try again (up to 3 times).

This can occur if another process is deleting directories at the same
time as we are trying to make them.  For example, "git pack-refs
--all" tries to delete the loose refs and any empty directories that
are left behind.  If a pack-refs process is running, then it might
delete a directory that we need to put a new loose reference in.

If safe_create_leading_directories() thinks this might have happened,
then take its advice and try again (maximum three attempts).

Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
---
 refs.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/refs.c b/refs.c
index 3926136..6eb8a02 100644
--- a/refs.c
+++ b/refs.c
@@ -2039,6 +2039,7 @@ static struct ref_lock *lock_ref_sha1_basic(const char *refname,
 	int type, lflags;
 	int mustexist = (old_sha1 && !is_null_sha1(old_sha1));
 	int missing = 0;
+	int attempts = 3;
 
 	lock = xcalloc(1, sizeof(struct ref_lock));
 	lock->lock_fd = -1;
@@ -2093,7 +2094,15 @@ static struct ref_lock *lock_ref_sha1_basic(const char *refname,
 	if ((flags & REF_NODEREF) && (type & REF_ISSYMREF))
 		lock->force_write = 1;
 
-	if (safe_create_leading_directories(ref_file)) {
+ retry:
+	switch (safe_create_leading_directories(ref_file)) {
+	case SCLD_OK:
+		break; /* success */
+	case SCLD_VANISHED:
+		if (--attempts > 0)
+			goto retry;
+		/* fall through */
+	default:
 		last_errno = errno;
 		error("unable to create directory for %s", ref_file);
 		goto error_return;
-- 
1.8.5.2

[PATCH v2 11/17] lock_ref_sha1_basic(): if locking fails with ENOENT, retry

[Michael Haggerty]

If hold_lock_file_for_update() fails with errno==ENOENT, it might be
because somebody else (for example, a pack-refs process) has just
deleted one of the lockfile's ancestor directories.  So if this
condition is detected, try again (up to 3 times).

Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
---
 refs.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/refs.c b/refs.c
index 6eb8a02..8a3d3ea 100644
--- a/refs.c
+++ b/refs.c
@@ -2081,7 +2081,7 @@ static struct ref_lock *lock_ref_sha1_basic(const char *refname,
 
 	lock->lk = xcalloc(1, sizeof(struct lock_file));
 
-	lflags = LOCK_DIE_ON_ERROR;
+	lflags = 0;
 	if (flags & REF_NODEREF) {
 		refname = orig_refname;
 		lflags |= LOCK_NODEREF;
@@ -2109,6 +2109,17 @@ static struct ref_lock *lock_ref_sha1_basic(const char *refname,
 	}
 
 	lock->lock_fd = hold_lock_file_for_update(lock->lk, ref_file, lflags);
+	if (lock->lock_fd < 0) {
+		if (errno == ENOENT && --attempts > 0)
+			/*
+			 * Maybe somebody just deleted one of the
+			 * directories leading to ref_file.  Try
+			 * again:
+			 */
+			goto retry;
+		else
+			unable_to_lock_index_die(ref_file, errno);
+	}
 	return old_sha1 ? verify_lock(lock, old_sha1, mustexist) : lock;
 
  error_return:
-- 
1.8.5.2

[PATCH v2 12/17] remove_dir_recurse(): tighten condition for removing unreadable dir

[Michael Haggerty]

If opendir() fails on the top-level directory, it makes sense to try
to delete it anyway--but only if the failure was due to EACCES.

Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
---
 dir.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/dir.c b/dir.c
index 23b6de4..11e1520 100644
--- a/dir.c
+++ b/dir.c
@@ -1476,8 +1476,11 @@ static int remove_dir_recurse(struct strbuf *path, int flag, int *kept_up)
 	flag &= ~REMOVE_DIR_KEEP_TOPLEVEL;
 	dir = opendir(path->buf);
 	if (!dir) {
-		/* an empty dir could be removed even if it is unreadble */
-		if (!keep_toplevel)
+		if (errno == EACCES && !keep_toplevel)
+			/*
+			 * An empty dir could be removable even if it
+			 * is unreadable:
+			 */
 			return rmdir(path->buf);
 		else
 			return -1;
-- 
1.8.5.2

[PATCH v2 13/17] remove_dir_recurse(): handle disappearing files and directories

[Michael Haggerty]

If a file or directory that we are trying to remove disappears (e.g.,
because another process has pruned it), do not consider it an error.

Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
---
 dir.c | 22 ++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)

diff --git a/dir.c b/dir.c
index 11e1520..716b613 100644
--- a/dir.c
+++ b/dir.c
@@ -1476,7 +1476,9 @@ static int remove_dir_recurse(struct strbuf *path, int flag, int *kept_up)
 	flag &= ~REMOVE_DIR_KEEP_TOPLEVEL;
 	dir = opendir(path->buf);
 	if (!dir) {
-		if (errno == EACCES && !keep_toplevel)
+		if (errno == ENOENT)
+			return keep_toplevel ? -1 : 0;
+		else if (errno == EACCES && !keep_toplevel)
 			/*
 			 * An empty dir could be removable even if it
 			 * is unreadable:
@@ -1496,13 +1498,21 @@ static int remove_dir_recurse(struct strbuf *path, int flag, int *kept_up)
 
 		strbuf_setlen(path, len);
 		strbuf_addstr(path, e->d_name);
-		if (lstat(path->buf, &st))
-			; /* fall thru */
-		else if (S_ISDIR(st.st_mode)) {
+		if (lstat(path->buf, &st)) {
+			if (errno == ENOENT)
+				/*
+				 * file disappeared, which is what we
+				 * wanted anyway
+				 */
+				continue;
+			/* fall thru */
+		} else if (S_ISDIR(st.st_mode)) {
 			if (!remove_dir_recurse(path, flag, &kept_down))
 				continue; /* happy */
-		} else if (!only_empty && !unlink(path->buf))
+		} else if (!only_empty &&
+			   (!unlink(path->buf) || errno == ENOENT)) {
 			continue; /* happy, too */
+		}
 
 		/* path too long, stat fails, or non-directory still exists */
 		ret = -1;
@@ -1512,7 +1522,7 @@ static int remove_dir_recurse(struct strbuf *path, int flag, int *kept_up)
 
 	strbuf_setlen(path, original_len);
 	if (!ret && !keep_toplevel && !kept_down)
-		ret = rmdir(path->buf);
+		ret = (!rmdir(path->buf) || errno == ENOENT) ? 0 : -1;
 	else if (kept_up)
 		/*
 		 * report the uplevel that it is not an error that we
-- 
1.8.5.2

[PATCH v2 14/17] rename_ref(): extract function rename_tmp_log()

[Michael Haggerty]

It's about to become a bit more complex.

Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
---
 refs.c | 52 ++++++++++++++++++++++++++++++----------------------
 1 file changed, 30 insertions(+), 22 deletions(-)

diff --git a/refs.c b/refs.c
index 8a3d3ea..5bc01a7 100644
--- a/refs.c
+++ b/refs.c
@@ -2528,6 +2528,35 @@ int delete_ref(const char *refname, const unsigned char *sha1, int delopt)
  */
 #define TMP_RENAMED_LOG  "logs/refs/.tmp-renamed-log"
 
+static int rename_tmp_log(const char *newrefname)
+{
+	if (safe_create_leading_directories(git_path("logs/%s", newrefname))) {
+		error("unable to create directory for %s", newrefname);
+		return -1;
+	}
+
+ retry:
+	if (rename(git_path(TMP_RENAMED_LOG), git_path("logs/%s", newrefname))) {
+		if (errno==EISDIR || errno==ENOTDIR) {
+			/*
+			 * rename(a, b) when b is an existing
+			 * directory ought to result in ISDIR, but
+			 * Solaris 5.8 gives ENOTDIR.  Sheesh.
+			 */
+			if (remove_empty_directories(git_path("logs/%s", newrefname))) {
+				error("Directory not empty: logs/%s", newrefname);
+				return -1;
+			}
+			goto retry;
+		} else {
+			error("unable to move logfile "TMP_RENAMED_LOG" to logs/%s: %s",
+				newrefname, strerror(errno));
+			return -1;
+		}
+	}
+	return 0;
+}
+
 int rename_ref(const char *oldrefname, const char *newrefname, const char *logmsg)
 {
 	unsigned char sha1[20], orig_sha1[20];
@@ -2575,30 +2604,9 @@ int rename_ref(const char *oldrefname, const char *newrefname, const char *logms
 		}
 	}
 
-	if (log && safe_create_leading_directories(git_path("logs/%s", newrefname))) {
-		error("unable to create directory for %s", newrefname);
+	if (log && rename_tmp_log(newrefname))
 		goto rollback;
-	}
 
