git@vger.kernel.org list mirror (unofficial, one of many)
 help / color / mirror / code / Atom feed
* [PATCH] refs: remove EINVAL specification from the errno sideband in read_raw_ref_fn
@ 2021-04-23 10:24 Han-Wen Nienhuys via GitGitGadget
  2021-04-23 12:57 ` Jeff King
  2021-04-23 15:31 ` [PATCH v2 0/3] refs: cleanup errno sideband ref related functions Han-Wen Nienhuys via GitGitGadget
  0 siblings, 2 replies; 11+ messages in thread
From: Han-Wen Nienhuys via GitGitGadget @ 2021-04-23 10:24 UTC (permalink / raw)
  To: git; +Cc: Han-Wen Nienhuys, Han-Wen Nienhuys

From: Han-Wen Nienhuys <hanwen@google.com>

A grep for EINVAL */*c reveals that no code inspects EINVAL after reading
references.

The files ref backend does use EINVAL so parse_loose_ref_contents() can
communicate to lock_raw_ref() about garbage following the hex SHA1, or a short
read in files_read_raw_ref(), but the files backend does not call into
refs_read_raw_ref(), so its EINVAL sideband error is unused.

As the errno sideband is unintuitive and error-prone, remove EINVAL
value, as a step towards getting rid of the errno sideband altogether.

Spotted by Ævar Arnfjörð Bjarmason <avarab@gmail.com>.

Signed-off-by: Han-Wen Nienhuys <hanwen@google.com>
---
    refs: remove EINVAL specification from the errno sideband in read_raw…
    
    …_ref_fn
    
    A grep for EINVAL */*c reveals that no code inspects EINVAL after
    reading references.
    
    The files ref backend does use EINVAL so parse_loose_ref_contents() can
    communicate to lock_raw_ref() about garbage following the hex SHA1, or a
    short read in files_read_raw_ref(), but the files backend does not call
    into refs_read_raw_ref(), so its EINVAL sideband error is unused.
    
    As the errno sideband is unintuitive and error-prone, remove EINVAL
    value, as a step towards getting rid of the errno sideband altogether.
    
    Spotted by Ævar Arnfjörð Bjarmason avarab@gmail.com.
    
    Signed-off-by: Han-Wen Nienhuys hanwen@google.com

Published-As: https://github.com/gitgitgadget/git/releases/tag/pr-git-1011%2Fhanwen%2Feinval-sideband-v1
Fetch-It-Via: git fetch https://github.com/gitgitgadget/git pr-git-1011/hanwen/einval-sideband-v1
Pull-Request: https://github.com/git/git/pull/1011

 refs.c               | 2 --
 refs/refs-internal.h | 9 ++++-----
 2 files changed, 4 insertions(+), 7 deletions(-)

diff --git a/refs.c b/refs.c
index 261fd82beb98..3179ebd71b2f 100644
--- a/refs.c
+++ b/refs.c
@@ -1705,7 +1705,6 @@ const char *refs_resolve_ref_unsafe(struct ref_store *refs,
 	if (check_refname_format(refname, REFNAME_ALLOW_ONELEVEL)) {
 		if (!(resolve_flags & RESOLVE_REF_ALLOW_BAD_NAME) ||
 		    !refname_is_safe(refname)) {
-			errno = EINVAL;
 			return NULL;
 		}
 
@@ -1765,7 +1764,6 @@ const char *refs_resolve_ref_unsafe(struct ref_store *refs,
 		if (check_refname_format(refname, REFNAME_ALLOW_ONELEVEL)) {
 			if (!(resolve_flags & RESOLVE_REF_ALLOW_BAD_NAME) ||
 			    !refname_is_safe(refname)) {
-				errno = EINVAL;
 				return NULL;
 			}
 
