[PATCH 0/6] more small leak fixes

[PATCH 0/6] more small leak fixes

[Jeff King]

Based on the discussion over in [1], I wondered how close we were to
being able to run some test scripts with a leak-checker like LSan not
complaining. The answer is...not close.

I picked t5526 more or less at random (it was the first failure when I
did a parallel "make test") to see what it would take to get it passing.
After much effort...I have t5526.1, the setup test, running clean. :)

There were quite a few false positives, but it did actually uncover some
legitimate leaks. This series fixes those. I did it independently of the
leak-fix in [2], but it would be fine to just lump it all together as
one topic.

[1] https://lore.kernel.org/git/20200813155426.GA896769@coredump.intra.peff.net/
[2] https://lore.kernel.org/git/20200814111049.GA4101811@coredump.intra.peff.net/

The patches are:

  [1/6]: submodule--helper: use strbuf_release() to free strbufs
  [2/6]: checkout: fix leak of non-existent branch names
  [3/6]: config: fix leaks from git_config_get_string_const()
  [4/6]: config: drop git_config_get_string_const()
  [5/6]: config: fix leak in git_config_get_expiry_in_days()
  [6/6]: submodule--helper: fix leak of core.worktree value

 Documentation/MyFirstContribution.txt |  4 +--
 apply.c                               |  4 +--
 builtin/checkout.c                    |  4 ++-
 builtin/fetch.c                       |  2 +-
 builtin/submodule--helper.c           | 16 +++++------
 cache.h                               |  4 +--
 checkout.c                            |  3 +--
 config.c                              | 39 ++++++++++++++++++++++-----
 config.h                              | 12 ++++++---
 connect.c                             |  4 +--
 editor.c                              |  2 +-
 environment.c                         |  4 +--
 help.c                                |  2 +-
 protocol.c                            |  2 +-
 submodule.c                           |  4 +--
 t/helper/test-config.c                |  2 +-
 16 files changed, 69 insertions(+), 39 deletions(-)

-Peff

[PATCH 1/6] submodule--helper: use strbuf_release() to free strbufs

[Jeff King]

The prepare_to_clone_next_submodule() function has a few local-variable
strbufs. We use strbuf_reset() throughout the function to reuse the
buffers over and over. But at the end of the function we also use
strbuf_reset() as they go out of scope, which means we end up leaking
their heap buffers. This should be strbuf_release() instead.

These were introduced by 48308681b0 (git submodule update: have a
dedicated helper for cloning, 2016-02-29), but it doesn't seem to have
the same mistake elsewhere. Likewise, I looked for other instances of
the pattern in the submodule--helper file but couldn't find any.

Signed-off-by: Jeff King <peff@peff.net>
---
 builtin/submodule--helper.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/builtin/submodule--helper.c b/builtin/submodule--helper.c
index df135abbf1..1762458345 100644
--- a/builtin/submodule--helper.c
+++ b/builtin/submodule--helper.c
@@ -1747,8 +1747,8 @@ static int prepare_to_clone_next_submodule(const struct cache_entry *ce,
 					      "--no-single-branch");
 
 cleanup:
-	strbuf_reset(&displaypath_sb);
-	strbuf_reset(&sb);
+	strbuf_release(&displaypath_sb);
+	strbuf_release(&sb);
 	if (need_free_url)
 		free((void*)url);
 
-- 
2.28.0.596.g9c08d63829

[PATCH 2/6] checkout: fix leak of non-existent branch names

[Jeff King]

We unconditionally write a branch name into a newly allocated buffer in
new_branch_info->path, via setup_branch_path(). We then check to see if
the branch exists; if not, we set that field to NULL, leaking the
memory. We should take care to free() it when doing so.

Signed-off-by: Jeff King <peff@peff.net>
---
 builtin/checkout.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/builtin/checkout.c b/builtin/checkout.c
index 2837195491..bba64108af 100644
--- a/builtin/checkout.c
+++ b/builtin/checkout.c
@@ -1120,8 +1120,10 @@ static void setup_new_branch_info_and_source_tree(
 	if (!check_refname_format(new_branch_info->path, 0) &&
 	    !read_ref(new_branch_info->path, &branch_rev))
 		oidcpy(rev, &branch_rev);
-	else
+	else {
+		free((char *)new_branch_info->path);
 		new_branch_info->path = NULL; /* not an existing branch */
+	}
 
 	new_branch_info->commit = lookup_commit_reference_gently(the_repository, rev, 1);
 	if (!new_branch_info->commit) {
-- 
2.28.0.596.g9c08d63829

[PATCH 3/6] config: fix leaks from git_config_get_string_const()

[Jeff King]

There are two functions to get a single config string:

  - git_config_get_string()

  - git_config_get_string_const()

One might naively think that the first one allocates a new string and
the second one just points us to the internal configset storage. But
in fact they both allocate a new copy; the second one exists only to
avoid having to cast when using it with a const global which we never
intend to free.

The documentation for the function explains that clearly, but it seems
I'm not alone in being surprised by this. Of 17 calls to the function,
13 of them leak the resulting value.

We could obviously fix these by adding the appropriate free(). But it
would be simpler still if we actually had a non-allocating way to get
the string. There's git_config_get_value() but that doesn't quite do
what we want. If the config key is present but is a boolean with no
value (e.g., "[foo]bar" in the file), then we'll get NULL (whereas the
string versions will print an error and die).

So let's introduce a new variant, git_config_get_string_tmp(), that
behaves as these callers expect. We need a new name because we have new
semantics but the same function signature (so even if we converted the
four remaining callers, topics in flight might be surprised). The "tmp"
is because this value should only be held onto for a short time. In
practice it's rare for us to clear and refresh the configset,
invalidating the pointer, but hopefully the "tmp" makes callers think
about the lifetime. In each of the converted cases here the value only
needs to last within the local function or its immediate caller.

Signed-off-by: Jeff King <peff@peff.net>
---
 builtin/fetch.c             |  2 +-
 builtin/submodule--helper.c |  8 ++++----
 config.c                    | 30 ++++++++++++++++++++++++++++++
 config.h                    | 10 ++++++++++
 connect.c                   |  4 ++--
 editor.c                    |  2 +-
 help.c                      |  2 +-
 protocol.c                  |  2 +-
 submodule.c                 |  4 ++--
 t/helper/test-config.c      |  2 +-
 10 files changed, 53 insertions(+), 13 deletions(-)

diff --git a/builtin/fetch.c b/builtin/fetch.c
index c49f0e9752..b3b77f8e2b 100644
--- a/builtin/fetch.c
+++ b/builtin/fetch.c
@@ -645,7 +645,7 @@ static void prepare_format_display(struct ref *ref_map)
 	struct ref *rm;
 	const char *format = "full";
 
-	git_config_get_string_const("fetch.output", &format);
+	git_config_get_string_tmp("fetch.output", &format);
 	if (!strcasecmp(format, "full"))
 		compact_format = 0;
 	else if (!strcasecmp(format, "compact"))
diff --git a/builtin/submodule--helper.c b/builtin/submodule--helper.c
index 1762458345..e09605716e 100644
--- a/builtin/submodule--helper.c
+++ b/builtin/submodule--helper.c
@@ -1511,7 +1511,7 @@ static void determine_submodule_update_strategy(struct repository *r,
 		if (parse_submodule_update_strategy(update, out) < 0)
 			die(_("Invalid update mode '%s' for submodule path '%s'"),
 				update, path);
-	} else if (!repo_config_get_string_const(r, key, &val)) {
+	} else if (!repo_config_get_string_tmp(r, key, &val)) {
 		if (parse_submodule_update_strategy(val, out) < 0)
 			die(_("Invalid update mode '%s' configured for submodule path '%s'"),
 				val, path);
@@ -1667,7 +1667,7 @@ static int prepare_to_clone_next_submodule(const struct cache_entry *ce,
 	}
 
 	key = xstrfmt("submodule.%s.update", sub->name);
-	if (!repo_config_get_string_const(the_repository, key, &update_string)) {
+	if (!repo_config_get_string_tmp(the_repository, key, &update_string)) {
 		update_type = parse_submodule_update_type(update_string);
 	} else {
 		update_type = sub->update_strategy.type;
@@ -1690,7 +1690,7 @@ static int prepare_to_clone_next_submodule(const struct cache_entry *ce,
 
 	strbuf_reset(&sb);
 	strbuf_addf(&sb, "submodule.%s.url", sub->name);
-	if (repo_config_get_string_const(the_repository, sb.buf, &url)) {
+	if (repo_config_get_string_tmp(the_repository, sb.buf, &url)) {
 		if (starts_with_dot_slash(sub->url) ||
 		    starts_with_dot_dot_slash(sub->url)) {
 			url = compute_submodule_clone_url(sub->url);
@@ -1976,7 +1976,7 @@ static const char *remote_submodule_branch(const char *path)
 		return NULL;
 
 	key = xstrfmt("submodule.%s.branch", sub->name);
-	if (repo_config_get_string_const(the_repository, key, &branch))
+	if (repo_config_get_string_tmp(the_repository, key, &branch))
 		branch = sub->branch;
 	free(key);
 
diff --git a/config.c b/config.c
index 2b79fe76ad..2f244c67b6 100644
--- a/config.c
+++ b/config.c
@@ -2020,6 +2020,20 @@ int git_configset_get_string(struct config_set *cs, const char *key, char **dest
 	return git_configset_get_string_const(cs, key, (const char **)dest);
 }
 
+int git_configset_get_string_tmp(struct config_set *cs, const char *key,
+				 const char **dest)
+{
+	const char *value;
+	if (!git_configset_get_value(cs, key, &value)) {
+		if (!value)
+			return config_error_nonbool(key);
+		*dest = value;
+		return 0;
+	} else {
+		return 1;
+	}
+}
+
 int git_configset_get_int(struct config_set *cs, const char *key, int *dest)
 {
 	const char *value;
@@ -2165,6 +2179,17 @@ int repo_config_get_string(struct repository *repo,
 	return repo_config_get_string_const(repo, key, (const char **)dest);
 }
 