- retry:
-	if (log && rename(git_path(TMP_RENAMED_LOG), git_path("logs/%s", newrefname))) {
-		if (errno==EISDIR || errno==ENOTDIR) {
-			/*
-			 * rename(a, b) when b is an existing
-			 * directory ought to result in ISDIR, but
-			 * Solaris 5.8 gives ENOTDIR.  Sheesh.
-			 */
-			if (remove_empty_directories(git_path("logs/%s", newrefname))) {
-				error("Directory not empty: logs/%s", newrefname);
-				goto rollback;
-			}
-			goto retry;
-		} else {
-			error("unable to move logfile "TMP_RENAMED_LOG" to logs/%s: %s",
-				newrefname, strerror(errno));
-			goto rollback;
-		}
-	}
 	logmoved = log;
 
 	lock = lock_ref_sha1_basic(newrefname, NULL, 0, NULL);
-- 
1.8.5.2

[PATCH v2 15/17] rename_tmp_log(): handle a possible mkdir/rmdir race

[Michael Haggerty]

If a directory vanishes while renaming the temporary reflog file,
retry (up to 3 times).  This could happen if another process deletes
the directory created by safe_create_leading_directories() just before
we rename the file into the directory.

As far as I can tell, this race could not occur internal to git.  The
only time that a directory under $GIT_DIR/logs is deleted is if room
has to be made for a log file for a reference with the same name;
for example, in the following sequence:

    git branch foo/bar    # Creates file .git/logs/refs/heads/foo/bar
    git branch -d foo/bar # Deletes file but leaves .git/logs/refs/heads/foo/
    git branch foo        # Deletes .git/logs/refs/heads/foo/

But the only reason the last command deletes the directory is because
it wants to create a file with the same name.  So if another process
(e.g.,

    git branch foo/baz

) wants to create that directory, one of the two is doomed to failure
anyway because of a D/F conflict.

Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
---
 refs.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/refs.c b/refs.c
index 5bc01a7..8de636e 100644
--- a/refs.c
+++ b/refs.c
@@ -2530,12 +2530,14 @@ int delete_ref(const char *refname, const unsigned char *sha1, int delopt)
 
 static int rename_tmp_log(const char *newrefname)
 {
+	int attempts = 3;
+
+ retry:
 	if (safe_create_leading_directories(git_path("logs/%s", newrefname))) {
 		error("unable to create directory for %s", newrefname);
 		return -1;
 	}
 
- retry:
 	if (rename(git_path(TMP_RENAMED_LOG), git_path("logs/%s", newrefname))) {
 		if (errno==EISDIR || errno==ENOTDIR) {
 			/*
@@ -2548,6 +2550,13 @@ static int rename_tmp_log(const char *newrefname)
 				return -1;
 			}
 			goto retry;
+		} else if (errno == ENOENT && --attempts > 0) {
+			/*
+			 * Maybe another process just deleted one of
+			 * the directories in the path to newrefname.
+			 * Try again from the beginning.
+			 */
+			goto retry;
 		} else {
 			error("unable to move logfile "TMP_RENAMED_LOG" to logs/%s: %s",
 				newrefname, strerror(errno));
-- 
1.8.5.2

[PATCH v2 16/17] rename_tmp_log(): limit the number of remote_empty_directories() attempts

[Michael Haggerty]

This doesn't seem to be a likely error, but we've got the counter
anyway, so we might as well use it for an added bit of safety.

Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
---
 refs.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/refs.c b/refs.c
index 8de636e..490525a 100644
--- a/refs.c
+++ b/refs.c
@@ -2530,7 +2530,7 @@ int delete_ref(const char *refname, const unsigned char *sha1, int delopt)
 
 static int rename_tmp_log(const char *newrefname)
 {
-	int attempts = 3;
+	int attempts = 4;
 
  retry:
 	if (safe_create_leading_directories(git_path("logs/%s", newrefname))) {
@@ -2539,7 +2539,7 @@ static int rename_tmp_log(const char *newrefname)
 	}
 
 	if (rename(git_path(TMP_RENAMED_LOG), git_path("logs/%s", newrefname))) {
-		if (errno==EISDIR || errno==ENOTDIR) {
+		if ((errno==EISDIR || errno==ENOTDIR) && --attempts > 0) {
 			/*
 			 * rename(a, b) when b is an existing
 			 * directory ought to result in ISDIR, but
-- 
1.8.5.2

[PATCH v2 17/17] rename_tmp_log(): on SCLD_VANISHED, retry

[Michael Haggerty]

If safe_create_leading_directories() fails because a file along the
path unexpectedly vanished, try again from the beginning.  Try at most
3 times.

Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
---
 refs.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/refs.c b/refs.c
index 490525a..810f802 100644
--- a/refs.c
+++ b/refs.c
@@ -2533,7 +2533,14 @@ static int rename_tmp_log(const char *newrefname)
 	int attempts = 4;
 
  retry:
-	if (safe_create_leading_directories(git_path("logs/%s", newrefname))) {
+	switch (safe_create_leading_directories(git_path("logs/%s", newrefname))) {
+	case SCLD_OK:
+		break; /* success */
+	case SCLD_VANISHED:
+		if (--attempts > 0)
+			goto retry;
+		/* fall through */
+	default:
 		error("unable to create directory for %s", newrefname);
 		return -1;
 	}
-- 
1.8.5.2

Re: [PATCH v2 10/17] lock_ref_sha1_basic(): on SCLD_VANISHED, retry

[Junio C Hamano]

Michael Haggerty <mhagger@alum.mit.edu> writes:

> If safe_create_leading_directories() fails because a file along the
> path unexpectedly vanished, try again (up to 3 times).
>
> This can occur if another process is deleting directories at the same
> time as we are trying to make them.  For example, "git pack-refs
> --all" tries to delete the loose refs and any empty directories that
> are left behind.  If a pack-refs process is running, then it might
> delete a directory that we need to put a new loose reference in.
>
> If safe_create_leading_directories() thinks this might have happened,
> then take its advice and try again (maximum three attempts).
>
> Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
> ---
>  refs.c | 11 ++++++++++-
>  1 file changed, 10 insertions(+), 1 deletion(-)
>
> diff --git a/refs.c b/refs.c
> index 3926136..6eb8a02 100644
> --- a/refs.c
> +++ b/refs.c
> @@ -2039,6 +2039,7 @@ static struct ref_lock *lock_ref_sha1_basic(const char *refname,
>  	int type, lflags;
>  	int mustexist = (old_sha1 && !is_null_sha1(old_sha1));
>  	int missing = 0;
> +	int attempts = 3;
>  
>  	lock = xcalloc(1, sizeof(struct ref_lock));
>  	lock->lock_fd = -1;
> @@ -2093,7 +2094,15 @@ static struct ref_lock *lock_ref_sha1_basic(const char *refname,
>  	if ((flags & REF_NODEREF) && (type & REF_ISSYMREF))
>  		lock->force_write = 1;
>  
> -	if (safe_create_leading_directories(ref_file)) {
> + retry:
> +	switch (safe_create_leading_directories(ref_file)) {
> +	case SCLD_OK:
> +		break; /* success */
> +	case SCLD_VANISHED:
> +		if (--attempts > 0)
> +			goto retry;
> +		/* fall through */

Hmph.

Having no backoff/sleep at all might be OK here as long as the other
side that removes does not retry (and I do not think the other side
would, even though I haven't read through the series to the end yet
;-)).

This may be just a style thing, but I find that the variable name
"attempts" that starts out as 3 quite misleading, as its value is
not "the number of attempts made" but "the remaining number of
attempts allowed."  Starting it from 0 and then

	if (attempts++ < MAX_ATTEMPTS)
		goto retry;

would be one way to clarify it.  Renaming it to remaining_attempts
would be another.

> +	default:
>  		last_errno = errno;
>  		error("unable to create directory for %s", ref_file);
>  		goto error_return;

Re: [PATCH v2 13/17] remove_dir_recurse(): handle disappearing files and directories

[Junio C Hamano]

Michael Haggerty <mhagger@alum.mit.edu> writes:

> If a file or directory that we are trying to remove disappears (e.g.,
> because another process has pruned it), do not consider it an error.
>
> Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
> ---
>  dir.c | 22 ++++++++++++++++------
>  1 file changed, 16 insertions(+), 6 deletions(-)
>
> diff --git a/dir.c b/dir.c
> index 11e1520..716b613 100644
> --- a/dir.c
> +++ b/dir.c
> @@ -1476,7 +1476,9 @@ static int remove_dir_recurse(struct strbuf *path, int flag, int *kept_up)
>  	flag &= ~REMOVE_DIR_KEEP_TOPLEVEL;
>  	dir = opendir(path->buf);
>  	if (!dir) {
> -		if (errno == EACCES && !keep_toplevel)
> +		if (errno == ENOENT)
> +			return keep_toplevel ? -1 : 0;

If we were told that "foo/bar must go, but do not bother removing
foo/", is it an error if foo itself did not exist?  I think this
step does not change the behaviour from the original (we used to say
"oh, we were told to keep_toplevel, and the top-level cannot be read
for whatever reason, so it is an error"), but because this series is
giving us a finer grained error diagnosis, we may want to think
about it further, perhaps as a follow-up.

