path: root/builtin
AgeCommit message (Collapse)Author
2017-04-02push: unmark a local variable as staticBrandon Williams
There isn't any obvious reason for the 'struct string_list push_options' and 'struct string_list_item *item' to be marked as static, so unmark them as being static. Also, clear the push_options string_list to prevent memory leaking. Signed-off-by: Brandon Williams <> Reviewed-by: Jonathan Nieder <> Signed-off-by: Junio C Hamano <>
2017-04-01index-pack: detect local corruption in collision checkJeff King
When we notice that we have a local copy of an incoming object, we compare the two objects to make sure we haven't found a collision. Before we get to the actual object bytes, though, we compare the type and size from sha1_object_info(). If our local object is corrupted, then the type will be OBJ_BAD, which obviously will not match the incoming type, and we'll report "SHA1 COLLISION FOUND" (with capital letters and everything). This is confusing, as the problem is not a collision but rather local corruption. We should report that instead (just like we do if reading the rest of the object content fails a few lines later). Note that we _could_ just ignore the error and mark it as a non-collision. That would let you "git fetch" to replace a corrupted object. But it's not a very reliable method for repairing a repository. The earlier want/have negotiation tries to get the other side to omit objects we already have, and it would not realize that we are "missing" this corrupted object. So we're better off complaining loudly when we see corruption, and letting the user take more drastic measures to repair (like making a full clone elsewhere and copying the pack into place). Note that the test sets transfer.unpackLimit in the receiving repository so that we use index-pack (which is what does the collision check). Normally for such a small push we'd use unpack-objects, which would simply try to write the loose object, and discard the new one when we see that there's already an old one. Signed-off-by: Jeff King <> Signed-off-by: Junio C Hamano <>
2017-03-31Rename sha1_array to oid_arraybrian m. carlson
Since this structure handles an array of object IDs, rename it to struct oid_array. Also rename the accessor functions and the initialization constant. This commit was produced mechanically by providing non-Documentation files to the following Perl one-liners: perl -pi -E 's/struct sha1_array/struct oid_array/g' perl -pi -E 's/\bsha1_array_/oid_array_/g' perl -pi -E 's/SHA1_ARRAY_INIT/OID_ARRAY_INIT/g' Signed-off-by: brian m. carlson <> Signed-off-by: Junio C Hamano <>
2017-03-31Convert sha1_array_for_each_unique and for_each_abbrev to object_idbrian m. carlson
Make sha1_array_for_each_unique take a callback using struct object_id. Since one of these callbacks is an argument to for_each_abbrev, convert those as well. Rename various functions, replacing "sha1" with "oid". Signed-off-by: brian m. carlson <> Signed-off-by: Junio C Hamano <>
2017-03-31Convert sha1_array_lookup to take struct object_idbrian m. carlson
Convert this function by changing the declaration and definition and applying the following semantic patch to update the callers: @@ expression E1, E2; @@ - sha1_array_lookup(E1, E2.hash) + sha1_array_lookup(E1, &E2) @@ expression E1, E2; @@ - sha1_array_lookup(E1, E2->hash) + sha1_array_lookup(E1, E2) Signed-off-by: brian m. carlson <> Signed-off-by: Junio C Hamano <>
2017-03-31Convert remaining callers of sha1_array_lookup to object_idbrian m. carlson
There are a very small number of callers which don't already use struct object_id. Convert them. Signed-off-by: brian m. carlson <> Signed-off-by: Junio C Hamano <>
2017-03-31Make sha1_array_append take a struct object_id *brian m. carlson
Convert the callers to pass struct object_id by changing the function declaration and definition and applying the following semantic patch: @@ expression E1, E2; @@ - sha1_array_append(E1, E2.hash) + sha1_array_append(E1, &E2) @@ expression E1, E2; @@ - sha1_array_append(E1, E2->hash) + sha1_array_append(E1, E2) Signed-off-by: brian m. carlson <> Signed-off-by: Junio C Hamano <>
