[PATCH] Fix mkpath abuse in dwim_ref/sha1_name.c

[PATCH] Fix mkpath abuse in dwim_ref/sha1_name.c

[Alex Riesen]

[-- Attachment #1: Type: text/plain, Size: 445 bytes --]

Otherwise the function sometimes fail to resolve obviously correct refnames,
because the string data pointed to by "ref" argument were reused.

Signed-off-by: Alex Riesen <raa.lkml@gmail.com>
---
 sha1_name.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

Frankly, I'm having hard time trying to justify _any_ use of mkpath.
It is a bug waiting to happen every time is any code between the
call site and assignment but strdup.

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: 0001-Fix-mkpath-abuse-in-sha1_name.c.patch --]
[-- Type: text/x-patch; name=0001-Fix-mkpath-abuse-in-sha1_name.c.patch, Size: 1529 bytes --]

From 052e137d4ad8687d78bb2570390ed4f6b19f7cba Mon Sep 17 00:00:00 2001
From: Alex Riesen <raa.lkml@gmail.com>
Date: Tue, 14 Oct 2008 18:14:20 +0200
Subject: [PATCH] Fix mkpath abuse in sha1_name.c

Otherwise the function sometimes fail to resolve obviously correct refnames,
because the string data pointed to by "ref" argument were reused.

Signed-off-by: Alex Riesen <raa.lkml@gmail.com>
---
 sha1_name.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/sha1_name.c b/sha1_name.c
index 41b6809..b5b53bf 100644
--- a/sha1_name.c
+++ b/sha1_name.c
@@ -242,6 +242,7 @@ int dwim_ref(const char *str, int len, unsigned char *sha1, char **ref)
 {
 	const char **p, *r;
 	int refs_found = 0;
+	char fullref[PATH_MAX];
 
 	*ref = NULL;
 	for (p = ref_rev_parse_rules; *p; p++) {
@@ -249,7 +250,8 @@ int dwim_ref(const char *str, int len, unsigned char *sha1, char **ref)
 		unsigned char *this_result;
 
 		this_result = refs_found ? sha1_from_ref : sha1;
-		r = resolve_ref(mkpath(*p, len, str), this_result, 1, NULL);
+		snprintf(fullref, sizeof(fullref), *p, len, str);
+		r = resolve_ref(fullref, this_result, 1, NULL);
 		if (r) {
 			if (!refs_found++)
 				*ref = xstrdup(r);
@@ -272,7 +274,7 @@ int dwim_log(const char *str, int len, unsigned char *sha1, char **log)
 		char path[PATH_MAX];
 		const char *ref, *it;
 
-		strcpy(path, mkpath(*p, len, str));
+		snprintf(path, sizeof(path), *p, len, str);
 		ref = resolve_ref(path, hash, 1, NULL);
 		if (!ref)
 			continue;
-- 
1.6.0.2.494.gb25da

Re: [PATCH] Fix mkpath abuse in dwim_ref/sha1_name.c

[Junio C Hamano]

"Alex Riesen" <raa.lkml@gmail.com> writes:

> From: Alex Riesen <raa.lkml@gmail.com>
> Date: Tue, 14 Oct 2008 18:14:20 +0200
> Subject: [PATCH] Fix mkpath abuse in sha1_name.c
>
> Otherwise the function sometimes fail to resolve obviously correct refnames,
> because the string data pointed to by "ref" argument were reused.
>
> Signed-off-by: Alex Riesen <raa.lkml@gmail.com>

The get_pathname() interface has been handy but it indeed is a bug waiting
to happen, and we have fixed occasional breakages by fixing the earlier
callers to stash the returned value away to keep it from getting
overwritten.  I.e. when we have:

	str1 = function_that_uses_get_pathname();
        ...
        str2 = another_function_that_uses_get_pathname();
        some_processing(str1, str2);

and we have too many other calls to functions that use get_pathname() in
the ... section, str1 will become invalid when we try to feed it to
some_processing().  So far our strategy to fix this kind of breakages has
been to rewrite the above to:

	str1 = xstrdup(function_that_uses_get_pathname());
        ...
        str2 = another_function_that_uses_get_pathname();
        some_processing(str1, str2);
	free(str1);

But your patch instead rewrites the computation of str2 by bypassing the
call to "another_function_that_uses_get_pathname()" and duplicating its
logic, which I do not think is a viable approach in the longer term.