+int repo_config_get_string_tmp(struct repository *repo,
+			       const char *key, const char **dest)
+{
+	int ret;
+	git_config_check_init(repo);
+	ret = git_configset_get_string_tmp(repo->config, key, dest);
+	if (ret < 0)
+		git_die_config(key, NULL);
+	return ret;
+}
+
 int repo_config_get_int(struct repository *repo,
 			const char *key, int *dest)
 {
@@ -2242,6 +2267,11 @@ int git_config_get_string(const char *key, char **dest)
 	return repo_config_get_string(the_repository, key, dest);
 }
 
+int git_config_get_string_tmp(const char *key, const char **dest)
+{
+	return repo_config_get_string_tmp(the_repository, key, dest);
+}
+
 int git_config_get_int(const char *key, int *dest)
 {
 	return repo_config_get_int(the_repository, key, dest);
diff --git a/config.h b/config.h
index 060874488f..a75b22e0d1 100644
--- a/config.h
+++ b/config.h
@@ -460,6 +460,7 @@ int git_configset_get_value(struct config_set *cs, const char *key, const char *
 
 int git_configset_get_string_const(struct config_set *cs, const char *key, const char **dest);
 int git_configset_get_string(struct config_set *cs, const char *key, char **dest);
+int git_configset_get_string_tmp(struct config_set *cs, const char *key, const char **dest);
 int git_configset_get_int(struct config_set *cs, const char *key, int *dest);
 int git_configset_get_ulong(struct config_set *cs, const char *key, unsigned long *dest);
 int git_configset_get_bool(struct config_set *cs, const char *key, int *dest);
@@ -478,6 +479,8 @@ int repo_config_get_string_const(struct repository *repo,
 				 const char *key, const char **dest);
 int repo_config_get_string(struct repository *repo,
 			   const char *key, char **dest);
+int repo_config_get_string_tmp(struct repository *repo,
+			       const char *key, const char **dest);
 int repo_config_get_int(struct repository *repo,
 			const char *key, int *dest);
 int repo_config_get_ulong(struct repository *repo,
@@ -537,6 +540,13 @@ int git_config_get_string_const(const char *key, const char **dest);
  */
 int git_config_get_string(const char *key, char **dest);
 
+/**
+ * Similar to `git_config_get_string_const`, but does not allocate any new
+ * memory; on success `dest` will point to memory owned by the config
+ * machinery, which could be invalidated if it is discarded and reloaded.
+ */
+int git_config_get_string_tmp(const char *key, const char **dest);
+
 /**
  * Finds and parses the value to an integer for the configuration variable
  * `key`. Dies on error; otherwise, stores the value of the parsed integer in
diff --git a/connect.c b/connect.c
index 0b6aba177e..8b8f56cf6d 100644
--- a/connect.c
+++ b/connect.c
@@ -1052,7 +1052,7 @@ static const char *get_ssh_command(void)
 	if ((ssh = getenv("GIT_SSH_COMMAND")))
 		return ssh;
 
-	if (!git_config_get_string_const("core.sshcommand", &ssh))
+	if (!git_config_get_string_tmp("core.sshcommand", &ssh))
 		return ssh;
 
 	return NULL;
@@ -1071,7 +1071,7 @@ static void override_ssh_variant(enum ssh_variant *ssh_variant)
 {
 	const char *variant = getenv("GIT_SSH_VARIANT");
 
-	if (!variant && git_config_get_string_const("ssh.variant", &variant))
+	if (!variant && git_config_get_string_tmp("ssh.variant", &variant))
 		return;
 
 	if (!strcmp(variant, "auto"))
diff --git a/editor.c b/editor.c
index 91989ee8a1..6303ae0ab0 100644
--- a/editor.c
+++ b/editor.c
@@ -40,7 +40,7 @@ const char *git_sequence_editor(void)
 	const char *editor = getenv("GIT_SEQUENCE_EDITOR");
 
 	if (!editor)
-		git_config_get_string_const("sequence.editor", &editor);
+		git_config_get_string_tmp("sequence.editor", &editor);
 	if (!editor)
 		editor = git_editor();
 
diff --git a/help.c b/help.c
index d478afb2af..4e2468a44d 100644
--- a/help.c
+++ b/help.c
@@ -375,7 +375,7 @@ void list_cmds_by_config(struct string_list *list)
 {
 	const char *cmd_list;
 
-	if (git_config_get_string_const("completion.commands", &cmd_list))
+	if (git_config_get_string_tmp("completion.commands", &cmd_list))
 		return;
 
 	string_list_sort(list);
diff --git a/protocol.c b/protocol.c
index d1dd3424bb..8d964fc65e 100644
--- a/protocol.c
+++ b/protocol.c
@@ -21,7 +21,7 @@ enum protocol_version get_protocol_version_config(void)
 	const char *git_test_k = "GIT_TEST_PROTOCOL_VERSION";
 	const char *git_test_v;
 
-	if (!git_config_get_string_const("protocol.version", &value)) {
+	if (!git_config_get_string_tmp("protocol.version", &value)) {
 		enum protocol_version version = parse_protocol_version(value);
 
 		if (version == protocol_unknown_version)
diff --git a/submodule.c b/submodule.c
index a52b93a87f..d0b70ca536 100644
--- a/submodule.c
+++ b/submodule.c
@@ -194,7 +194,7 @@ void set_diffopt_flags_from_submodule_config(struct diff_options *diffopt,
 		char *key;
 
 		key = xstrfmt("submodule.%s.ignore", submodule->name);
-		if (repo_config_get_string_const(the_repository, key, &ignore))
+		if (repo_config_get_string_tmp(the_repository, key, &ignore))
 			ignore = submodule->ignore;
 		free(key);
 
@@ -1299,7 +1299,7 @@ static int get_fetch_recurse_config(const struct submodule *submodule,
 
 		int fetch_recurse = submodule->fetch_recurse;
 		key = xstrfmt("submodule.%s.fetchRecurseSubmodules", submodule->name);
-		if (!repo_config_get_string_const(spf->r, key, &value)) {
+		if (!repo_config_get_string_tmp(spf->r, key, &value)) {
 			fetch_recurse = parse_fetch_recurse_submodules_arg(key, value);
 		}
 		free(key);
diff --git a/t/helper/test-config.c b/t/helper/test-config.c
index 234c722b48..a6e936721f 100644
--- a/t/helper/test-config.c
+++ b/t/helper/test-config.c
@@ -126,7 +126,7 @@ int cmd__config(int argc, const char **argv)
 			goto exit1;
 		}
 	} else if (argc == 3 && !strcmp(argv[1], "get_string")) {
-		if (!git_config_get_string_const(argv[2], &v)) {
+		if (!git_config_get_string_tmp(argv[2], &v)) {
 			printf("%s\n", v);
 			goto exit0;
 		} else {
-- 
2.28.0.596.g9c08d63829

[PATCH 4/6] config: drop git_config_get_string_const()

[Jeff King]

As evidenced by the leak fixes in the previous commit, the "const" in
git_config_get_string_const() clearly misleads people into thinking that
it does not allocate a copy of the string. We can fix this by renaming
it, but it's easier still to just drop it. Of the four remaining
callers:

  - The one in git_config_parse_expiry() still needs to allocate, since
    that's what its callers expect. We can just use the non-const
    version and cast our pointer. Slightly ugly, but the damage is
    contained in one spot.

  - The two in apply are writing to global "const char *" variables, and
    need to continue allocating. We often mark these as const because we
    assign default string literals to them. But in this case we don't do
    that, so we can just declare them as real "char *" pointers and use
    the non-const version.

  - The call in checkout doesn't actually need a copy; it can just use
    the non-allocating "tmp" version of the function.

The function is also mentioned in the MyFirstContribution document. We
can swap that call out for the non-allocating "tmp" variant, which fits
well in the example given.

Note that this frees up the "const" name, so we could rename the "tmp"
variant back to that. But let's give some time for topics in flight to
adapt to the new code before doing so (if we do it too soon, the
function semantics will change but the compiler won't alert us).

Signed-off-by: Jeff King <peff@peff.net>
---
 Documentation/MyFirstContribution.txt | 4 ++--
 apply.c                               | 4 ++--
 cache.h                               | 4 ++--
 checkout.c                            | 3 +--
 config.c                              | 7 +------
 config.h                              | 8 +-------
 environment.c                         | 4 ++--
 7 files changed, 11 insertions(+), 23 deletions(-)

diff --git a/Documentation/MyFirstContribution.txt b/Documentation/MyFirstContribution.txt
index d85c9b5143..4f85a089ef 100644
--- a/Documentation/MyFirstContribution.txt
+++ b/Documentation/MyFirstContribution.txt
@@ -319,14 +319,14 @@ function body:
 ...
 
 	git_config(git_default_config, NULL);
-	if (git_config_get_string_const("user.name", &cfg_name) > 0)
+	if (git_config_get_string_tmp("user.name", &cfg_name) > 0)
 		printf(_("No name is found in config\n"));
 	else
 		printf(_("Your name: %s\n"), cfg_name);
 ----
 