diff --git a/refs/refs-internal.h b/refs/refs-internal.h
index 467f4b3c936d..29728a339fed 100644
--- a/refs/refs-internal.h
+++ b/refs/refs-internal.h
@@ -617,11 +617,10 @@ typedef int reflog_expire_fn(struct ref_store *ref_store,
  * properly-formatted or even safe reference name. NEITHER INPUT NOR
  * OUTPUT REFERENCE NAMES ARE VALIDATED WITHIN THIS FUNCTION.
  *
- * Return 0 on success. If the ref doesn't exist, set errno to ENOENT
- * and return -1. If the ref exists but is neither a symbolic ref nor
- * an object ID, it is broken; set REF_ISBROKEN in type, set errno to
- * EINVAL, and return -1. If there is another error reading the ref,
- * set errno appropriately and return -1.
+ * Return 0 on success. If the ref doesn't exist, set errno to ENOENT and return
+ * -1. If the ref exists but is neither a symbolic ref nor an object ID, it is
+ * broken; set REF_ISBROKEN in type, and return -1. If there is another error
+ * reading the ref, set errno appropriately and return -1.
  *
  * Backend-specific flags might be set in type as well, regardless of
  * outcome.

base-commit: 311531c9de557d25ac087c1637818bd2aad6eb3a
-- 
gitgitgadget

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: [PATCH] refs: remove EINVAL specification from the errno sideband in read_raw_ref_fn
  2021-04-23 10:24 [PATCH] refs: remove EINVAL specification from the errno sideband in read_raw_ref_fn Han-Wen Nienhuys via GitGitGadget
@ 2021-04-23 12:57 ` Jeff King
  2021-04-23 15:25   ` Han-Wen Nienhuys
  2021-04-23 15:31 ` [PATCH v2 0/3] refs: cleanup errno sideband ref related functions Han-Wen Nienhuys via GitGitGadget
  1 sibling, 1 reply; 11+ messages in thread
From: Jeff King @ 2021-04-23 12:57 UTC (permalink / raw)
  To: Han-Wen Nienhuys via GitGitGadget; +Cc: git, Han-Wen Nienhuys, Han-Wen Nienhuys

On Fri, Apr 23, 2021 at 10:24:06AM +0000, Han-Wen Nienhuys via GitGitGadget wrote:

> Subject: refs: remove EINVAL specification from the errno sideband in read_raw_ref_fn

The subject says "read_raw_ref_fn", but the patch is touching
refs_resolve_ref_unsafe(). The former is an abstract type, and I didn't
dig to see the relationships, but I'll focus on the code change in the
patch.

> A grep for EINVAL */*c reveals that no code inspects EINVAL after reading
> references.

I don't think that's sufficient, for two reasons:

  - in general we try to be careful about forks and topics in flight,
    which might end up with semantic conflicts. So we don't necessarily
    assume that we can see all code, and prefer if any subtle changes
    like this at least result in a compile failure (e.g., changing
    function name or signature). In practice, this is balanced with how
    likely such code is, how bad the breakage would be, what we're
    gaining, etc.

  - just because they are not looking for EINVAL specifically doesn't
    mean they are not looking at errno at all (e.g., after calling
    refs_resolve_ref_unsafe(), lock_ref_oid_basic() does so). So we have
    to set errno to _something_ after the error. After your patch, we
    don't set it at all for these error returns, and so we'll be left
    with whatever junk was in errno from a previous unrelated syscall,
    which could be very misleading. Since we have to set it to
    something, EINVAL seems like a reasonable value.

I certainly buy the argument that errno is a pretty lousy channel for
passing back error data, for a number of reasons.  If we were going all
the way towards getting rid of errno in this function (and replacing it
with something better, as we must, since some callers _do_ care about
more detailed information), I could see the value. But this patch
doesn't get us anywhere useful and risks regressions in the meantime.