2017-03-30gc: replace local buffer with git_pathJeff King
We probe the "17/" loose object directory for auto-gc, and use a local buffer to format the path. We can just use git_path() for this. It handles paths of any length (reducing our error handling). And because we feed the result straight to a system call, we can just use the static variant. Note that git_path also knows the string "objects/" is special, and will replace it with git_object_directory() when necessary. Another alternative would be to use sha1_file_name() for the pretend object "170000...", but that ends up being more hassle for no gain, as we have to truncate the final path component. Signed-off-by: Jeff King <>
2017-03-30replace unchecked snprintf calls with heap buffersJeff King
We'd prefer to avoid unchecked snprintf calls because truncation can lead to unexpected results. These are all cases where truncation shouldn't ever happen, because the input to snprintf is fixed in size. That makes them candidates for xsnprintf(), but it's simpler still to just use the heap, and then nobody has to wonder if "100" is big enough. We'll use xstrfmt() where possible, and a strbuf when we need the resulting size or to reuse the same buffer in a loop. Signed-off-by: Jeff King <>
2017-03-30receive-pack: print --pack-header directly into argv arrayJeff King
After receive-pack reads the pack header from the client, it feeds the already-read part to index-pack and unpack-objects via their --pack-header command-line options. To do so, we format it into a fixed buffer, then duplicate it into the child's argv_array. Our buffer is long enough to handle any possible input, so this isn't wrong. But it's more complicated than it needs to be; we can just argv_array_pushf() the final value and avoid the intermediate copy. This drops the magic number and is more efficient, too. Note that we need to push to the argv_array in order, which means we can't do the push until we are in the "unpack-objects versus index-pack" conditional. Rather than duplicate the slightly complicated format specifier, I pushed it into a helper function. Signed-off-by: Jeff King <>
2017-03-30name-rev: replace static buffer with strbufJeff King
When name-rev needs to format an actual name, we do so into a fixed-size buffer. That includes the actual ref tip, as well as any traversal information. Since refs can exceed 1024 bytes, this means you can get a bogus result. E.g., doing: git tag $(perl -e 'print join("/", 1..1024)') git describe --contains HEAD^ results in ".../282/283", when it should be ".../1023/1024~1". We can solve this by using a heap buffer. We'll use a strbuf, which lets us write into the same buffer from our loop without having to reallocate. Signed-off-by: Jeff King <>
2017-03-30avoid using fixed PATH_MAX buffers for refsJeff King
Many functions which handle refs use a PATH_MAX-sized buffer to do so. This is mostly reasonable as we have to write loose refs into the filesystem, and at least on Linux the 4K PATH_MAX is big enough that nobody would care. But: 1. The static PATH_MAX is not always the filesystem limit. 2. On other platforms, PATH_MAX may be much smaller. 3. As we move to alternate ref storage, we won't be bound by filesystem limits. Let's convert these to heap buffers so we don't have to worry about truncation or size limits. We may want to eventually constrain ref lengths for sanity and to prevent malicious names, but we should do so consistently across all platforms, and in a central place (like the ref code). Signed-off-by: Jeff King <>
2017-03-30fetch: use heap buffer to format reflogJeff King
Part of the reflog content comes from the environment, which can be much larger than our fixed buffer. Let's use a heap buffer so we avoid truncating it. Signed-off-by: Jeff King <>
2017-03-30tag: use strbuf to format tag headerJeff King
We format the tag header into a fixed 1024-byte buffer. But since the tag-name and tagger ident can be arbitrarily large, we may unceremoniously die with "tag header too big". Let's just use a strbuf instead. Note that it looks at first glance like we can just format this directly into the "buf" strbuf where it will ultimately go. But that buffer may already contain the tag message, and we have no easy way to prepend formatted data to a strbuf (we can only splice in an already-generated buffer). This isn't a performance-critical path, so going through an extra buffer isn't a big deal. Signed-off-by: Jeff King <>
