Re: [PATCH 2/2] compat/mingw: fix EACCESS when opening files with `O_CREAT | O_EXCL`

[Patrick Steinhardt <ps@pks.im>]

On Sun, Mar 16, 2025 at 01:01:25AM +0100, Johannes Schindelin wrote:
> On Thu, 13 Mar 2025, Patrick Steinhardt wrote:
> > In our CI systems we can observe that t0610 fails rather frequently.
> > This testcase races a bunch of git-update-ref(1) processes with one
> > another which are all trying to update a unique reference, where we
> > expect that all processes succeed and end up updating the reftable
> > stack. The error message in this case looks like the following:
> >
> >     fatal: update_ref failed for ref 'refs/heads/branch-88': reftable: transaction prepare: I/O error
> 
> I saw this error plenty of times and was wondering whether there would be
> a way to get more useful information in the error message.
> 
> After all, I/O errors come in all shapes and forms, and telling the user
> that _something_ was wrong but forcing them to recreate the issue in a GDB
> session is an excellent recipe to cause frustration.
> 
> So I'd like to suggest to improve the user experience substantially by
> augmenting the rather generic `I/O error` with details as to what
> operation failed, with what exact error, on what file.

Agreed, the error handling isn't great. The very least we should be
doing is to print `errno`, but even that I consider to be suboptimal.
Ideally we'd have structured error handling that allows us to return
richer errors to the caller, but that is a much bigger undertaking.

[snip]
> > Fix the issue by translating the error to `EEXIST`. This makes the
> > lockfile subsystem handle the error correctly: in case a timeout is set
> > it will now retry acquiring the lockfile until the timeout has expired.
> >
> > With this, t0610 is now always passing on my machine whereas it was
> > previously failing in around 20-30% of all test runs.
> 
> It is good that you fixed this issue!
> 
> However, `ERROR_ACCESS_DENIED` most often means one of two things:
> 
> - The file in question exists but is opened exclusively by another process
>   (which might be Defender, the anti-malware scanner), or
> 
> - The current user lacks the permission to create this particular file,
>   i.e. it is really what `EACCES` would mean on Linux.
> 
> While the first condition clearly can be interpreted as "file exists" in
> the way this patch wants to do, the latter cannot be. And the patch
> touches a function that is exclusively used by the `lockfile` machinery,
> each and every caller of `open(..., ... O_CREAT)` is affected by this
> change.

I feared as much. I was hoping that the second case would cause a
different error equivalent to EPERM, and the documentation didn't really
say anything about this.

> This has ramifications e.g. when running in a worktree where the user has
> no write permission (but which they indicated as safe via
> `safe.directory`). Git would then no longer report correctly whe it cannot
> write files because the user lacks permission to do that, but would
> instead claim that the file already exists, when that is not true.
> 
> Maybe there is a place higher in the stack trace where Git could instead
> learn to handle `EACCES`? E.g. treat it the same as `EEXIST`, or maybe
> alternatively make it Windows-specific and introduce a back-off plan?

The place that would need to learn about it is the lockfile subsystem.
But we basically have the same issue here that we cannot know why we got
EACCESS in the first place. So retrying may or may not be the correct
thing to do in this context, same as in `mingw_open()`.

While implementing the workaround I wondered whether we are able to get
clearer error messages if we were able to verify a few additional data
points:

  - If creating the file fails with ERROR_ACCESS_DENIED we could check
    whether the parent directory is accessible to us, and if it is then
    we can assume that the error is due to an existing file. But that
    falls apart rather quickly when thinking about edge cases, like an
    unwritable file in a writable directory.

  - We could stat the file in question to check whether it exists. But
    given that our case only happens when we have lost a race it may be
    unwise to build on top of an already-racy mechanism.

All of these feel hacky, so... I don't have a good idea for how to fix
this. It is unfortunate that `CreateFileW()` throws these two errors
into the same bag and doesn't give us any hints which of both errors has
happened.

Patrick