I also wonder why the keep-toplevel logic is in this "recurse" part
of the callchain. If everything in "foo/bar/" can be removed but
"foo/bar/" is unreadable, it is OK, when opendir("foo/bar") failed
with EACCESS, to attempt to rmdir("foo/bar") whether we were told
not to attempt removing "foo/", no?

> +		else if (errno == EACCES && !keep_toplevel)

That is, I am wondering why this part just checks !keep_toplevel,
not

	(!keep_toplevel || has_dir_separator(path->buf))

or something.

>  			/*
>  			 * An empty dir could be removable even if it
>  			 * is unreadable:
> @@ -1496,13 +1498,21 @@ static int remove_dir_recurse(struct strbuf *path, int flag, int *kept_up)
>  
>  		strbuf_setlen(path, len);
>  		strbuf_addstr(path, e->d_name);
> -		if (lstat(path->buf, &st))
> -			; /* fall thru */
> -		else if (S_ISDIR(st.st_mode)) {
> +		if (lstat(path->buf, &st)) {
> +			if (errno == ENOENT)
> +				/*
> +				 * file disappeared, which is what we
> +				 * wanted anyway
> +				 */
> +				continue;
> +			/* fall thru */
> +		} else if (S_ISDIR(st.st_mode)) {
>  			if (!remove_dir_recurse(path, flag, &kept_down))
>  				continue; /* happy */
> -		} else if (!only_empty && !unlink(path->buf))
> +		} else if (!only_empty &&
> +			   (!unlink(path->buf) || errno == ENOENT)) {
>  			continue; /* happy, too */
> +		}
>  
>  		/* path too long, stat fails, or non-directory still exists */
>  		ret = -1;
> @@ -1512,7 +1522,7 @@ static int remove_dir_recurse(struct strbuf *path, int flag, int *kept_up)
>  
>  	strbuf_setlen(path, original_len);
>  	if (!ret && !keep_toplevel && !kept_down)
> -		ret = rmdir(path->buf);
> +		ret = (!rmdir(path->buf) || errno == ENOENT) ? 0 : -1;
>  	else if (kept_up)
>  		/*
>  		 * report the uplevel that it is not an error that we

Re: [PATCH v2 17/17] rename_tmp_log(): on SCLD_VANISHED, retry

[Junio C Hamano]

Michael Haggerty <mhagger@alum.mit.edu> writes:

> If safe_create_leading_directories() fails because a file along the
> path unexpectedly vanished, try again from the beginning.  Try at most
> 3 times.

As the previous step bumped it from 3 to 4 without explanation, the
above no longer reflects reality ;-)

The series mostly looked sane from a cursory read.

Will re-queue.  Thanks.


>
> Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
> ---
>  refs.c | 9 ++++++++-
>  1 file changed, 8 insertions(+), 1 deletion(-)
>
> diff --git a/refs.c b/refs.c
> index 490525a..810f802 100644
> --- a/refs.c
> +++ b/refs.c
> @@ -2533,7 +2533,14 @@ static int rename_tmp_log(const char *newrefname)
>  	int attempts = 4;
>  
>   retry:
> -	if (safe_create_leading_directories(git_path("logs/%s", newrefname))) {
> +	switch (safe_create_leading_directories(git_path("logs/%s", newrefname))) {
> +	case SCLD_OK:
> +		break; /* success */
> +	case SCLD_VANISHED:
> +		if (--attempts > 0)
> +			goto retry;
> +		/* fall through */
> +	default:
>  		error("unable to create directory for %s", newrefname);
>  		return -1;
>  	}

Re: [PATCH v2 03/17] safe_create_leading_directories(): add explicit "slash" pointer

[Junio C Hamano]

Michael Haggerty <mhagger@alum.mit.edu> writes:

> Keep track of the position of the slash character independently of
> "pos", thereby making the purpose of each variable clearer and
> working towards other upcoming changes.
>
> Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
> ---

This step has an interaction with $gmane/239878 where Windows folks
want it to pay attention to is_dir_sep()---over there, a backslash
could separate directory path components.

AFAIK, the function was meant to be used only on paths we internally
generate, and the paths we internally generate all are slash
separated, so it could be argued that feeding a path, whose path
components are separated by backslashes, that we obtained from the
end user without converting it to the internal form in some
codepaths (e.g. "$there" in "git clone $url $there") are bugs we
acquired over time that need to be fixed, but it is easy enough to
use is_dir_sep() here to work it around, and doing so will
not negatively affect

 1. UNIX-only projects by forbidding use of a byte with backslash in
    it as a path component character (yes, I am imagining using
    Shift-JIS that can use a backslash as the second byte of
    two-byte character in the pathname on UNIX); and

 2. UNIX-and-Windows mixed projects, as you cannot sanely use such a
    pathname with backslash as part of a path component if its tree
    needs to be checked out on Windows.