-Peff

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: [PATCH] refs: remove EINVAL specification from the errno sideband in read_raw_ref_fn
  2021-04-23 12:57 ` Jeff King
@ 2021-04-23 15:25   ` Han-Wen Nienhuys
  0 siblings, 0 replies; 11+ messages in thread
From: Han-Wen Nienhuys @ 2021-04-23 15:25 UTC (permalink / raw)
  To: Jeff King; +Cc: Han-Wen Nienhuys via GitGitGadget, git, Han-Wen Nienhuys

On Fri, Apr 23, 2021 at 2:57 PM Jeff King <peff@peff.net> wrote:
>
> On Fri, Apr 23, 2021 at 10:24:06AM +0000, Han-Wen Nienhuys via GitGitGadget wrote:
>
> > Subject: refs: remove EINVAL specification from the errno sideband in read_raw_ref_fn
>
> The subject says "read_raw_ref_fn", but the patch is touching
> refs_resolve_ref_unsafe(). The former is an abstract type, and I didn't
> dig to see the relationships, but I'll focus on the code change in the
> patch.

Well spotted. I reverted this part (I did glance over existing
callers, and couldn't find anyone inspecting errno)

> > A grep for EINVAL */*c reveals that no code inspects EINVAL after reading
> > references.
>
> I don't think that's sufficient, for two reasons:
>
>   - in general we try to be careful about forks and topics in flight,
>     which might end up with semantic conflicts. So we don't necessarily
>     assume that we can see all code, and prefer if any subtle changes
>     like this at least result in a compile failure (e.g., changing
>     function name or signature). In practice, this is balanced with how
>     likely such code is, how bad the breakage would be, what we're
>     gaining, etc.

would you say this is warranted here? refs.h doesn't mention the word
errno, so this behavior isn't documented at all. I also looked over
the current callers of read_raw_ref, and outside of refs/*.c none seem
to inspect errno.

>   - just because they are not looking for EINVAL specifically doesn't
>     mean they are not looking at errno at all (e.g., after calling
>     refs_resolve_ref_unsafe(), lock_ref_oid_basic() does so). So we have
>     to set errno to _something_ after the error. After your patch, we
>     don't set it at all for these error returns, and so we'll be left
>     with whatever junk was in errno from a previous unrelated syscall,
>     which could be very misleading. Since we have to set it to
>     something, EINVAL seems like a reasonable value.

The function has several exit paths that don't set errno at all, so
the result is kind of random anyway, but I can't see the code I don't
have. I've updated the series, with some real progress to stamping out
errno. Hope this pleases you better.

-- 
Han-Wen Nienhuys - Google Munich
I work 80%. Don't expect answers from me on Fridays.
--

Google Germany GmbH, Erika-Mann-Strasse 33, 80636 Munich

Registergericht und -nummer: Hamburg, HRB 86891

Sitz der Gesellschaft: Hamburg

Geschäftsführer: Paul Manicle, Halimah DeLaine Prado

^ permalink raw reply	[flat|nested] 11+ messages in thread

* [PATCH v2 0/3] refs: cleanup errno sideband ref related functions.
  2021-04-23 10:24 [PATCH] refs: remove EINVAL specification from the errno sideband in read_raw_ref_fn Han-Wen Nienhuys via GitGitGadget
  2021-04-23 12:57 ` Jeff King
@ 2021-04-23 15:31 ` Han-Wen Nienhuys via GitGitGadget
  2021-04-23 15:31   ` [PATCH v2 1/3] refs: remove EINVAL specification from the errno sideband in read_raw_ref_fn Han-Wen Nienhuys via GitGitGadget
                     ` (2 more replies)
  1 sibling, 3 replies; 11+ messages in thread
From: Han-Wen Nienhuys via GitGitGadget @ 2021-04-23 15:31 UTC (permalink / raw)
  To: git; +Cc: Han-Wen Nienhuys, Han-Wen Nienhuys

v2:

 * peff's feedback. For now, leave refs.c alone; instead cleanups in
   files-backend and the ref backend API.

