Re: [PATCH v2 3/3] read_loose_refs(): treat NULL_SHA1 loose references as broken

[Michael Haggerty <mhagger@alum.mit.edu>]

On 06/02/2015 07:28 PM, Stefan Beller wrote:
> On Tue, Jun 2, 2015 at 8:57 AM, Michael Haggerty <mhagger@alum.mit.edu> wrote:
>> NULL_SHA1 is never a valid value for a reference. If a loose reference
>> has that value, mark it as broken.
>>
>> Why check NULL_SHA1 and not the nearly 2^160 other SHA-1s that are
>> also invalid in a given repository? Because (a) it is cheap to test
>> for NULL_SHA1, and (b) NULL_SHA1 is often used as a "SHA-1 is invalid"
> 
> I don't quite agree with the reasoning here. Just because it's cheap doesn't
> mean it's right. ;) But I fully agree with (b) so this still makes sense.

Its cheapness improves the cost/benefit ratio of adding this check.

>> value inside of Git client source code (not only ours!), and
>> accidentally writing it to a loose reference file would be an easy
>> mistake to make.
>>
>> Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
>> ---
>>  refs.c                         | 7 +++++++
>>  t/t6301-for-each-ref-errors.sh | 2 +-
>>  2 files changed, 8 insertions(+), 1 deletion(-)
>>
>> diff --git a/refs.c b/refs.c
>> index 47e4e53..c28fde1 100644
>> --- a/refs.c
>> +++ b/refs.c
>> @@ -1321,6 +1321,13 @@ static void read_loose_refs(const char *dirname, struct ref_dir *dir)
>>                                 hashclr(sha1);
>>                                 flag |= REF_ISBROKEN;
>>                         }
>> +
>> +                       if (!(flag & REF_ISBROKEN) && is_null_sha1(sha1)) {
> 
> Why do we do the extra check for !(flag & REF_ISBROKEN) here?

That was an attempt to avoid calling is_null_sha1() unnecessarily. I
think I can make this go away and make the code clearer in general by
restructuring the logic a little bit. I will do that in the next round.

>> +                               /* NULL_SHA1 is never a valid reference value. ...
> 
> ... *by our definition*, because we believe it helps detecting
> errors/mistakes in the future.

It's not even by our definition. It is just astronomically more likely
that NULL_SHA1 got set there due to an error than that it is the SHA-1
of legitimate content. In fact it is so unlikely that we use NULL_SHA1
throughout our code to indicate "invalid SHA-1", ignoring the
theoretical possibility that it could appear some day as a real SHA-1.

I'll try to explain this point better in the comment.

> */
>> +                               hashclr(sha1);
> 
> While this code looks consistent to the rest around, at closer inspection
> this feels a bit redundant to me. If is_null_sha1(sha1) is true, then
> hashclr(sha1); doesn't change the state. Or did I miss a subtle side effect?

You're right, there is no reason to call hashclr() here.

>> +                               flag |= REF_ISBROKEN;
>> +                       }
>> +
>> [...]

Thanks for your review!

Michael

-- 
Michael Haggerty
mhagger@alum.mit.edu