 `git_config()` will grab the configuration from config files known to Git and
-apply standard precedence rules. `git_config_get_string_const()` will look up
+apply standard precedence rules. `git_config_get_string_tmp()` will look up
 a specific key ("user.name") and give you the value. There are a number of
 single-key lookup functions like this one; you can see them all (and more info
 about how to use `git_config()`) in `Documentation/technical/api-config.txt`.
diff --git a/apply.c b/apply.c
index 402d80602a..2839dae029 100644
--- a/apply.c
+++ b/apply.c
@@ -30,8 +30,8 @@ struct gitdiff_data {
 
 static void git_apply_config(void)
 {
-	git_config_get_string_const("apply.whitespace", &apply_default_whitespace);
-	git_config_get_string_const("apply.ignorewhitespace", &apply_default_ignorewhitespace);
+	git_config_get_string("apply.whitespace", &apply_default_whitespace);
+	git_config_get_string("apply.ignorewhitespace", &apply_default_ignorewhitespace);
 	git_config(git_xmerge_config, NULL);
 }
 
diff --git a/cache.h b/cache.h
index 0290849c19..4cad61ffa4 100644
--- a/cache.h
+++ b/cache.h
@@ -921,8 +921,8 @@ extern int assume_unchanged;
 extern int prefer_symlink_refs;
 extern int warn_ambiguous_refs;
 extern int warn_on_object_refname_ambiguity;
-extern const char *apply_default_whitespace;
-extern const char *apply_default_ignorewhitespace;
+extern char *apply_default_whitespace;
+extern char *apply_default_ignorewhitespace;
 extern const char *git_attributes_file;
 extern const char *git_hooks_path;
 extern int zlib_compression_level;
diff --git a/checkout.c b/checkout.c
index c72e9f9773..6586e30ca5 100644
--- a/checkout.c
+++ b/checkout.c
@@ -47,15 +47,14 @@ const char *unique_tracking_name(const char *name, struct object_id *oid,
 {
 	struct tracking_name_data cb_data = TRACKING_NAME_DATA_INIT;
 	const char *default_remote = NULL;
-	if (!git_config_get_string_const("checkout.defaultremote", &default_remote))
+	if (!git_config_get_string_tmp("checkout.defaultremote", &default_remote))
 		cb_data.default_remote = default_remote;
 	cb_data.src_ref = xstrfmt("refs/heads/%s", name);
 	cb_data.dst_oid = oid;
 	for_each_remote(check_tracking_name, &cb_data);
 	if (dwim_remotes_matched)
 		*dwim_remotes_matched = cb_data.num_matches;
 	free(cb_data.src_ref);
-	free((char *)default_remote);
 	if (cb_data.num_matches == 1) {
 		free(cb_data.default_dst_ref);
 		free(cb_data.default_dst_oid);
diff --git a/config.c b/config.c
index 2f244c67b6..8bb1945aa9 100644
--- a/config.c
+++ b/config.c
@@ -2257,11 +2257,6 @@ const struct string_list *git_config_get_value_multi(const char *key)
 	return repo_config_get_value_multi(the_repository, key);
 }
 
-int git_config_get_string_const(const char *key, const char **dest)
-{
-	return repo_config_get_string_const(the_repository, key, dest);
-}
-
 int git_config_get_string(const char *key, char **dest)
 {
 	return repo_config_get_string(the_repository, key, dest);
@@ -2304,7 +2299,7 @@ int git_config_get_pathname(const char *key, const char **dest)
 
 int git_config_get_expiry(const char *key, const char **output)
 {
-	int ret = git_config_get_string_const(key, output);
+	int ret = git_config_get_string(key, (char **)output);
 	if (ret)
 		return ret;
 	if (strcmp(*output, "now")) {
diff --git a/config.h b/config.h
index a75b22e0d1..d4d22c34c6 100644
--- a/config.h
+++ b/config.h
@@ -532,16 +532,10 @@ void git_config_clear(void);
  * error message and returns -1. When the configuration variable `key` is
  * not found, returns 1 without touching `dest`.
  */
-int git_config_get_string_const(const char *key, const char **dest);
-
-/**
- * Similar to `git_config_get_string_const`, except that retrieved value
- * copied into the `dest` parameter is a mutable string.
- */
 int git_config_get_string(const char *key, char **dest);
 
 /**
- * Similar to `git_config_get_string_const`, but does not allocate any new
+ * Similar to `git_config_get_string`, but does not allocate any new
  * memory; on success `dest` will point to memory owned by the config
  * machinery, which could be invalidated if it is discarded and reloaded.
  */
diff --git a/environment.c b/environment.c
index 52e0c979ba..bb518c61cd 100644
--- a/environment.c
+++ b/environment.c
@@ -35,8 +35,8 @@ int repository_format_precious_objects;
 int repository_format_worktree_config;
 const char *git_commit_encoding;
 const char *git_log_output_encoding;
-const char *apply_default_whitespace;
-const char *apply_default_ignorewhitespace;
+char *apply_default_whitespace;
+char *apply_default_ignorewhitespace;
 const char *git_attributes_file;
 const char *git_hooks_path;
 int zlib_compression_level = Z_BEST_SPEED;
-- 
2.28.0.596.g9c08d63829

[PATCH 5/6] config: fix leak in git_config_get_expiry_in_days()

[Jeff King]

We use git_config_get_string() to retrieve the expiry value in a newly
allocated string. But after parsing it, we never free it, leaking the
memory.

We could fix this with a free() obviously, but there's an even better
solution: we can use the non-allocating "tmp" variant of the function;
we only need it to be valid for the lifetime of our parse function.

Signed-off-by: Jeff King <peff@peff.net>
---
 config.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/config.c b/config.c
index 8bb1945aa9..968ef28e5b 100644
--- a/config.c
+++ b/config.c
@@ -2312,11 +2312,11 @@ int git_config_get_expiry(const char *key, const char **output)
 
 int git_config_get_expiry_in_days(const char *key, timestamp_t *expiry, timestamp_t now)
 {
-	char *expiry_string;
+	const char *expiry_string;
 	intmax_t days;
 	timestamp_t when;
 
-	if (git_config_get_string(key, &expiry_string))
+	if (git_config_get_string_tmp(key, &expiry_string))
 		return 1; /* no such thing */
 
 	if (git_parse_signed(expiry_string, &days, maximum_signed_value_of_type(int))) {
-- 
2.28.0.596.g9c08d63829

[PATCH 6/6] submodule--helper: fix leak of core.worktree value

[Jeff King]

In the ensure_core_worktree() function, we load the core.worktree value
of the submodule repository using repo_config_get_string(). This
function copies the string, but we never free it, leaking the memory.

We can instead use the "tmp" version of that function to avoid the
allocation at all. We don't have to worry about lifetime issues, since
we never even look at the value (we just want to know if it's set).

Signed-off-by: Jeff King <peff@peff.net>
---
 builtin/submodule--helper.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/builtin/submodule--helper.c b/builtin/submodule--helper.c
index e09605716e..a59d8e4bda 100644
--- a/builtin/submodule--helper.c
+++ b/builtin/submodule--helper.c
@@ -2101,7 +2101,7 @@ static int ensure_core_worktree(int argc, const char **argv, const char *prefix)
 {
 	const struct submodule *sub;
 	const char *path;
-	char *cw;
+	const char *cw;
 	struct repository subrepo;
 
 	if (argc != 2)
@@ -2116,7 +2116,7 @@ static int ensure_core_worktree(int argc, const char **argv, const char *prefix)
 	if (repo_submodule_init(&subrepo, the_repository, sub))
 		die(_("could not get a repository handle for submodule '%s'"), path);
 
-	if (!repo_config_get_string(&subrepo, "core.worktree", &cw)) {
+	if (!repo_config_get_string_tmp(&subrepo, "core.worktree", &cw)) {
 		char *cfg_file, *abs_path;
 		const char *rel_path;
 		struct strbuf sb = STRBUF_INIT;
-- 
2.28.0.596.g9c08d63829

Re: [PATCH 0/6] more small leak fixes

[Jeff King]

On Fri, Aug 14, 2020 at 12:13:28PM -0400, Jeff King wrote:

> Based on the discussion over in [1], I wondered how close we were to
> being able to run some test scripts with a leak-checker like LSan not
> complaining. The answer is...not close.
> 
> I picked t5526 more or less at random (it was the first failure when I
> did a parallel "make test") to see what it would take to get it passing.
> After much effort...I have t5526.1, the setup test, running clean. :)

For reference, here are the UNLEAK() calls I had to add to silence the
false positives. Some of these are kind of sketchy. For example,
declaring that wt_status_collect_changes_index() is allowed to leak is a
bit low-level for my tastes (in general it's probably only called once
per program, but it's getting quite far from the bottom of the stack).
But there's actually no convenient way to free the various bits of a
rev_info, so marking it with UNLEAK() is an expedient hack.

---
 builtin/clone.c             | 9 +++++++++
 builtin/init-db.c           | 1 +
 builtin/rev-list.c          | 1 +
 builtin/submodule--helper.c | 4 ++++
 parse-options.c             | 1 +
 wt-status.c                 | 3 +++
 6 files changed, 19 insertions(+)

diff --git a/builtin/clone.c b/builtin/clone.c
index b087ee40c2..b2578c3c50 100644
--- a/builtin/clone.c
+++ b/builtin/clone.c
@@ -998,6 +998,7 @@ int cmd_clone(int argc, const char **argv, const char *prefix)
 	repo_name = argv[0];
 
 	path = get_repo_path(repo_name, &is_bundle);
+	UNLEAK(path);
 	if (path)
 		repo = absolute_pathdup(repo_name);
 	else if (strchr(repo_name, ':')) {
@@ -1047,6 +1048,7 @@ int cmd_clone(int argc, const char **argv, const char *prefix)
 		work_tree = dir;
 		git_dir = mkpathdup("%s/.git", dir);
 	}
+	UNLEAK(git_dir);
 
 	atexit(remove_junk);
 	sigchain_push_common(remove_junk_on_signal);
@@ -1166,6 +1168,7 @@ int cmd_clone(int argc, const char **argv, const char *prefix)
 	transport->family = family;
 
 	path = get_repo_path(remote->url[0], &is_bundle);
+	UNLEAK(path);
 	is_local = option_local != 0 && path && !is_bundle;
 	if (is_local) {
 		if (option_depth)
@@ -1336,5 +1339,11 @@ int cmd_clone(int argc, const char **argv, const char *prefix)
 	junk_mode = JUNK_LEAVE_ALL;
 