2017-03-30Merge branch 'bc/push-cert-receive-fix'Junio C Hamano
"git receive-pack" could have been forced to die by attempting allocate an unreasonably large amount of memory with a crafted push certificate; this has been fixed. * bc/push-cert-receive-fix: builtin/receive-pack: fix incorrect pointer arithmetic
2017-03-30Merge branch 'mg/describe-debug-l10n'Junio C Hamano
Some debugging output from "git describe" were marked for l10n, but some weren't. Mark missing ones for l10n. * mg/describe-debug-l10n: l10n: de: translate describe debug terms describe: localize debug output fully
2017-03-30Merge branch 'bw/recurse-submodules-relative-fix'Junio C Hamano
A few commands that recently learned the "--recurse-submodule" option misbehaved when started from a subdirectory of the superproject. * bw/recurse-submodules-relative-fix: ls-files: fix bug when recursing with relative pathspec ls-files: fix typo in variable name grep: fix bug when recursing with relative pathspec setup: allow for prefix to be passed to git commands grep: fix help text typo
2017-03-30Merge branch 'bw/submodule-is-active'Junio C Hamano
"what URL do we want to update this submodule?" and "are we interested in this submodule?" are split into two distinct concepts, and then the way used to express the latter got extended, paving a way to make it easier to manage a project with many submodules and make it possible to later extend use of multiple worktrees for a project with submodules. * bw/submodule-is-active: submodule add: respect and submodule.<name>.active submodule--helper init: set submodule.<name>.active clone: teach --recurse-submodules to optionally take a pathspec submodule init: initialize active submodules submodule: decouple url and submodule interest submodule--helper clone: check for configured submodules using helper submodule sync: use submodule--helper is-active submodule sync: skip work for inactive submodules submodule status: use submodule--helper is-active submodule--helper: add is-active subcommand
2017-03-30Merge branch 'jc/merge-drop-old-syntax'Junio C Hamano
Stop supporting "git merge <message> HEAD <commit>" syntax that has been deprecated since October 2007, and issues a deprecation warning message since v2.5.0. * jc/merge-drop-old-syntax: merge: drop 'git merge <message> HEAD <commit>' syntax
2017-03-30difftool: avoid strcpyJeff King
In order to checkout files, difftool reads "diff --raw" output and feeds the names to checkout_entry(). That function requires us to have a "struct cache_entry". And because that struct uses a FLEX_ARRAY for the name field, we have to actually copy in our new name. The current code allocates a single re-usable cache_entry that can hold a name up to PATH_MAX, and then copies filenames into it using strcpy(). But there's no guarantee that incoming names are smaller than PATH_MAX. They've come from "diff --raw" output which might be diffing between two trees (and hence we'd be subject to the PATH_MAX of some other system, or even none at all if they were created directly via "update-index"). We can fix this by using make_cache_entry() to create a correctly-sized cache_entry for each name. This incurs an extra allocation per file, but this is negligible compared to actually writing out the file contents. To make this simpler, we can push this procedure into a new helper function. Note that we can also get rid of the "len" variables for src_path and dst_path (and in fact we must, as the compiler complains that they are unused). Signed-off-by: Jeff King <> Acked-by: Johannes Schindelin <> Signed-off-by: Junio C Hamano <>
2017-03-30update-index: fix xgetcwd() related memory leakChristian Couder
As xgetcwd() returns an allocated buffer, we should free this buffer when we don't need it any more. This was found by Coverity. Reported-by: Jeff King <> Signed-off-by: Christian Couder <> Signed-off-by: Junio C Hamano <>