> diff --git a/sha1_name.c b/sha1_name.c
> index 41b6809..b5b53bf 100644
> --- a/sha1_name.c
> +++ b/sha1_name.c
> @@ -242,6 +242,7 @@ int dwim_ref(const char *str, int len, unsigned char *sha1, char **ref)
>  {
>  	const char **p, *r;
>  	int refs_found = 0;
> +	char fullref[PATH_MAX];
>  
>  	*ref = NULL;
>  	for (p = ref_rev_parse_rules; *p; p++) {
> @@ -249,7 +250,8 @@ int dwim_ref(const char *str, int len, unsigned char *sha1, char **ref)
>  		unsigned char *this_result;
>  
>  		this_result = refs_found ? sha1_from_ref : sha1;
> -		r = resolve_ref(mkpath(*p, len, str), this_result, 1, NULL);
> +		snprintf(fullref, sizeof(fullref), *p, len, str);
> +		r = resolve_ref(fullref, this_result, 1, NULL);
>  		if (r) {
>  			if (!refs_found++)
>  				*ref = xstrdup(r);

I suspect that I am grossly misleading the code, but I wonder why this xstrdup()
is not protecting us from the reusing of "the string data pointed to by
"ref" argument".  Are you fixing the overwriting of the string pointed to
by "str" argument instead?

What specific call chain has this breakage you found?

Re: [PATCH] Fix mkpath abuse in dwim_ref/sha1_name.c

[Alex Riesen]

Junio C Hamano, Wed, Oct 15, 2008 01:17:52 +0200:
> "Alex Riesen" <raa.lkml@gmail.com> writes:
> >
> > Otherwise the function sometimes fail to resolve obviously correct refnames,
> > because the string data pointed to by "ref" argument were reused.
> >
> But your patch instead rewrites the computation of str2 by bypassing the
> call to "another_function_that_uses_get_pathname()" and duplicating its
> logic, which I do not think is a viable approach in the longer term.

There is not enough logic to bypass there. It's just a dumb sprintf!
I actually saved a useless call (two, if automatic inlining
optimization doesn't work).

> > diff --git a/sha1_name.c b/sha1_name.c
> > index 41b6809..b5b53bf 100644
> > --- a/sha1_name.c
> > +++ b/sha1_name.c
> > @@ -242,6 +242,7 @@ int dwim_ref(const char *str, int len, unsigned char *sha1, char **ref)
> >  {
> >  	const char **p, *r;
> >  	int refs_found = 0;
> > +	char fullref[PATH_MAX];
> >  
> >  	*ref = NULL;
> >  	for (p = ref_rev_parse_rules; *p; p++) {
> > @@ -249,7 +250,8 @@ int dwim_ref(const char *str, int len, unsigned char *sha1, char **ref)
> >  		unsigned char *this_result;
> >  
> >  		this_result = refs_found ? sha1_from_ref : sha1;
> > -		r = resolve_ref(mkpath(*p, len, str), this_result, 1, NULL);
> > +		snprintf(fullref, sizeof(fullref), *p, len, str);
> > +		r = resolve_ref(fullref, this_result, 1, NULL);
> >  		if (r) {
> >  			if (!refs_found++)
> >  				*ref = xstrdup(r);
> 
> I suspect that I am grossly misleading the code, but I wonder why this xstrdup()
> is not protecting us from the reusing of "the string data pointed to by
> "ref" argument".  Are you fixing the overwriting of the string pointed to
> by "str" argument instead?

Yes, I mistyped. xstrdup's called after the breakage happened.

> What specific call chain has this breakage you found?

That's up to this function from builtin_rev_parse and resolve_ref
we're about to call.

Re: [PATCH] Fix mkpath abuse in dwim_ref/sha1_name.c

[Junio C Hamano]

Alex Riesen <raa.lkml@gmail.com> writes:

> Junio C Hamano, Wed, Oct 15, 2008 01:17:52 +0200:
>> "Alex Riesen" <raa.lkml@gmail.com> writes:
>> >
>> > Otherwise the function sometimes fail to resolve obviously correct refnames,
>> > because the string data pointed to by "ref" argument were reused.
>> >
>> But your patch instead rewrites the computation of str2 by bypassing the
>> call to "another_function_that_uses_get_pathname()" and duplicating its
>> logic, which I do not think is a viable approach in the longer term.
>
> There is not enough logic to bypass there. It's just a dumb sprintf!

But didn't you lose call to cleanup_path()?

Re: [PATCH] Fix mkpath abuse in dwim_ref/sha1_name.c

[Alex Riesen]

2008/10/15 Junio C Hamano <gitster@pobox.com>:
> Alex Riesen <raa.lkml@gmail.com> writes:
>
>> Junio C Hamano, Wed, Oct 15, 2008 01:17:52 +0200:
>>> "Alex Riesen" <raa.lkml@gmail.com> writes:
>>> >
>>> > Otherwise the function sometimes fail to resolve obviously correct refnames,
>>> > because the string data pointed to by "ref" argument were reused.
>>> >
>>> But your patch instead rewrites the computation of str2 by bypassing the
>>> call to "another_function_that_uses_get_pathname()" and duplicating its
>>> logic, which I do not think is a viable approach in the longer term.
>>
>> There is not enough logic to bypass there. It's just a dumb sprintf!
>
> But didn't you lose call to cleanup_path()?
>

In this case?