 	strvec_clear(&ref_prefixes);
+
+	UNLEAK(remote_head_points_at);
+	UNLEAK(refs);
+	UNLEAK(mapped_refs);
+	UNLEAK(repo);
+
 	return err;
 }
diff --git a/builtin/init-db.c b/builtin/init-db.c
index f70076d38e..04087ed7e6 100644
--- a/builtin/init-db.c
+++ b/builtin/init-db.c
@@ -665,6 +665,7 @@ int cmd_init_db(int argc, const char **argv, const char *prefix)
 	UNLEAK(real_git_dir);
 	UNLEAK(git_dir);
 	UNLEAK(work_tree);
+	UNLEAK(template_dir);
 
 	flags |= INIT_DB_EXIST_OK;
 	return init_db(git_dir, real_git_dir, template_dir, hash_algo,
diff --git a/builtin/rev-list.c b/builtin/rev-list.c
index f520111eda..71c92f6747 100644
--- a/builtin/rev-list.c
+++ b/builtin/rev-list.c
@@ -506,6 +506,7 @@ int cmd_rev_list(int argc, const char **argv, const char *prefix)
 		revs.do_not_die_on_missing_tree = 1;
 
 	argc = setup_revisions(argc, argv, &revs, &s_r_opt);
+	UNLEAK(revs);
 
 	memset(&info, 0, sizeof(info));
 	info.revs = &revs;
diff --git a/builtin/submodule--helper.c b/builtin/submodule--helper.c
index a59d8e4bda..850c8ff966 100644
--- a/builtin/submodule--helper.c
+++ b/builtin/submodule--helper.c
@@ -734,6 +734,7 @@ static int module_init(int argc, const char **argv, const char *prefix)
 		info.flags |= OPT_QUIET;
 
 	for_each_listed_submodule(&list, init_submodule_cb, &info);
+	UNLEAK(list);
 
 	return 0;
 }
@@ -1874,6 +1875,8 @@ static int update_submodules(struct submodule_update_clone *suc)
 				   update_clone_task_finished, suc, "submodule",
 				   "parallel/update");
 
+	UNLEAK(*suc);
+
 	/*
 	 * We saved the output and put it out all at once now.
 	 * That means:
@@ -2133,6 +2136,7 @@ static int ensure_core_worktree(int argc, const char **argv, const char *prefix)
 		strbuf_release(&sb);
 	}
 
+	repo_clear(&subrepo);
 	return 0;
 }
 
diff --git a/parse-options.c b/parse-options.c
index c57618d537..b87cb3d70a 100644
--- a/parse-options.c
+++ b/parse-options.c
@@ -675,6 +675,7 @@ static struct option *preprocess_options(struct parse_opt_ctx_t *ctx,
 			newopt[i].short_name = short_name;
 			newopt[i].long_name = long_name;
 			newopt[i].help = strbuf_detach(&help, NULL);
+			UNLEAK(newopt[i].help);
 			break;
 		}
 
diff --git a/wt-status.c b/wt-status.c
index d75399085d..7f605958f2 100644
--- a/wt-status.c
+++ b/wt-status.c
@@ -616,6 +616,7 @@ static void wt_status_collect_changes_worktree(struct wt_status *s)
 	rev.diffopt.rename_score = s->rename_score >= 0 ? s->rename_score : rev.diffopt.rename_score;
 	copy_pathspec(&rev.prune_data, &s->pathspec);
 	run_diff_files(&rev, 0);
+	UNLEAK(rev);
 }
 
 static void wt_status_collect_changes_index(struct wt_status *s)
@@ -627,6 +628,7 @@ static void wt_status_collect_changes_index(struct wt_status *s)
 	memset(&opt, 0, sizeof(opt));
 	opt.def = s->is_initial ? empty_tree_oid_hex() : s->reference;
 	setup_revisions(0, NULL, &rev, &opt);
+	UNLEAK(rev);
 
 	rev.diffopt.flags.override_submodule_config = 1;
 	rev.diffopt.ita_invisible_in_index = 1;
@@ -652,6 +654,7 @@ static void wt_status_collect_changes_index(struct wt_status *s)
 	rev.diffopt.rename_score = s->rename_score >= 0 ? s->rename_score : rev.diffopt.rename_score;
 	copy_pathspec(&rev.prune_data, &s->pathspec);
 	run_diff_index(&rev, 1);
+	UNLEAK(rev);
 }
 
 static void wt_status_collect_changes_initial(struct wt_status *s)
-- 
2.28.0.596.g9c08d63829

Re: [PATCH 0/6] more small leak fixes

[Jeff King]

On Fri, Aug 14, 2020 at 12:25:25PM -0400, Jeff King wrote:

> On Fri, Aug 14, 2020 at 12:13:28PM -0400, Jeff King wrote:
> 
> > Based on the discussion over in [1], I wondered how close we were to
> > being able to run some test scripts with a leak-checker like LSan not
> > complaining. The answer is...not close.
> > 
> > I picked t5526 more or less at random (it was the first failure when I
> > did a parallel "make test") to see what it would take to get it passing.
> > After much effort...I have t5526.1, the setup test, running clean. :)
> 
> For reference, here are the UNLEAK() calls I had to add to silence the
> false positives. Some of these are kind of sketchy. For example,
> declaring that wt_status_collect_changes_index() is allowed to leak is a
> bit low-level for my tastes (in general it's probably only called once
> per program, but it's getting quite far from the bottom of the stack).
> But there's actually no convenient way to free the various bits of a
> rev_info, so marking it with UNLEAK() is an expedient hack.

And by the way, having gone through this exercise, I'm re-convinced that
UNLEAK() is reasonable to keep. A lot of these cases would have been
very awkward with free(). Not insurmountable, but cases where a variable
is sometimes-allocated and sometimes-not get rather tricky.

-Peff

Re: [PATCH 4/6] config: drop git_config_get_string_const()

[Junio C Hamano]

Jeff King <peff@peff.net> writes:

> As evidenced by the leak fixes in the previous commit, the "const" in
> git_config_get_string_const() clearly misleads people into thinking that
> it does not allocate a copy of the string. We can fix this by renaming
> it, but it's easier still to just drop it.

This turns out to be a bit more painful than I imagined.

Do we want to do the same with repo_config_get_string_const(), by
the way?  Which would open the wound even wider, but may be worth
doing for consistency.

Re: [PATCH 4/6] config: drop git_config_get_string_const()

[Jeff King]

On Fri, Aug 14, 2020 at 01:21:32PM -0700, Junio C Hamano wrote:

> Jeff King <peff@peff.net> writes:
> 
> > As evidenced by the leak fixes in the previous commit, the "const" in
> > git_config_get_string_const() clearly misleads people into thinking that
> > it does not allocate a copy of the string. We can fix this by renaming
> > it, but it's easier still to just drop it.
> 
> This turns out to be a bit more painful than I imagined.
> 
> Do we want to do the same with repo_config_get_string_const(), by
> the way?  Which would open the wound even wider, but may be worth
> doing for consistency.

Whoops, I actually meant to do so (and made sure we didn't have any
callers) but forgot to actually include it in patch 4. It doesn't make
any sense to keep those other variants.

The diff is pretty straightforward (see below). I'll include it in a
re-roll (squashed into patch 4), but will wait for any other comments.

It doesn't look like there's any extra fallout from merging this with
"seen".

diff --git a/config.c b/config.c
index 8bb1945aa9..f0367c76ad 100644
--- a/config.c
+++ b/config.c
@@ -2006,20 +2006,15 @@ const struct string_list *git_configset_get_value_multi(struct config_set *cs, c
 	return e ? &e->value_list : NULL;
 }
 
-int git_configset_get_string_const(struct config_set *cs, const char *key, const char **dest)
+int git_configset_get_string(struct config_set *cs, const char *key, char **dest)
 {
 	const char *value;
 	if (!git_configset_get_value(cs, key, &value))
-		return git_config_string(dest, key, value);
+		return git_config_string((const char **)dest, key, value);
 	else
 		return 1;
 }
 
-int git_configset_get_string(struct config_set *cs, const char *key, char **dest)
-{
-	return git_configset_get_string_const(cs, key, (const char **)dest);
-}
-
 int git_configset_get_string_tmp(struct config_set *cs, const char *key,
 				 const char **dest)
 {
@@ -2161,24 +2156,17 @@ const struct string_list *repo_config_get_value_multi(struct repository *repo,
 	return git_configset_get_value_multi(repo->config, key);
 }
 
-int repo_config_get_string_const(struct repository *repo,
-				 const char *key, const char **dest)
+int repo_config_get_string(struct repository *repo,
+			   const char *key, char **dest)
 {
 	int ret;
 	git_config_check_init(repo);
-	ret = git_configset_get_string_const(repo->config, key, dest);
+	ret = git_configset_get_string(repo->config, key, dest);
 	if (ret < 0)
 		git_die_config(key, NULL);
 	return ret;
 }
 
-int repo_config_get_string(struct repository *repo,
-			   const char *key, char **dest)
-{
-	git_config_check_init(repo);
-	return repo_config_get_string_const(repo, key, (const char **)dest);
-}
-
 int repo_config_get_string_tmp(struct repository *repo,
 			       const char *key, const char **dest)
 {
diff --git a/config.h b/config.h
index d4d22c34c6..91cdfbfb41 100644
--- a/config.h
+++ b/config.h
@@ -458,7 +458,6 @@ void git_configset_clear(struct config_set *cs);
  */
 int git_configset_get_value(struct config_set *cs, const char *key, const char **dest);
 
-int git_configset_get_string_const(struct config_set *cs, const char *key, const char **dest);
 int git_configset_get_string(struct config_set *cs, const char *key, char **dest);
 int git_configset_get_string_tmp(struct config_set *cs, const char *key, const char **dest);
 int git_configset_get_int(struct config_set *cs, const char *key, int *dest);
@@ -475,8 +474,6 @@ int repo_config_get_value(struct repository *repo,
 			  const char *key, const char **value);
 const struct string_list *repo_config_get_value_multi(struct repository *repo,
 						      const char *key);
-int repo_config_get_string_const(struct repository *repo,
-				 const char *key, const char **dest);
 int repo_config_get_string(struct repository *repo,
 			   const char *key, char **dest);
 int repo_config_get_string_tmp(struct repository *repo,

Re: [PATCH 4/6] config: drop git_config_get_string_const()

[Junio C Hamano]

Jeff King <peff@peff.net> writes:

> Whoops, I actually meant to do so (and made sure we didn't have any
> callers) but forgot to actually include it in patch 4. It doesn't make
> any sense to keep those other variants.
>
> The diff is pretty straightforward (see below). I'll include it in a
> re-roll (squashed into patch 4), but will wait for any other comments.
>
> It doesn't look like there's any extra fallout from merging this with
> "seen".