>  sha1_file.c | 20 +++++++++++---------
>  1 file changed, 11 insertions(+), 9 deletions(-)
>
> diff --git a/sha1_file.c b/sha1_file.c
> index cc9957e..197766d 100644
> --- a/sha1_file.c
> +++ b/sha1_file.c
> @@ -111,19 +111,21 @@ int safe_create_leading_directories(char *path)
>  
>  	while (pos) {
>  		struct stat st;
> +		char *slash = strchr(pos, '/');
>  
> -		pos = strchr(pos, '/');
> -		if (!pos)
> +		if (!slash)
>  			break;
> -		while (*++pos == '/')
> -			;
> +		while (*(slash + 1) == '/')
> +			slash++;
> +		pos = slash + 1;
>  		if (!*pos)
>  			break;
> -		*--pos = '\0';
> +
> +		*slash = '\0';
>  		if (!stat(path, &st)) {
>  			/* path exists */
>  			if (!S_ISDIR(st.st_mode)) {
> -				*pos = '/';
> +				*slash = '/';
>  				return -3;
>  			}
>  		} else if (mkdir(path, 0777)) {
> @@ -131,14 +133,14 @@ int safe_create_leading_directories(char *path)
>  			    !stat(path, &st) && S_ISDIR(st.st_mode)) {
>  				; /* somebody created it since we checked */
>  			} else {
> -				*pos = '/';
> +				*slash = '/';
>  				return -1;
>  			}
>  		} else if (adjust_shared_perm(path)) {
> -			*pos = '/';
> +			*slash = '/';
>  			return -2;
>  		}
> -		*pos++ = '/';
> +		*slash = '/';
>  	}
>  	return 0;
>  }

Re: [PATCH v2 03/17] safe_create_leading_directories(): add explicit "slash" pointer

[Michael Haggerty]

On 01/06/2014 07:32 PM, Junio C Hamano wrote:
> Michael Haggerty <mhagger@alum.mit.edu> writes:
> 
>> Keep track of the position of the slash character independently of
>> "pos", thereby making the purpose of each variable clearer and
>> working towards other upcoming changes.
>>
>> Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
>> ---
> 
> This step has an interaction with $gmane/239878 where Windows folks
> want it to pay attention to is_dir_sep()---over there, a backslash
> could separate directory path components.
> 
> AFAIK, the function was meant to be used only on paths we internally
> generate, and the paths we internally generate all are slash
> separated, so it could be argued that feeding a path, whose path
> components are separated by backslashes, that we obtained from the
> end user without converting it to the internal form in some
> codepaths (e.g. "$there" in "git clone $url $there") are bugs we
> acquired over time that need to be fixed, but it is easy enough to
> use is_dir_sep() here to work it around, and doing so will
> not negatively affect
> 
>  1. UNIX-only projects by forbidding use of a byte with backslash in
>     it as a path component character (yes, I am imagining using
>     Shift-JIS that can use a backslash as the second byte of
>     two-byte character in the pathname on UNIX); and
> 
>  2. UNIX-and-Windows mixed projects, as you cannot sanely use such a
>     pathname with backslash as part of a path component if its tree
>     needs to be checked out on Windows.

I agree that it would be reasonable to use is_dir_sep() in the
implementation of this function, at least unless/until somebody does the
work to figure out whether callers should really only be passing it
forward-slash-normalized paths.

Please be careful, though, because I don't think this function is
capable of handling arbitrary Windows paths, like for example
//host/path format, either before or after my change.

Let me know if you would like me to merge or rebase the is_dir_sep()
changes into this patch series.