2017-03-28odb_mkstemp: write filename into strbufJeff King
The odb_mkstemp() function expects the caller to provide a fixed buffer to write the resulting tempfile name into. But it creates the template using snprintf without checking the return value. This means we could silently truncate the filename. In practice, it's unlikely that the truncation would end in the template-pattern that mkstemp needs to open the file. So we'd probably end up failing either way, unless the path was specially crafted. The simplest fix would be to notice the truncation and die. However, we can observe that most callers immediately xstrdup() the result anyway. So instead, let's switch to using a strbuf, which is easier for them (and isn't a big deal for the other 2 callers, who can just strbuf_release when they're done with it). Note that many of the callers used static buffers, but this was purely to avoid putting a large buffer on the stack. We never passed the static buffers out of the function, so there's no complicated memory handling we need to change. Signed-off-by: Jeff King <>
2017-03-28do not check odb_mkstemp return value for errorsJeff King
The odb_mkstemp function does not return an error; it dies on failure instead. But many of its callers compare the resulting descriptor against -1 and die themselves. Mostly this is just pointless, but it does raise a question when looking at the callers: if they show the results of the "template" buffer after a failure, what's in it? The answer is: it doesn't matter, because it cannot happen. So let's make that clear by removing the bogus error checks. In bitmap_writer_finish(), we can drop the error-handling code entirely. In the other two cases, it's shared with the open() in another code path; we can just move the error-check next to that open() call. And while we're at it, let's flesh out the function's docstring a bit to make the error behavior clear. Signed-off-by: Jeff King <>
2017-03-28Merge branch 'jk/fast-import-cleanup'Junio C Hamano
Code clean-up. * jk/fast-import-cleanup: pack.h: define largest possible encoded object size encode_in_pack_object_header: respect output buffer length fast-import: use xsnprintf for formatting headers fast-import: use xsnprintf for writing sha1s
2017-03-28Merge branch 'sb/checkout-recurse-submodules'Junio C Hamano
"git checkout" is taught the "--recurse-submodules" option. * sb/checkout-recurse-submodules: builtin/read-tree: add --recurse-submodules switch builtin/checkout: add --recurse-submodules switch entry.c: create submodules when interesting unpack-trees: check if we can perform the operation for submodules unpack-trees: pass old oid to verify_clean_submodule update submodules: add submodule_move_head submodule.c: get_super_prefix_or_empty update submodules: move up prepare_submodule_repo_env submodules: introduce check to see whether to touch a submodule update submodules: add a config option to determine if submodules are updated update submodules: add submodule config parsing make is_submodule_populated gently define tests for recursing into submodules replace sha1 by hash lib-submodule-update: teach test_submodule_content the -C <dir> flag do not use ./. as submodule remote reorder create_lib_submodule_repo submodule--helper.c: remove duplicate code connect_work_tree_and_git_dir: safely create leading directories
2017-03-28Merge branch 'bw/grep-recurse-submodules'Junio C Hamano
Build fix for NO_PTHREADS build. * bw/grep-recurse-submodules: grep: fix builds with with no thread support grep: set default output method
2017-03-28Merge branch 'rs/update-hook-optim' into maintJunio C Hamano
Code clean-up. * rs/update-hook-optim: receive-pack: simplify run_update_post_hook()
2017-03-28Merge branch 'rs/shortlog-cleanup' into maintJunio C Hamano
Code clean-up. * rs/shortlog-cleanup: shortlog: don't set after_subject to an empty string
2017-03-28Merge branch 'jk/pack-name-cleanups' into maintJunio C Hamano
Code clean-up. * jk/pack-name-cleanups: index-pack: make pointer-alias fallbacks safer replace snprintf with odb_pack_name() odb_pack_keep(): stop generating keepfile name sha1_file.c: make pack-name helper globally accessible move odb_* declarations out of git-compat-util.h