OK, thanks.

>
> diff --git a/config.c b/config.c
> index 8bb1945aa9..f0367c76ad 100644
> --- a/config.c
> +++ b/config.c
> @@ -2006,20 +2006,15 @@ const struct string_list *git_configset_get_value_multi(struct config_set *cs, c
>  	return e ? &e->value_list : NULL;
>  }
>  
> -int git_configset_get_string_const(struct config_set *cs, const char *key, const char **dest)
> +int git_configset_get_string(struct config_set *cs, const char *key, char **dest)
>  {
>  	const char *value;
>  	if (!git_configset_get_value(cs, key, &value))
> -		return git_config_string(dest, key, value);
> +		return git_config_string((const char **)dest, key, value);
>  	else
>  		return 1;
>  }
>  
> -int git_configset_get_string(struct config_set *cs, const char *key, char **dest)
> -{
> -	return git_configset_get_string_const(cs, key, (const char **)dest);
> -}
> -
>  int git_configset_get_string_tmp(struct config_set *cs, const char *key,
>  				 const char **dest)
>  {
> @@ -2161,24 +2156,17 @@ const struct string_list *repo_config_get_value_multi(struct repository *repo,
>  	return git_configset_get_value_multi(repo->config, key);
>  }
>  
> -int repo_config_get_string_const(struct repository *repo,
> -				 const char *key, const char **dest)
> +int repo_config_get_string(struct repository *repo,
> +			   const char *key, char **dest)
>  {
>  	int ret;
>  	git_config_check_init(repo);
> -	ret = git_configset_get_string_const(repo->config, key, dest);
> +	ret = git_configset_get_string(repo->config, key, dest);
>  	if (ret < 0)
>  		git_die_config(key, NULL);
>  	return ret;
>  }
>  
> -int repo_config_get_string(struct repository *repo,
> -			   const char *key, char **dest)
> -{
> -	git_config_check_init(repo);
> -	return repo_config_get_string_const(repo, key, (const char **)dest);
> -}
> -
>  int repo_config_get_string_tmp(struct repository *repo,
>  			       const char *key, const char **dest)
>  {
> diff --git a/config.h b/config.h
> index d4d22c34c6..91cdfbfb41 100644
> --- a/config.h
> +++ b/config.h
> @@ -458,7 +458,6 @@ void git_configset_clear(struct config_set *cs);
>   */
>  int git_configset_get_value(struct config_set *cs, const char *key, const char **dest);
>  
> -int git_configset_get_string_const(struct config_set *cs, const char *key, const char **dest);
>  int git_configset_get_string(struct config_set *cs, const char *key, char **dest);
>  int git_configset_get_string_tmp(struct config_set *cs, const char *key, const char **dest);
>  int git_configset_get_int(struct config_set *cs, const char *key, int *dest);
> @@ -475,8 +474,6 @@ int repo_config_get_value(struct repository *repo,
>  			  const char *key, const char **value);
>  const struct string_list *repo_config_get_value_multi(struct repository *repo,
>  						      const char *key);
> -int repo_config_get_string_const(struct repository *repo,
> -				 const char *key, const char **dest);
>  int repo_config_get_string(struct repository *repo,
>  			   const char *key, char **dest);
>  int repo_config_get_string_tmp(struct repository *repo,

[PATCH v2 0/7] leak fixes

[Jeff King]

On Fri, Aug 14, 2020 at 12:13:28PM -0400, Jeff King wrote:

> There were quite a few false positives, but it did actually uncover some
> legitimate leaks. This series fixes those. I did it independently of the
> leak-fix in [2], but it would be fine to just lump it all together as
> one topic.

Here's a re-roll that drops the repo_config_get_string_const() and
git_configset_get_string_const() helpers in patch 4, as noticed by
Junio. That's the only patch with changes (range-diff below).

(I also rolled in the earlier leak-fix as "patch 1", which matches what
got queued in jk/leakfix).

  [1/7]: clear_pattern_list(): clear embedded hashmaps
  [2/7]: submodule--helper: use strbuf_release() to free strbufs
  [3/7]: checkout: fix leak of non-existent branch names
  [4/7]: config: fix leaks from git_config_get_string_const()
  [5/7]: config: drop git_config_get_string_const()
  [6/7]: config: fix leak in git_config_get_expiry_in_days()
  [7/7]: submodule--helper: fix leak of core.worktree value

 Documentation/MyFirstContribution.txt |  4 +--
 apply.c                               |  4 +--
 builtin/checkout.c                    |  4 ++-
 builtin/fetch.c                       |  2 +-
 builtin/submodule--helper.c           | 16 ++++-----
 cache.h                               |  4 +--
 checkout.c                            |  3 +-
 config.c                              | 47 +++++++++++++++++----------
 config.h                              | 15 +++++----
 connect.c                             |  4 +--
 dir.c                                 |  2 ++
 editor.c                              |  2 +-
 environment.c                         |  4 +--
 help.c                                |  2 +-
 protocol.c                            |  2 +-
 submodule.c                           |  4 +--
 t/helper/test-config.c                |  2 +-
 17 files changed, 69 insertions(+), 52 deletions(-)

1:  7a878fa4d3 = 1:  24248d0203 clear_pattern_list(): clear embedded hashmaps
2:  84d8edd867 = 2:  5bdbb11601 submodule--helper: use strbuf_release() to free strbufs
3:  76ae8ffb83 = 3:  44f3539461 checkout: fix leak of non-existent branch names
4:  e8f85a47ff = 4:  b1b5444ca1 config: fix leaks from git_config_get_string_const()
5:  9875ddeab3 ! 5:  a82f9724b6 config: drop git_config_get_string_const()
    @@ Commit message
         can swap that call out for the non-allocating "tmp" variant, which fits
         well in the example given.
     
    +    We'll drop the "configset" and "repo" variants, as well (which are
    +    unused).
    +
         Note that this frees up the "const" name, so we could rename the "tmp"
         variant back to that. But let's give some time for topics in flight to
         adapt to the new code before doing so (if we do it too soon, the
    @@ checkout.c: const char *unique_tracking_name(const char *name, struct object_id
      		free(cb_data.default_dst_oid);
     
      ## config.c ##
    +@@ config.c: const struct string_list *git_configset_get_value_multi(struct config_set *cs, c
    + 	return e ? &e->value_list : NULL;
    + }
    + 
    +-int git_configset_get_string_const(struct config_set *cs, const char *key, const char **dest)
    ++int git_configset_get_string(struct config_set *cs, const char *key, char **dest)
    + {
    + 	const char *value;
    + 	if (!git_configset_get_value(cs, key, &value))
    +-		return git_config_string(dest, key, value);
    ++		return git_config_string((const char **)dest, key, value);
    + 	else
    + 		return 1;
    + }
    + 
    +-int git_configset_get_string(struct config_set *cs, const char *key, char **dest)
    +-{
    +-	return git_configset_get_string_const(cs, key, (const char **)dest);
    +-}
    +-
    + int git_configset_get_string_tmp(struct config_set *cs, const char *key,
    + 				 const char **dest)
    + {
    +@@ config.c: const struct string_list *repo_config_get_value_multi(struct repository *repo,
    + 	return git_configset_get_value_multi(repo->config, key);
    + }
    + 
    +-int repo_config_get_string_const(struct repository *repo,
    +-				 const char *key, const char **dest)
    ++int repo_config_get_string(struct repository *repo,
    ++			   const char *key, char **dest)
    + {
    + 	int ret;
    + 	git_config_check_init(repo);
    +-	ret = git_configset_get_string_const(repo->config, key, dest);
    ++	ret = git_configset_get_string(repo->config, key, dest);
    + 	if (ret < 0)
    + 		git_die_config(key, NULL);
    + 	return ret;
    + }
    + 
    +-int repo_config_get_string(struct repository *repo,
    +-			   const char *key, char **dest)
    +-{
    +-	git_config_check_init(repo);
    +-	return repo_config_get_string_const(repo, key, (const char **)dest);
    +-}
    +-
    + int repo_config_get_string_tmp(struct repository *repo,
    + 			       const char *key, const char **dest)
    + {
     @@ config.c: const struct string_list *git_config_get_value_multi(const char *key)
      	return repo_config_get_value_multi(the_repository, key);
      }
    @@ config.c: int git_config_get_pathname(const char *key, const char **dest)
      	if (strcmp(*output, "now")) {
     
      ## config.h ##
    +@@ config.h: void git_configset_clear(struct config_set *cs);
    +  */
    + int git_configset_get_value(struct config_set *cs, const char *key, const char **dest);
    + 
    +-int git_configset_get_string_const(struct config_set *cs, const char *key, const char **dest);
    + int git_configset_get_string(struct config_set *cs, const char *key, char **dest);
    + int git_configset_get_string_tmp(struct config_set *cs, const char *key, const char **dest);
    + int git_configset_get_int(struct config_set *cs, const char *key, int *dest);
    +@@ config.h: int repo_config_get_value(struct repository *repo,
    + 			  const char *key, const char **value);
    + const struct string_list *repo_config_get_value_multi(struct repository *repo,
    + 						      const char *key);
    +-int repo_config_get_string_const(struct repository *repo,
    +-				 const char *key, const char **dest);
    + int repo_config_get_string(struct repository *repo,
    + 			   const char *key, char **dest);
    + int repo_config_get_string_tmp(struct repository *repo,
     @@ config.h: void git_config_clear(void);
       * error message and returns -1. When the configuration variable `key` is
       * not found, returns 1 without touching `dest`.
6:  ee69df55de = 6:  7eefd80257 config: fix leak in git_config_get_expiry_in_days()
7:  c4fd15a2ac = 7:  feb66301fc submodule--helper: fix leak of core.worktree value

[PATCH v2 1/7] clear_pattern_list(): clear embedded hashmaps

[Jeff King]

Commit 96cc8ab531 (sparse-checkout: use hashmaps for cone patterns,
2019-11-21) added some auxiliary hashmaps to the pattern_list struct,
but they're leaked when clear_pattern_list() is called.