Michael

-- 
Michael Haggerty
mhagger@alum.mit.edu
http://softwareswirl.blogspot.com/

Re: [PATCH v2 13/17] remove_dir_recurse(): handle disappearing files and directories

[Michael Haggerty]

On 01/06/2014 07:18 PM, Junio C Hamano wrote:
> Michael Haggerty <mhagger@alum.mit.edu> writes:
> 
>> If a file or directory that we are trying to remove disappears (e.g.,
>> because another process has pruned it), do not consider it an error.
>>
>> Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
>> ---
>>  dir.c | 22 ++++++++++++++++------
>>  1 file changed, 16 insertions(+), 6 deletions(-)
>>
>> diff --git a/dir.c b/dir.c
>> index 11e1520..716b613 100644
>> --- a/dir.c
>> +++ b/dir.c
>> @@ -1476,7 +1476,9 @@ static int remove_dir_recurse(struct strbuf *path, int flag, int *kept_up)
>>  	flag &= ~REMOVE_DIR_KEEP_TOPLEVEL;
>>  	dir = opendir(path->buf);
>>  	if (!dir) {
>> -		if (errno == EACCES && !keep_toplevel)
>> +		if (errno == ENOENT)
>> +			return keep_toplevel ? -1 : 0;
> 
> If we were told that "foo/bar must go, but do not bother removing
> foo/", is it an error if foo itself did not exist?  I think this
> step does not change the behaviour from the original (we used to say
> "oh, we were told to keep_toplevel, and the top-level cannot be read
> for whatever reason, so it is an error"), but because this series is
> giving us a finer grained error diagnosis, we may want to think
> about it further, perhaps as a follow-up.

Indeed, this is a design choice that I should have explained.  I
implemented it this way to keep the behavior the same as the old code in
this situation, and because I thought that if the caller explicitly asks
for the toplevel path to be kept, and that path doesn't even exist at
the entrance to the function, then something is screwy and it is better
to return an error than to keep going.

It would even be possible to argue that if keep_toplevel is set but path
is missing, then this function should call
safe_create_leading_directories(path).

Changing this behavior would require an audit to see which behavior
would be most useful to the callers.  I think that is out of the scope
of this patch series.

> I also wonder why the keep-toplevel logic is in this "recurse" part
> of the callchain. If everything in "foo/bar/" can be removed but
> "foo/bar/" is unreadable, it is OK, when opendir("foo/bar") failed
> with EACCESS, to attempt to rmdir("foo/bar") whether we were told
> not to attempt removing "foo/", no?
> 
>> +		else if (errno == EACCES && !keep_toplevel)
> 
> That is, I am wondering why this part just checks !keep_toplevel,
> not
> 
> 	(!keep_toplevel || has_dir_separator(path->buf))
> 
> or something.

I'm not sure I understand your point.  Please note that the
REMOVE_DIR_KEEP_TOPLEVEL bit is cleared from flags before this function
recurses.  So in recursive invocations, keep_toplevel will always be
false, and the rmdir(path->buf) codepath will be permitted.  Does that
answer your question?

Michael

-- 
Michael Haggerty
mhagger@alum.mit.edu
http://softwareswirl.blogspot.com/

Re: [PATCH v2 10/17] lock_ref_sha1_basic(): on SCLD_VANISHED, retry

[Michael Haggerty]

On 01/06/2014 06:54 PM, Junio C Hamano wrote:
> Michael Haggerty <mhagger@alum.mit.edu> writes:
> 
>> If safe_create_leading_directories() fails because a file along the
>> path unexpectedly vanished, try again (up to 3 times).
>>
>> This can occur if another process is deleting directories at the same
>> time as we are trying to make them.  For example, "git pack-refs
>> --all" tries to delete the loose refs and any empty directories that
>> are left behind.  If a pack-refs process is running, then it might
>> delete a directory that we need to put a new loose reference in.
>>
>> If safe_create_leading_directories() thinks this might have happened,
>> then take its advice and try again (maximum three attempts).
>>
>> Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
>> ---
>>  refs.c | 11 ++++++++++-
>>  1 file changed, 10 insertions(+), 1 deletion(-)
>>
>> diff --git a/refs.c b/refs.c
>> index 3926136..6eb8a02 100644
>> --- a/refs.c
>> +++ b/refs.c
>> @@ -2039,6 +2039,7 @@ static struct ref_lock *lock_ref_sha1_basic(const char *refname,
>>  	int type, lflags;
>>  	int mustexist = (old_sha1 && !is_null_sha1(old_sha1));
>>  	int missing = 0;
>> +	int attempts = 3;
>>  
>>  	lock = xcalloc(1, sizeof(struct ref_lock));
>>  	lock->lock_fd = -1;
>> @@ -2093,7 +2094,15 @@ static struct ref_lock *lock_ref_sha1_basic(const char *refname,
>>  	if ((flags & REF_NODEREF) && (type & REF_ISSYMREF))
>>  		lock->force_write = 1;
>>  
>> -	if (safe_create_leading_directories(ref_file)) {
>> + retry:
>> +	switch (safe_create_leading_directories(ref_file)) {
>> +	case SCLD_OK:
>> +		break; /* success */
>> +	case SCLD_VANISHED:
>> +		if (--attempts > 0)
>> +			goto retry;
>> +		/* fall through */
> 
> Hmph.
> 
> Having no backoff/sleep at all might be OK here as long as the other
> side that removes does not retry (and I do not think the other side
> would, even though I haven't read through the series to the end yet
> ;-)).

remove_dir_recurse() only tries deleting directories once (I haven't
changed that).  And from a broader perspective, it would be pretty silly
for any tidy-up-directories function to try deleting things more than
once.  So I don't think it is a problem.  But even in the worst case,
this function only tries three times before giving up, so it shouldn't
be a disaster.

