Re: [PATCH v2] clone: fix segfault when using --revision and v0/v1 protocol

[Junio C Hamano <gitster@pobox.com>]

"NitroCao via GitGitGadget" <gitgitgadget@gmail.com> writes:

> From: Nitro Cao <jaycecao520@gmail.com>
>
> When `git clone` is used with `--revision` and the protocol version is
> v0 or v1, the client segfaults if the revision does not specify a peer
> reference (e.g. `--revision master` instead of
> `--revision refs/heads/master:master`).
>
> This occurs because `update_remote_refs()` assumes that if
> `remote_head_points_at` is set, `remote_head_points_at->peer_ref` is
> also valid. However, for v0/v1 protocols, all references are fetched
> without filtering, and if the revision lacks a peer reference,
> `peer_ref` remains NULL.
>
> Add a check for `remote_head_points_at->peer_ref` before dereferencing
> it to prevent the segmentation fault.

Hmph.

While your change may skip the code that segfaults, wouldn't it also
stop noticing a broken case where .peer_ref should have been set but
didn't, even when --revision=<rev> parameter is not used in the
command invocation?  IOW, it is better to segfault and draw attention
by Git developers when a valid input is given by the end user and our
code misbehaves (e.g., and fails to to set .peer_ref as it should).

Stepping back a bit, "git clone --help" says the following on
"--revision=<rev>":

    `--revision=<rev>`::
            Create a new repository, and fetch the history leading
            to the given revision _<rev>_ (and nothing else),
            without making any remote-tracking branch, and without
            making any local branch, and detach `HEAD` to
            _<rev>_. The argument can be a ref name
            (e.g. `refs/heads/main` or `refs/tags/v1.0`) that peels
            down to a commit, or a hexadecimal object name.  This
            option is incompatible with `--branch` and `--mirror`.

The intent of running the command with this option seems to me that
we do not want to create any branches, neither remote-tracking nor
local.  Looking at what is done in update_remote_refs(), I think we
still want to honor check_connectivity even when we are in this
"single revision only, detach the HEAD at that commit" mode in order
to ensure the integrity of the data, but we cetainly do not want to
call the write_remote_refs() and the write_followtags() helpers.

Wouldn't the correct fix be more like the following?

 - split out parts from update_remote_refs() that are needed even in
   option_rev mode into a separate helper function, and call that
   from cmd_clone().

 - make the call to update_remote_refs() conditional---specifically,
   we shouldn't be calling it when option_rev is in effect.

>  builtin/clone.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Also, isn't this something we can specify the expected behaviour in
tests?  Not only we want to ensure that nothing segfaults, we would
want to make sure that the resulting repository has no refs and HEAD
is detached at the specified revision.

Thanks.

> diff --git a/builtin/clone.c b/builtin/clone.c
> index b40cee5968..ba8de92563 100644
> --- a/builtin/clone.c
> +++ b/builtin/clone.c
> @@ -558,7 +558,7 @@ static void update_remote_refs(const struct ref *refs,
>  			write_followtags(refs, msg);
>  	}
>  
> -	if (remote_head_points_at && !option_bare) {
> +	if (remote_head_points_at && remote_head_points_at->peer_ref && !option_bare) {
>  		struct strbuf head_ref = STRBUF_INIT;
>  		strbuf_addstr(&head_ref, branch_top);
>  		strbuf_addstr(&head_ref, "HEAD");
>
> base-commit: 67ad42147a7acc2af6074753ebd03d904476118f