Signed-off-by: Jeff King <peff@peff.net>
---
 dir.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/dir.c b/dir.c
index fe64be30ed..9411b94e9b 100644
--- a/dir.c
+++ b/dir.c
@@ -916,6 +916,8 @@ void clear_pattern_list(struct pattern_list *pl)
 		free(pl->patterns[i]);
 	free(pl->patterns);
 	free(pl->filebuf);
+	hashmap_free_entries(&pl->recursive_hashmap, struct pattern_entry, ent);
+	hashmap_free_entries(&pl->parent_hashmap, struct pattern_entry, ent);
 
 	memset(pl, 0, sizeof(*pl));
 }
-- 
2.28.0.605.g35fde94f44

[PATCH v2 2/7] submodule--helper: use strbuf_release() to free strbufs

[Jeff King]

The prepare_to_clone_next_submodule() function has a few local-variable
strbufs. We use strbuf_reset() throughout the function to reuse the
buffers over and over. But at the end of the function we also use
strbuf_reset() as they go out of scope, which means we end up leaking
their heap buffers. This should be strbuf_release() instead.

These were introduced by 48308681b0 (git submodule update: have a
dedicated helper for cloning, 2016-02-29), but it doesn't seem to have
the same mistake elsewhere. Likewise, I looked for other instances of
the pattern in the submodule--helper file but couldn't find any.

Signed-off-by: Jeff King <peff@peff.net>
---
 builtin/submodule--helper.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/builtin/submodule--helper.c b/builtin/submodule--helper.c
index df135abbf1..1762458345 100644
--- a/builtin/submodule--helper.c
+++ b/builtin/submodule--helper.c
@@ -1747,8 +1747,8 @@ static int prepare_to_clone_next_submodule(const struct cache_entry *ce,
 					      "--no-single-branch");
 
 cleanup:
-	strbuf_reset(&displaypath_sb);
-	strbuf_reset(&sb);
+	strbuf_release(&displaypath_sb);
+	strbuf_release(&sb);
 	if (need_free_url)
 		free((void*)url);
 
-- 
2.28.0.605.g35fde94f44

[PATCH v2 3/7] checkout: fix leak of non-existent branch names

[Jeff King]

We unconditionally write a branch name into a newly allocated buffer in
new_branch_info->path, via setup_branch_path(). We then check to see if
the branch exists; if not, we set that field to NULL, leaking the
memory. We should take care to free() it when doing so.

Signed-off-by: Jeff King <peff@peff.net>
---
 builtin/checkout.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/builtin/checkout.c b/builtin/checkout.c
index 2837195491..bba64108af 100644
--- a/builtin/checkout.c
+++ b/builtin/checkout.c
@@ -1120,8 +1120,10 @@ static void setup_new_branch_info_and_source_tree(
 	if (!check_refname_format(new_branch_info->path, 0) &&
 	    !read_ref(new_branch_info->path, &branch_rev))
 		oidcpy(rev, &branch_rev);
-	else
+	else {
+		free((char *)new_branch_info->path);
 		new_branch_info->path = NULL; /* not an existing branch */
+	}
 
 	new_branch_info->commit = lookup_commit_reference_gently(the_repository, rev, 1);
 	if (!new_branch_info->commit) {
-- 
2.28.0.605.g35fde94f44

[PATCH v2 4/7] config: fix leaks from git_config_get_string_const()

[Jeff King]

There are two functions to get a single config string:

  - git_config_get_string()

  - git_config_get_string_const()

One might naively think that the first one allocates a new string and
the second one just points us to the internal configset storage. But
in fact they both allocate a new copy; the second one exists only to
avoid having to cast when using it with a const global which we never
intend to free.

The documentation for the function explains that clearly, but it seems
I'm not alone in being surprised by this. Of 17 calls to the function,
13 of them leak the resulting value.

We could obviously fix these by adding the appropriate free(). But it
would be simpler still if we actually had a non-allocating way to get
the string. There's git_config_get_value() but that doesn't quite do
what we want. If the config key is present but is a boolean with no
value (e.g., "[foo]bar" in the file), then we'll get NULL (whereas the
string versions will print an error and die).

So let's introduce a new variant, git_config_get_string_tmp(), that
behaves as these callers expect. We need a new name because we have new
semantics but the same function signature (so even if we converted the
four remaining callers, topics in flight might be surprised). The "tmp"
is because this value should only be held onto for a short time. In
practice it's rare for us to clear and refresh the configset,
invalidating the pointer, but hopefully the "tmp" makes callers think
about the lifetime. In each of the converted cases here the value only
needs to last within the local function or its immediate caller.

Signed-off-by: Jeff King <peff@peff.net>
---
 builtin/fetch.c             |  2 +-
 builtin/submodule--helper.c |  8 ++++----
 config.c                    | 30 ++++++++++++++++++++++++++++++
 config.h                    | 10 ++++++++++
 connect.c                   |  4 ++--
 editor.c                    |  2 +-
 help.c                      |  2 +-
 protocol.c                  |  2 +-
 submodule.c                 |  4 ++--
 t/helper/test-config.c      |  2 +-
 10 files changed, 53 insertions(+), 13 deletions(-)

diff --git a/builtin/fetch.c b/builtin/fetch.c
index c49f0e9752..b3b77f8e2b 100644
--- a/builtin/fetch.c
+++ b/builtin/fetch.c
@@ -645,7 +645,7 @@ static void prepare_format_display(struct ref *ref_map)
 	struct ref *rm;
 	const char *format = "full";
 
-	git_config_get_string_const("fetch.output", &format);
+	git_config_get_string_tmp("fetch.output", &format);
 	if (!strcasecmp(format, "full"))
 		compact_format = 0;
 	else if (!strcasecmp(format, "compact"))
diff --git a/builtin/submodule--helper.c b/builtin/submodule--helper.c
index 1762458345..e09605716e 100644
--- a/builtin/submodule--helper.c
+++ b/builtin/submodule--helper.c
@@ -1511,7 +1511,7 @@ static void determine_submodule_update_strategy(struct repository *r,
 		if (parse_submodule_update_strategy(update, out) < 0)
 			die(_("Invalid update mode '%s' for submodule path '%s'"),
 				update, path);
-	} else if (!repo_config_get_string_const(r, key, &val)) {
+	} else if (!repo_config_get_string_tmp(r, key, &val)) {
 		if (parse_submodule_update_strategy(val, out) < 0)
 			die(_("Invalid update mode '%s' configured for submodule path '%s'"),
 				val, path);
@@ -1667,7 +1667,7 @@ static int prepare_to_clone_next_submodule(const struct cache_entry *ce,
 	}
 
 	key = xstrfmt("submodule.%s.update", sub->name);
-	if (!repo_config_get_string_const(the_repository, key, &update_string)) {
+	if (!repo_config_get_string_tmp(the_repository, key, &update_string)) {
 		update_type = parse_submodule_update_type(update_string);
 	} else {
 		update_type = sub->update_strategy.type;
@@ -1690,7 +1690,7 @@ static int prepare_to_clone_next_submodule(const struct cache_entry *ce,
 
 	strbuf_reset(&sb);
 	strbuf_addf(&sb, "submodule.%s.url", sub->name);
-	if (repo_config_get_string_const(the_repository, sb.buf, &url)) {
+	if (repo_config_get_string_tmp(the_repository, sb.buf, &url)) {
 		if (starts_with_dot_slash(sub->url) ||
 		    starts_with_dot_dot_slash(sub->url)) {
 			url = compute_submodule_clone_url(sub->url);
@@ -1976,7 +1976,7 @@ static const char *remote_submodule_branch(const char *path)
 		return NULL;
 
 	key = xstrfmt("submodule.%s.branch", sub->name);
-	if (repo_config_get_string_const(the_repository, key, &branch))
+	if (repo_config_get_string_tmp(the_repository, key, &branch))
 		branch = sub->branch;
 	free(key);
 
diff --git a/config.c b/config.c
index 2b79fe76ad..2f244c67b6 100644
--- a/config.c
+++ b/config.c
@@ -2020,6 +2020,20 @@ int git_configset_get_string(struct config_set *cs, const char *key, char **dest
 	return git_configset_get_string_const(cs, key, (const char **)dest);
 }
 
+int git_configset_get_string_tmp(struct config_set *cs, const char *key,
+				 const char **dest)
+{
+	const char *value;
+	if (!git_configset_get_value(cs, key, &value)) {
+		if (!value)
+			return config_error_nonbool(key);
+		*dest = value;
+		return 0;
+	} else {
+		return 1;
+	}
+}
+
 int git_configset_get_int(struct config_set *cs, const char *key, int *dest)
 {
 	const char *value;
@@ -2165,6 +2179,17 @@ int repo_config_get_string(struct repository *repo,
 	return repo_config_get_string_const(repo, key, (const char **)dest);
 }
 