Han-Wen Nienhuys (3):
  refs: remove EINVAL specification from the errno sideband in
    read_raw_ref_fn
  refs/files-backend: stop setting errno from lock_ref_oid_basic
  refs: make errno output explicit for read_raw_ref_fn

 refs.c                |  7 +++++--
 refs/debug.c          |  4 ++--
 refs/files-backend.c  | 26 +++++++++-----------------
 refs/packed-backend.c |  5 +++--
 refs/refs-internal.h  | 14 ++++++++------
 5 files changed, 27 insertions(+), 29 deletions(-)


base-commit: 311531c9de557d25ac087c1637818bd2aad6eb3a
Published-As: https://github.com/gitgitgadget/git/releases/tag/pr-git-1011%2Fhanwen%2Feinval-sideband-v2
Fetch-It-Via: git fetch https://github.com/gitgitgadget/git pr-git-1011/hanwen/einval-sideband-v2
Pull-Request: https://github.com/git/git/pull/1011

Range-diff vs v1:

 1:  ed080f6a9c40 ! 1:  7e8181e77d40 refs: remove EINVAL specification from the errno sideband in read_raw_ref_fn
     @@ Commit message
      
          Signed-off-by: Han-Wen Nienhuys <hanwen@google.com>
      
     - ## refs.c ##
     -@@ refs.c: const char *refs_resolve_ref_unsafe(struct ref_store *refs,
     - 	if (check_refname_format(refname, REFNAME_ALLOW_ONELEVEL)) {
     - 		if (!(resolve_flags & RESOLVE_REF_ALLOW_BAD_NAME) ||
     - 		    !refname_is_safe(refname)) {
     --			errno = EINVAL;
     - 			return NULL;
     - 		}
     - 
     -@@ refs.c: const char *refs_resolve_ref_unsafe(struct ref_store *refs,
     - 		if (check_refname_format(refname, REFNAME_ALLOW_ONELEVEL)) {
     - 			if (!(resolve_flags & RESOLVE_REF_ALLOW_BAD_NAME) ||
     - 			    !refname_is_safe(refname)) {
     --				errno = EINVAL;
     - 				return NULL;
     - 			}
     - 
     -
       ## refs/refs-internal.h ##
      @@ refs/refs-internal.h: typedef int reflog_expire_fn(struct ref_store *ref_store,
        * properly-formatted or even safe reference name. NEITHER INPUT NOR
 -:  ------------ > 2:  db5da7d7fb51 refs/files-backend: stop setting errno from lock_ref_oid_basic
 -:  ------------ > 3:  7fbc1c754f43 refs: make errno output explicit for read_raw_ref_fn

-- 
gitgitgadget

^ permalink raw reply	[flat|nested] 11+ messages in thread

* [PATCH v2 1/3] refs: remove EINVAL specification from the errno sideband in read_raw_ref_fn
  2021-04-23 15:31 ` [PATCH v2 0/3] refs: cleanup errno sideband ref related functions Han-Wen Nienhuys via GitGitGadget
@ 2021-04-23 15:31   ` Han-Wen Nienhuys via GitGitGadget
  2021-04-23 15:31   ` [PATCH v2 2/3] refs/files-backend: stop setting errno from lock_ref_oid_basic Han-Wen Nienhuys via GitGitGadget
  2021-04-23 15:31   ` [PATCH v2 3/3] refs: make errno output explicit for read_raw_ref_fn Han-Wen Nienhuys via GitGitGadget
  2 siblings, 0 replies; 11+ messages in thread
From: Han-Wen Nienhuys via GitGitGadget @ 2021-04-23 15:31 UTC (permalink / raw)
  To: git; +Cc: Han-Wen Nienhuys, Han-Wen Nienhuys, Han-Wen Nienhuys

From: Han-Wen Nienhuys <hanwen@google.com>

A grep for EINVAL */*c reveals that no code inspects EINVAL after reading
references.

The files ref backend does use EINVAL so parse_loose_ref_contents() can
communicate to lock_raw_ref() about garbage following the hex SHA1, or a short
read in files_read_raw_ref(), but the files backend does not call into
refs_read_raw_ref(), so its EINVAL sideband error is unused.

As the errno sideband is unintuitive and error-prone, remove EINVAL
value, as a step towards getting rid of the errno sideband altogether.