2017-03-28Merge branch 'jk/rev-parse-cleanup' into maintJunio C Hamano
Code clean-up. * jk/rev-parse-cleanup: rev-parse: simplify parsing of ref options rev-parse: add helper for parsing "--foo/--foo=" rev-parse: use skip_prefix when parsing options
2017-03-28Merge branch 'rs/blame-code-cleanup' into maintJunio C Hamano
Code clean-up. * rs/blame-code-cleanup: blame: move blame_entry duplication to add_blame_entry()
2017-03-28Merge branch 'mm/fetch-show-error-message-on-unadvertised-object' into maintJunio C Hamano
"git fetch" that requests a commit by object name, when the other side does not allow such an request, failed without much explanation. * mm/fetch-show-error-message-on-unadvertised-object: fetch-pack: add specific error for fetching an unadvertised object fetch_refs_via_pack: call report_unmatched_refs fetch-pack: move code to report unmatched refs to a function
2017-03-28Merge branch 'jk/interpret-branch-name' into maintJunio C Hamano
"git branch @" created refs/heads/@ as a branch, and in general the code that handled @{-1} and @{upstream} was a bit too loose in disambiguating. * jk/interpret-branch-name: checkout: restrict @-expansions when finding branch strbuf_check_ref_format(): expand only local branches branch: restrict @-expansions when deleting t3204: test git-branch @-expansion corner cases interpret_branch_name: allow callers to restrict expansions strbuf_branchname: add docstring strbuf_branchname: drop return value interpret_branch_name: move docstring to header file interpret_branch_name(): handle auto-namelen for @{-1}
2017-03-28Merge branch 'jk/delta-chain-limit' into maintJunio C Hamano
"git repack --depth=<n>" for a long time busted the specified depth when reusing delta from existing packs. This has been corrected. * jk/delta-chain-limit: pack-objects: convert recursion to iteration in break_delta_chain() pack-objects: enforce --depth limit in reused deltas
2017-03-28sha1-array: convert internal storage for struct sha1_array to object_idbrian m. carlson
Make the internal storage for struct sha1_array use an array of struct object_id internally. Update the users of this struct which inspect its internals. Signed-off-by: brian m. carlson <> Signed-off-by: Junio C Hamano <>
2017-03-28builtin/pull: convert to struct object_idbrian m. carlson
Convert virtually all uses of unsigned char [20] to struct object_id. Leave all the arguments that come from struct sha1_array, as these will be converted in a later patch. Signed-off-by: brian m. carlson <> Signed-off-by: Junio C Hamano <>
2017-03-28submodule: convert check_for_new_submodule_commits to object_idbrian m. carlson
All of the callers of this function have been converted, so convert this function and update the callers. This function also calls sha1_array_append, which we'll convert shortly. Signed-off-by: brian m. carlson <> Signed-off-by: Junio C Hamano <>
2017-03-28builtin/receive-pack: convert portions to struct object_idbrian m. carlson
Convert some hardcoded constants into uses of parse_oid_hex. Additionally, convert all uses of struct command, and miscellaneous other functions necessary for that. This work is necessary to be able to convert sha1_array_append later on. To avoid needing to specify a constant, reject shallow lines with the wrong length instead of simply ignoring them. Note that in queue_command we are guaranteed to have a NUL-terminated buffer or at least one byte of overflow that we can safely read, so the linelen check can be elided. We would die in such a case, but not read invalid memory. Signed-off-by: brian m. carlson <> Signed-off-by: Junio C Hamano <>
2017-03-28builtin/receive-pack: fix incorrect pointer arithmeticbrian m. carlson
If we had already processed the last newline in a push certificate, we would end up subtracting NULL from the end-of-certificate pointer when computing the length of the line. This would have resulted in an absurdly large length, and possibly a buffer overflow. Instead, subtract the beginning-of-certificate pointer from the end-of-certificate pointer, which is what's expected. Note that this situation should never occur, since not only do we require the certificate to be newline terminated, but the signature will only be read from the beginning of a line. Nevertheless, it seems prudent to correct it. Signed-off-by: brian m. carlson <> Signed-off-by: Junio C Hamano <>