+int repo_config_get_string_tmp(struct repository *repo,
+			       const char *key, const char **dest)
+{
+	int ret;
+	git_config_check_init(repo);
+	ret = git_configset_get_string_tmp(repo->config, key, dest);
+	if (ret < 0)
+		git_die_config(key, NULL);
+	return ret;
+}
+
 int repo_config_get_int(struct repository *repo,
 			const char *key, int *dest)
 {
@@ -2242,6 +2267,11 @@ int git_config_get_string(const char *key, char **dest)
 	return repo_config_get_string(the_repository, key, dest);
 }
 
+int git_config_get_string_tmp(const char *key, const char **dest)
+{
+	return repo_config_get_string_tmp(the_repository, key, dest);
+}
+
 int git_config_get_int(const char *key, int *dest)
 {
 	return repo_config_get_int(the_repository, key, dest);
diff --git a/config.h b/config.h
index 060874488f..a75b22e0d1 100644
--- a/config.h
+++ b/config.h
@@ -460,6 +460,7 @@ int git_configset_get_value(struct config_set *cs, const char *key, const char *
 
 int git_configset_get_string_const(struct config_set *cs, const char *key, const char **dest);
 int git_configset_get_string(struct config_set *cs, const char *key, char **dest);
+int git_configset_get_string_tmp(struct config_set *cs, const char *key, const char **dest);
 int git_configset_get_int(struct config_set *cs, const char *key, int *dest);
 int git_configset_get_ulong(struct config_set *cs, const char *key, unsigned long *dest);
 int git_configset_get_bool(struct config_set *cs, const char *key, int *dest);
@@ -478,6 +479,8 @@ int repo_config_get_string_const(struct repository *repo,
 				 const char *key, const char **dest);
 int repo_config_get_string(struct repository *repo,
 			   const char *key, char **dest);
+int repo_config_get_string_tmp(struct repository *repo,
+			       const char *key, const char **dest);
 int repo_config_get_int(struct repository *repo,
 			const char *key, int *dest);
 int repo_config_get_ulong(struct repository *repo,
@@ -537,6 +540,13 @@ int git_config_get_string_const(const char *key, const char **dest);
  */
 int git_config_get_string(const char *key, char **dest);
 
+/**
+ * Similar to `git_config_get_string_const`, but does not allocate any new
+ * memory; on success `dest` will point to memory owned by the config
+ * machinery, which could be invalidated if it is discarded and reloaded.
+ */
+int git_config_get_string_tmp(const char *key, const char **dest);
+
 /**
  * Finds and parses the value to an integer for the configuration variable
  * `key`. Dies on error; otherwise, stores the value of the parsed integer in
diff --git a/connect.c b/connect.c
index 0b6aba177e..8b8f56cf6d 100644
--- a/connect.c
+++ b/connect.c
@@ -1052,7 +1052,7 @@ static const char *get_ssh_command(void)
 	if ((ssh = getenv("GIT_SSH_COMMAND")))
 		return ssh;
 
-	if (!git_config_get_string_const("core.sshcommand", &ssh))
+	if (!git_config_get_string_tmp("core.sshcommand", &ssh))
 		return ssh;
 
 	return NULL;
@@ -1071,7 +1071,7 @@ static void override_ssh_variant(enum ssh_variant *ssh_variant)
 {
 	const char *variant = getenv("GIT_SSH_VARIANT");
 
-	if (!variant && git_config_get_string_const("ssh.variant", &variant))
+	if (!variant && git_config_get_string_tmp("ssh.variant", &variant))
 		return;
 
 	if (!strcmp(variant, "auto"))
diff --git a/editor.c b/editor.c
index 91989ee8a1..6303ae0ab0 100644
--- a/editor.c
+++ b/editor.c
@@ -40,7 +40,7 @@ const char *git_sequence_editor(void)
 	const char *editor = getenv("GIT_SEQUENCE_EDITOR");
 
 	if (!editor)
-		git_config_get_string_const("sequence.editor", &editor);
+		git_config_get_string_tmp("sequence.editor", &editor);
 	if (!editor)
 		editor = git_editor();
 
diff --git a/help.c b/help.c
index d478afb2af..4e2468a44d 100644
--- a/help.c
+++ b/help.c
@@ -375,7 +375,7 @@ void list_cmds_by_config(struct string_list *list)
 {
 	const char *cmd_list;
 
-	if (git_config_get_string_const("completion.commands", &cmd_list))
+	if (git_config_get_string_tmp("completion.commands", &cmd_list))
 		return;
 
 	string_list_sort(list);
diff --git a/protocol.c b/protocol.c
index d1dd3424bb..8d964fc65e 100644
--- a/protocol.c
+++ b/protocol.c
@@ -21,7 +21,7 @@ enum protocol_version get_protocol_version_config(void)
 	const char *git_test_k = "GIT_TEST_PROTOCOL_VERSION";
 	const char *git_test_v;
 
-	if (!git_config_get_string_const("protocol.version", &value)) {
+	if (!git_config_get_string_tmp("protocol.version", &value)) {
 		enum protocol_version version = parse_protocol_version(value);
 
 		if (version == protocol_unknown_version)
diff --git a/submodule.c b/submodule.c
index a52b93a87f..d0b70ca536 100644
--- a/submodule.c
+++ b/submodule.c
@@ -194,7 +194,7 @@ void set_diffopt_flags_from_submodule_config(struct diff_options *diffopt,
 		char *key;
 
 		key = xstrfmt("submodule.%s.ignore", submodule->name);
-		if (repo_config_get_string_const(the_repository, key, &ignore))
+		if (repo_config_get_string_tmp(the_repository, key, &ignore))
 			ignore = submodule->ignore;
 		free(key);
 
@@ -1299,7 +1299,7 @@ static int get_fetch_recurse_config(const struct submodule *submodule,
 
 		int fetch_recurse = submodule->fetch_recurse;
 		key = xstrfmt("submodule.%s.fetchRecurseSubmodules", submodule->name);
-		if (!repo_config_get_string_const(spf->r, key, &value)) {
+		if (!repo_config_get_string_tmp(spf->r, key, &value)) {
 			fetch_recurse = parse_fetch_recurse_submodules_arg(key, value);
 		}
 		free(key);
diff --git a/t/helper/test-config.c b/t/helper/test-config.c
index 234c722b48..a6e936721f 100644
--- a/t/helper/test-config.c
+++ b/t/helper/test-config.c
@@ -126,7 +126,7 @@ int cmd__config(int argc, const char **argv)
 			goto exit1;
 		}
 	} else if (argc == 3 && !strcmp(argv[1], "get_string")) {
-		if (!git_config_get_string_const(argv[2], &v)) {
+		if (!git_config_get_string_tmp(argv[2], &v)) {
 			printf("%s\n", v);
 			goto exit0;
 		} else {
-- 
2.28.0.605.g35fde94f44

[PATCH v2 5/7] config: drop git_config_get_string_const()

[Jeff King]

As evidenced by the leak fixes in the previous commit, the "const" in
git_config_get_string_const() clearly misleads people into thinking that
it does not allocate a copy of the string. We can fix this by renaming
it, but it's easier still to just drop it. Of the four remaining
callers:

  - The one in git_config_parse_expiry() still needs to allocate, since
    that's what its callers expect. We can just use the non-const
    version and cast our pointer. Slightly ugly, but the damage is
    contained in one spot.

  - The two in apply are writing to global "const char *" variables, and
    need to continue allocating. We often mark these as const because we
    assign default string literals to them. But in this case we don't do
    that, so we can just declare them as real "char *" pointers and use
    the non-const version.

  - The call in checkout doesn't actually need a copy; it can just use
    the non-allocating "tmp" version of the function.

The function is also mentioned in the MyFirstContribution document. We
can swap that call out for the non-allocating "tmp" variant, which fits
well in the example given.

We'll drop the "configset" and "repo" variants, as well (which are
unused).

Note that this frees up the "const" name, so we could rename the "tmp"
variant back to that. But let's give some time for topics in flight to
adapt to the new code before doing so (if we do it too soon, the
function semantics will change but the compiler won't alert us).

Signed-off-by: Jeff King <peff@peff.net>
---
 Documentation/MyFirstContribution.txt |  4 ++--
 apply.c                               |  4 ++--
 cache.h                               |  4 ++--
 checkout.c                            |  3 +--
 config.c                              | 29 ++++++---------------------
 config.h                              | 11 +---------
 environment.c                         |  4 ++--
 7 files changed, 16 insertions(+), 43 deletions(-)

diff --git a/Documentation/MyFirstContribution.txt b/Documentation/MyFirstContribution.txt
index d85c9b5143..4f85a089ef 100644
--- a/Documentation/MyFirstContribution.txt
+++ b/Documentation/MyFirstContribution.txt
@@ -319,14 +319,14 @@ function body:
 ...
 
 	git_config(git_default_config, NULL);
-	if (git_config_get_string_const("user.name", &cfg_name) > 0)
+	if (git_config_get_string_tmp("user.name", &cfg_name) > 0)
 		printf(_("No name is found in config\n"));
 	else
 		printf(_("Your name: %s\n"), cfg_name);
 ----
 
