From: Michael Haggerty <mhagger@alum.mit.edu>
To: Johannes Sixt <j.sixt@viscovery.net>
Cc: "Junio C Hamano" <gitster@pobox.com>,
git@vger.kernel.org, "Jeff King" <peff@peff.net>,
"Torsten Bögershausen" <tboegi@web.de>,
"Eric Sunshine" <sunshine@sunshineco.com>
Subject: Re: [PATCH v2 18/25] lockfile: avoid transitory invalid states
Date: Mon, 07 Apr 2014 13:13:10 +0200 [thread overview]
Message-ID: <53428846.7060104@alum.mit.edu> (raw)
In-Reply-To: <534242AC.7030908@viscovery.net>
On 04/07/2014 08:16 AM, Johannes Sixt wrote:
> Am 4/7/2014 1:34, schrieb Michael Haggerty:
>> Because remove_lock_file() can be called any time by the signal
>> handler, it is important that any lock_file objects that are in the
>> lock_file_list are always in a valid state. And since lock_file
>> objects are often reused (but are never removed from lock_file_list),
>> that means we have to be careful whenever mutating a lock_file object
>> to always keep it in a well-defined state.
>> ...
>> So, instead of encoding part of the lock_file state in the filename
>> field, add a new bit "LOCK_FLAGS_LOCKFILE_ACTIVE" to flags, and use
>> this bit to distinguish between a lock_file object that is active
>> vs. one that is inactive. Be careful to set this bit only when
>> filename really contains the name of a file that should be deleted on
>> cleanup.
>
> Since this flag is primarily for communication between the main code and a
> signal handler, the only safe way is to define the flag as volatile
> sig_atomic_t, not to make it a bit of a larger type!
Thanks for the feedback. You are obviously right, and I will fix it.
But I have a feeling that this line of thought is going to lead to the
signal handler's not being able to do anything. How far can we afford
to pursue strict correctness? We have
struct lock_file {
struct lock_file *next;
int fd;
pid_t owner;
char on_list;
char filename[PATH_MAX];
};
static struct lock_file *lock_file_list;
The signal handler currently reads
lock_file_list
lock_file::next
lock_file::fd
lock_file::owner
lock_file::filename
*lock_file::filename
and writes lock_file_list. Among other things it calls close(),
unlink(), vsnprintf(), and fprintf() (the last two via warning()).
But most of these actions are undefined under the C99 standard:
> If the signal occurs other than as the result of calling the abort
> or raise function, the behavior is undefined if the signal handler
> refers to any object with static storage duration other than by
> assigning a value to an object declared as volatile sig_atomic_t, or
> the signal handler calls any function in the standard library other
> than the abort function, the _Exit function, or the signal function
> with the first argument equal to the signal number corresponding to
> the signal that caused the invocation of the handler.
I don't have time to rewrite *all* of Git right now, so how can we get
reasonable safety and portability within a feasible amount of work?
Michael
--
Michael Haggerty
mhagger@alum.mit.edu
http://softwareswirl.blogspot.com/
next prev parent reply other threads:[~2014-04-07 11:13 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-04-06 23:33 [PATCH v2 00/25] Lockfile correctness and refactoring Michael Haggerty
2014-04-06 23:33 ` [PATCH v2 01/25] api-lockfile: expand the documentation Michael Haggerty
2014-04-07 18:46 ` Jeff King
2014-04-06 23:33 ` [PATCH v2 02/25] unable_to_lock_die(): rename function from unable_to_lock_index_die() Michael Haggerty
2014-04-07 18:47 ` Jeff King
2014-04-08 14:04 ` Michael Haggerty
2014-04-06 23:33 ` [PATCH v2 03/25] rollback_lock_file(): do not clear filename redundantly Michael Haggerty
2014-04-06 23:33 ` [PATCH v2 04/25] rollback_lock_file(): set fd to -1 Michael Haggerty
2014-04-06 23:33 ` [PATCH v2 05/25] lockfile: unlock file if lockfile permissions cannot be adjusted Michael Haggerty
2014-04-06 23:33 ` [PATCH v2 06/25] hold_lock_file_for_append(): release lock on errors Michael Haggerty
2014-04-06 23:33 ` [PATCH v2 07/25] lock_file(): always add lock_file object to lock_file_list Michael Haggerty
2014-04-06 23:33 ` [PATCH v2 08/25] struct lock_file: replace on_list field with flags field Michael Haggerty
2014-04-06 23:33 ` [PATCH v2 09/25] lockfile.c: document the various states of lock_file objects Michael Haggerty
2014-04-06 23:33 ` [PATCH v2 10/25] lockfile: define a constant LOCK_SUFFIX_LEN Michael Haggerty
2014-04-06 23:33 ` [PATCH v2 11/25] delete_ref_loose(): don't muck around in the lock_file's filename Michael Haggerty
2014-04-06 23:33 ` [PATCH v2 12/25] prepare_index(): declare return value to be (const char *) Michael Haggerty
2014-04-06 23:33 ` [PATCH v2 13/25] write_packed_entry_fn(): convert cb_data into a (const int *) Michael Haggerty
2014-04-06 23:33 ` [PATCH v2 14/25] lock_file(): exit early if lockfile cannot be opened Michael Haggerty
2014-04-06 23:33 ` [PATCH v2 15/25] remove_lock_file(): call rollback_lock_file() Michael Haggerty
2014-04-06 23:33 ` [PATCH v2 16/25] commit_lock_file(): inline temporary variable Michael Haggerty
2014-04-06 23:33 ` [PATCH v2 17/25] commit_lock_file(): make committing an unlocked lockfile a NOP Michael Haggerty
2014-04-07 19:31 ` Jeff King
2014-04-14 8:21 ` Michael Haggerty
2014-04-06 23:34 ` [PATCH v2 18/25] lockfile: avoid transitory invalid states Michael Haggerty
2014-04-07 6:16 ` Johannes Sixt
2014-04-07 11:13 ` Michael Haggerty [this message]
2014-04-07 12:12 ` Johannes Sixt
2014-04-07 13:12 ` Michael Haggerty
2014-04-07 19:38 ` Jeff King
2014-04-06 23:34 ` [PATCH v2 19/25] try_merge_strategy(): remove redundant lock_file allocation Michael Haggerty
2014-04-06 23:34 ` [PATCH v2 20/25] try_merge_strategy(): use a statically-allocated lock_file object Michael Haggerty
2014-04-06 23:34 ` [PATCH v2 21/25] commit_lock_file(): use a strbuf to manage temporary space Michael Haggerty
2014-04-06 23:34 ` [PATCH v2 22/25] Change lock_file::filename into a strbuf Michael Haggerty
2014-04-06 23:34 ` [PATCH v2 23/25] resolve_symlink(): use a strbuf for internal scratch space Michael Haggerty
2014-04-06 23:34 ` [PATCH v2 24/25] resolve_symlink(): take a strbuf parameter Michael Haggerty
2014-04-06 23:34 ` [PATCH v2 25/25] trim_last_path_elm(): replace last_path_elm() Michael Haggerty
2014-04-07 19:40 ` [PATCH v2 00/25] Lockfile correctness and refactoring Jeff King
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=53428846.7060104@alum.mit.edu \
--to=mhagger@alum.mit.edu \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=j.sixt@viscovery.net \
--cc=peff@peff.net \
--cc=sunshine@sunshineco.com \
--cc=tboegi@web.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).