> This may be just a style thing, but I find that the variable name
> "attempts" that starts out as 3 quite misleading, as its value is
> not "the number of attempts made" but "the remaining number of
> attempts allowed."  Starting it from 0 and then
> 
> 	if (attempts++ < MAX_ATTEMPTS)
> 		goto retry;
> 
> would be one way to clarify it.  Renaming it to remaining_attempts
> would be another.

I just renamed the variable to attempts_remaining.  (I thought I was
following your suggestion, but now I see that I put the words in the
opposite order; oh well, I think it's fine either way.)

Thanks for your review!  I will wait a day or so for any additional
comments, and then send a v3.

Michael

-- 
Michael Haggerty
mhagger@alum.mit.edu
http://softwareswirl.blogspot.com/

Re: [PATCH v2 17/17] rename_tmp_log(): on SCLD_VANISHED, retry

[Michael Haggerty]

On 01/06/2014 07:21 PM, Junio C Hamano wrote:
> Michael Haggerty <mhagger@alum.mit.edu> writes:
> 
>> If safe_create_leading_directories() fails because a file along the
>> path unexpectedly vanished, try again from the beginning.  Try at most
>> 3 times.
> 
> As the previous step bumped it from 3 to 4 without explanation, the
> above no longer reflects reality ;-)

Good catch.  The increment 3 -> 4 was because the first call to rename()
is optimistic, and can fail once even if there is no race.  I will
change the commit message of 16/17 to explain this point, and of 17/17
to match reality.

> The series mostly looked sane from a cursory read.
> 
> Will re-queue.  Thanks.

Michael

-- 
Michael Haggerty
mhagger@alum.mit.edu
http://softwareswirl.blogspot.com/

Re: [PATCH v2 13/17] remove_dir_recurse(): handle disappearing files and directories

[Junio C Hamano]

Michael Haggerty <mhagger@alum.mit.edu> writes:

> I'm not sure I understand your point.  Please note that the
> REMOVE_DIR_KEEP_TOPLEVEL bit is cleared from flags before this function
> recurses.  So in recursive invocations, keep_toplevel will always be
> false, and the rmdir(path->buf) codepath will be permitted.  Does that
> answer your question?

Yes; thanks.

Re: [PATCH v2 03/17] safe_create_leading_directories(): add explicit "slash" pointer

[Junio C Hamano]

Michael Haggerty <mhagger@alum.mit.edu> writes:

> I agree that it would be reasonable to use is_dir_sep() in the
> implementation of this function, at least unless/until somebody does the
> work to figure out whether callers should really only be passing it
> forward-slash-normalized paths.
>
> Please be careful, though, because I don't think this function is
> capable of handling arbitrary Windows paths, like for example
> //host/path format, either before or after my change.
>
> Let me know if you would like me to merge or rebase the is_dir_sep()
> changes into this patch series.

I'd want SSchuberth and windows folks to be at least aware of this
series and preferrably see that they offer inputs to this series,
making their is_dir_sep() change just one step in this series.  That
way I have one less series to worry about ;-)

Thanks.

Re: [PATCH v2 03/17] safe_create_leading_directories(): add explicit "slash" pointer

[Sebastian Schuberth]

On Tue, Jan 7, 2014 at 6:41 PM, Junio C Hamano <gitster@pobox.com> wrote:

>> Let me know if you would like me to merge or rebase the is_dir_sep()
>> changes into this patch series.
>
> I'd want SSchuberth and windows folks to be at least aware of this
> series and preferrably see that they offer inputs to this series,
> making their is_dir_sep() change just one step in this series.  That
> way I have one less series to worry about ;-)

Thanks Junio for pointing out Michael's series to me and resolving the
initial merge conflict. However, as written in my reply to Michael's
mail of today, I'd prefer to take Michael's patch that applies cleanly
on top of v3 of his mh/safe-create-leading-directories instead of your
merge conflict resolution.

-- 
Sebastian Schuberth