 `git_config()` will grab the configuration from config files known to Git and
-apply standard precedence rules. `git_config_get_string_const()` will look up
+apply standard precedence rules. `git_config_get_string_tmp()` will look up
 a specific key ("user.name") and give you the value. There are a number of
 single-key lookup functions like this one; you can see them all (and more info
 about how to use `git_config()`) in `Documentation/technical/api-config.txt`.
diff --git a/apply.c b/apply.c
index 402d80602a..2839dae029 100644
--- a/apply.c
+++ b/apply.c
@@ -30,8 +30,8 @@ struct gitdiff_data {
 
 static void git_apply_config(void)
 {
-	git_config_get_string_const("apply.whitespace", &apply_default_whitespace);
-	git_config_get_string_const("apply.ignorewhitespace", &apply_default_ignorewhitespace);
+	git_config_get_string("apply.whitespace", &apply_default_whitespace);
+	git_config_get_string("apply.ignorewhitespace", &apply_default_ignorewhitespace);
 	git_config(git_xmerge_config, NULL);
 }
 
diff --git a/cache.h b/cache.h
index 0290849c19..4cad61ffa4 100644
--- a/cache.h
+++ b/cache.h
@@ -921,8 +921,8 @@ extern int assume_unchanged;
 extern int prefer_symlink_refs;
 extern int warn_ambiguous_refs;
 extern int warn_on_object_refname_ambiguity;
-extern const char *apply_default_whitespace;
-extern const char *apply_default_ignorewhitespace;
+extern char *apply_default_whitespace;
+extern char *apply_default_ignorewhitespace;
 extern const char *git_attributes_file;
 extern const char *git_hooks_path;
 extern int zlib_compression_level;
diff --git a/checkout.c b/checkout.c
index c72e9f9773..6586e30ca5 100644
--- a/checkout.c
+++ b/checkout.c
@@ -47,15 +47,14 @@ const char *unique_tracking_name(const char *name, struct object_id *oid,
 {
 	struct tracking_name_data cb_data = TRACKING_NAME_DATA_INIT;
 	const char *default_remote = NULL;
-	if (!git_config_get_string_const("checkout.defaultremote", &default_remote))
+	if (!git_config_get_string_tmp("checkout.defaultremote", &default_remote))
 		cb_data.default_remote = default_remote;
 	cb_data.src_ref = xstrfmt("refs/heads/%s", name);
 	cb_data.dst_oid = oid;
 	for_each_remote(check_tracking_name, &cb_data);
 	if (dwim_remotes_matched)
 		*dwim_remotes_matched = cb_data.num_matches;
 	free(cb_data.src_ref);
-	free((char *)default_remote);
 	if (cb_data.num_matches == 1) {
 		free(cb_data.default_dst_ref);
 		free(cb_data.default_dst_oid);
diff --git a/config.c b/config.c
index 2f244c67b6..f0367c76ad 100644
--- a/config.c
+++ b/config.c
@@ -2006,20 +2006,15 @@ const struct string_list *git_configset_get_value_multi(struct config_set *cs, c
 	return e ? &e->value_list : NULL;
 }
 
-int git_configset_get_string_const(struct config_set *cs, const char *key, const char **dest)
+int git_configset_get_string(struct config_set *cs, const char *key, char **dest)
 {
 	const char *value;
 	if (!git_configset_get_value(cs, key, &value))
-		return git_config_string(dest, key, value);
+		return git_config_string((const char **)dest, key, value);
 	else
 		return 1;
 }
 
-int git_configset_get_string(struct config_set *cs, const char *key, char **dest)
-{
-	return git_configset_get_string_const(cs, key, (const char **)dest);
-}
-
 int git_configset_get_string_tmp(struct config_set *cs, const char *key,
 				 const char **dest)
 {
@@ -2161,24 +2156,17 @@ const struct string_list *repo_config_get_value_multi(struct repository *repo,
 	return git_configset_get_value_multi(repo->config, key);
 }
 
-int repo_config_get_string_const(struct repository *repo,
-				 const char *key, const char **dest)
+int repo_config_get_string(struct repository *repo,
+			   const char *key, char **dest)
 {
 	int ret;
 	git_config_check_init(repo);
-	ret = git_configset_get_string_const(repo->config, key, dest);
+	ret = git_configset_get_string(repo->config, key, dest);
 	if (ret < 0)
 		git_die_config(key, NULL);
 	return ret;
 }
 
-int repo_config_get_string(struct repository *repo,
-			   const char *key, char **dest)
-{
-	git_config_check_init(repo);
-	return repo_config_get_string_const(repo, key, (const char **)dest);
-}
-
 int repo_config_get_string_tmp(struct repository *repo,
 			       const char *key, const char **dest)
 {
@@ -2257,11 +2245,6 @@ const struct string_list *git_config_get_value_multi(const char *key)
 	return repo_config_get_value_multi(the_repository, key);
 }
 
-int git_config_get_string_const(const char *key, const char **dest)
-{
-	return repo_config_get_string_const(the_repository, key, dest);
-}
-
 int git_config_get_string(const char *key, char **dest)
 {
 	return repo_config_get_string(the_repository, key, dest);
@@ -2304,7 +2287,7 @@ int git_config_get_pathname(const char *key, const char **dest)
 
 int git_config_get_expiry(const char *key, const char **output)
 {
-	int ret = git_config_get_string_const(key, output);
+	int ret = git_config_get_string(key, (char **)output);
 	if (ret)
 		return ret;
 	if (strcmp(*output, "now")) {
diff --git a/config.h b/config.h
index a75b22e0d1..91cdfbfb41 100644
--- a/config.h
+++ b/config.h
@@ -458,7 +458,6 @@ void git_configset_clear(struct config_set *cs);
  */
 int git_configset_get_value(struct config_set *cs, const char *key, const char **dest);
 
-int git_configset_get_string_const(struct config_set *cs, const char *key, const char **dest);
 int git_configset_get_string(struct config_set *cs, const char *key, char **dest);
 int git_configset_get_string_tmp(struct config_set *cs, const char *key, const char **dest);
 int git_configset_get_int(struct config_set *cs, const char *key, int *dest);
@@ -475,8 +474,6 @@ int repo_config_get_value(struct repository *repo,
 			  const char *key, const char **value);
 const struct string_list *repo_config_get_value_multi(struct repository *repo,
 						      const char *key);
-int repo_config_get_string_const(struct repository *repo,
-				 const char *key, const char **dest);
 int repo_config_get_string(struct repository *repo,
 			   const char *key, char **dest);
 int repo_config_get_string_tmp(struct repository *repo,
@@ -532,16 +529,10 @@ void git_config_clear(void);
  * error message and returns -1. When the configuration variable `key` is
  * not found, returns 1 without touching `dest`.
  */
-int git_config_get_string_const(const char *key, const char **dest);
-
-/**
- * Similar to `git_config_get_string_const`, except that retrieved value
- * copied into the `dest` parameter is a mutable string.
- */
 int git_config_get_string(const char *key, char **dest);
 
 /**
- * Similar to `git_config_get_string_const`, but does not allocate any new
+ * Similar to `git_config_get_string`, but does not allocate any new
  * memory; on success `dest` will point to memory owned by the config
  * machinery, which could be invalidated if it is discarded and reloaded.
  */
diff --git a/environment.c b/environment.c
index 52e0c979ba..bb518c61cd 100644
--- a/environment.c
+++ b/environment.c
@@ -35,8 +35,8 @@ int repository_format_precious_objects;
 int repository_format_worktree_config;
 const char *git_commit_encoding;
 const char *git_log_output_encoding;
-const char *apply_default_whitespace;
-const char *apply_default_ignorewhitespace;
+char *apply_default_whitespace;
+char *apply_default_ignorewhitespace;
 const char *git_attributes_file;
 const char *git_hooks_path;
 int zlib_compression_level = Z_BEST_SPEED;
-- 
2.28.0.605.g35fde94f44

[PATCH v2 6/7] config: fix leak in git_config_get_expiry_in_days()

[Jeff King]

We use git_config_get_string() to retrieve the expiry value in a newly
allocated string. But after parsing it, we never free it, leaking the
memory.

We could fix this with a free() obviously, but there's an even better
solution: we can use the non-allocating "tmp" variant of the function;
we only need it to be valid for the lifetime of our parse function.

Signed-off-by: Jeff King <peff@peff.net>
---
 config.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/config.c b/config.c
index f0367c76ad..2bdff4457b 100644
--- a/config.c
+++ b/config.c
@@ -2300,11 +2300,11 @@ int git_config_get_expiry(const char *key, const char **output)
 
 int git_config_get_expiry_in_days(const char *key, timestamp_t *expiry, timestamp_t now)
 {
-	char *expiry_string;
+	const char *expiry_string;
 	intmax_t days;
 	timestamp_t when;
 
-	if (git_config_get_string(key, &expiry_string))
+	if (git_config_get_string_tmp(key, &expiry_string))
 		return 1; /* no such thing */
 
 	if (git_parse_signed(expiry_string, &days, maximum_signed_value_of_type(int))) {
-- 
2.28.0.605.g35fde94f44

[PATCH v2 7/7] submodule--helper: fix leak of core.worktree value

[Jeff King]

In the ensure_core_worktree() function, we load the core.worktree value
of the submodule repository using repo_config_get_string(). This
function copies the string, but we never free it, leaking the memory.

We can instead use the "tmp" version of that function to avoid the
allocation at all. We don't have to worry about lifetime issues, since
we never even look at the value (we just want to know if it's set).

Signed-off-by: Jeff King <peff@peff.net>
---
 builtin/submodule--helper.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/builtin/submodule--helper.c b/builtin/submodule--helper.c
index e09605716e..a59d8e4bda 100644
--- a/builtin/submodule--helper.c
+++ b/builtin/submodule--helper.c
@@ -2101,7 +2101,7 @@ static int ensure_core_worktree(int argc, const char **argv, const char *prefix)
 {
 	const struct submodule *sub;
 	const char *path;
-	char *cw;
+	const char *cw;
 	struct repository subrepo;
 
 	if (argc != 2)
@@ -2116,7 +2116,7 @@ static int ensure_core_worktree(int argc, const char **argv, const char *prefix)
 	if (repo_submodule_init(&subrepo, the_repository, sub))
 		die(_("could not get a repository handle for submodule '%s'"), path);
 
-	if (!repo_config_get_string(&subrepo, "core.worktree", &cw)) {
+	if (!repo_config_get_string_tmp(&subrepo, "core.worktree", &cw)) {
 		char *cfg_file, *abs_path;
 		const char *rel_path;
 		struct strbuf sb = STRBUF_INIT;
-- 
2.28.0.605.g35fde94f44