2017-03-27describe: localize debug output fullyMichael J Gruber
git describe --debug localizes all debug messages but not the terms head, lightweight, annotated that it outputs for the candidates. Localize them, too. Signed-off-by: Michael J Gruber <> Signed-off-by: Junio C Hamano <>
2017-03-27Merge branch 'sb/describe-broken'Junio C Hamano
"git describe --dirty" dies when it cannot be determined if the state in the working tree matches that of HEAD (e.g. broken repository or broken submodule). The command learned a new option "git describe --broken" to give "$name-broken" (where $name is the description of HEAD) in such a case. * sb/describe-broken: builtin/describe: introduce --broken flag
2017-03-27Merge branch 'sb/push-options-via-transport'Junio C Hamano
Recently we started passing the "--push-options" through the external remote helper interface; now the "smart HTTP" remote helper understands what to do with the passed information. * sb/push-options-via-transport: remote-curl: allow push options send-pack: send push options correctly in stateless-rpc case
2017-03-27Merge branch 'jk/prefix-filename'Junio C Hamano
Code clean-up with minor bugfixes. * jk/prefix-filename: bundle: use prefix_filename with bundle path prefix_filename: simplify windows #ifdef prefix_filename: return newly allocated string prefix_filename: drop length parameter prefix_filename: move docstring to header file hash-object: fix buffer reuse with --path in a subdirectory
2017-03-27builtin/pull: convert portions to struct object_idbrian m. carlson
Convert the caller of sha1_array_append to struct object_id. Signed-off-by: brian m. carlson <> Signed-off-by: Junio C Hamano <>
2017-03-27builtin/diff: convert to struct object_idbrian m. carlson
Signed-off-by: brian m. carlson <> Signed-off-by: Junio C Hamano <>
2017-03-27Convert GIT_SHA1_RAWSZ used for allocation to GIT_MAX_RAWSZbrian m. carlson
Since we will likely be introducing a new hash function at some point, and that hash function might be longer than 20 bytes, use the constant GIT_MAX_RAWSZ, which is designed to be suitable for allocations, instead of GIT_SHA1_RAWSZ. This will ease the transition down the line by distinguishing between places where we need to allocate memory suitable for the largest hash from those where we need to handle the current hash. Signed-off-by: brian m. carlson <> Signed-off-by: Junio C Hamano <>
2017-03-27Convert GIT_SHA1_HEXSZ used for allocation to GIT_MAX_HEXSZbrian m. carlson
Since we will likely be introducing a new hash function at some point, and that hash function might be longer than 40 hex characters, use the constant GIT_MAX_HEXSZ, which is designed to be suitable for allocations, instead of GIT_SHA1_HEXSZ. This will ease the transition down the line by distinguishing between places where we need to allocate memory suitable for the largest hash from those where we need to handle the current hash. Signed-off-by: brian m. carlson <> Signed-off-by: Junio C Hamano <>
2017-03-24Merge branch 'rs/update-hook-optim'Junio C Hamano
Code clean-up. * rs/update-hook-optim: receive-pack: simplify run_update_post_hook()
2017-03-24Merge branch 'rs/shortlog-cleanup'Junio C Hamano
Code clean-up. * rs/shortlog-cleanup: shortlog: don't set after_subject to an empty string
2017-03-24Merge branch 'jk/grep-no-index-fix' into maintJunio C Hamano
The code to parse the command line "git grep <patterns>... <rev> [[--] <pathspec>...]" has been cleaned up, and a handful of bugs have been fixed (e.g. we used to check "--" if it is a rev). * jk/grep-no-index-fix: grep: treat revs the same for --untracked as for --no-index grep: do not diagnose misspelt revs with --no-index grep: avoid resolving revision names in --no-index case grep: fix "--" rev/pathspec disambiguation grep: re-order rev-parsing loop grep: do not unnecessarily query repo for "--" grep: move thread initialization a little lower