Spotted by Ævar Arnfjörð Bjarmason <avarab@gmail.com>.

Signed-off-by: Han-Wen Nienhuys <hanwen@google.com>
---
 refs/refs-internal.h | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/refs/refs-internal.h b/refs/refs-internal.h
index 467f4b3c936d..29728a339fed 100644
--- a/refs/refs-internal.h
+++ b/refs/refs-internal.h
@@ -617,11 +617,10 @@ typedef int reflog_expire_fn(struct ref_store *ref_store,
  * properly-formatted or even safe reference name. NEITHER INPUT NOR
  * OUTPUT REFERENCE NAMES ARE VALIDATED WITHIN THIS FUNCTION.
  *
- * Return 0 on success. If the ref doesn't exist, set errno to ENOENT
- * and return -1. If the ref exists but is neither a symbolic ref nor
- * an object ID, it is broken; set REF_ISBROKEN in type, set errno to
- * EINVAL, and return -1. If there is another error reading the ref,
- * set errno appropriately and return -1.
+ * Return 0 on success. If the ref doesn't exist, set errno to ENOENT and return
+ * -1. If the ref exists but is neither a symbolic ref nor an object ID, it is
+ * broken; set REF_ISBROKEN in type, and return -1. If there is another error
+ * reading the ref, set errno appropriately and return -1.
  *
  * Backend-specific flags might be set in type as well, regardless of
  * outcome.
-- 
gitgitgadget


^ permalink raw reply	[flat|nested] 11+ messages in thread

* [PATCH v2 2/3] refs/files-backend: stop setting errno from lock_ref_oid_basic
  2021-04-23 15:31 ` [PATCH v2 0/3] refs: cleanup errno sideband ref related functions Han-Wen Nienhuys via GitGitGadget
  2021-04-23 15:31   ` [PATCH v2 1/3] refs: remove EINVAL specification from the errno sideband in read_raw_ref_fn Han-Wen Nienhuys via GitGitGadget
@ 2021-04-23 15:31   ` Han-Wen Nienhuys via GitGitGadget
  2021-04-28  4:20     ` Junio C Hamano
  2021-04-23 15:31   ` [PATCH v2 3/3] refs: make errno output explicit for read_raw_ref_fn Han-Wen Nienhuys via GitGitGadget
  2 siblings, 1 reply; 11+ messages in thread
From: Han-Wen Nienhuys via GitGitGadget @ 2021-04-23 15:31 UTC (permalink / raw)
  To: git; +Cc: Han-Wen Nienhuys, Han-Wen Nienhuys, Han-Wen Nienhuys

From: Han-Wen Nienhuys <hanwen@google.com>

Errno is a global variable written by almost all system calls, and therefore it
is hard to reason about its state.

This is a functional noop, because calls to lock_ref_oid_basic() in this file
are followed by:

* lock_ref_oid_basic (copy/rename rollback error path)

* write_ref_to_lockfile (both in the rollback path and the success path of
  copy/rename)

* create_symref_locked (files_create_symref)

* refs_reflog_exists (reflog expiry)

These calls do I/O and therefore clobber errno. They are not inspecting the
incoming errno.

Signed-off-by: Han-Wen Nienhuys <hanwen@google.com>
---
 refs/files-backend.c | 9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)

diff --git a/refs/files-backend.c b/refs/files-backend.c
index 119972ee16f8..c9511da1d387 100644
--- a/refs/files-backend.c
+++ b/refs/files-backend.c
@@ -910,7 +910,6 @@ static int create_reflock(const char *path, void *cb)
 
 /*
  * Locks a ref returning the lock on success and NULL on failure.
- * On failure errno is set to something meaningful.
  */
 static struct ref_lock *lock_ref_oid_basic(struct files_ref_store *refs,
 					   const char *refname,
@@ -922,7 +921,6 @@ static struct ref_lock *lock_ref_oid_basic(struct files_ref_store *refs,
 {
 	struct strbuf ref_file = STRBUF_INIT;
 	struct ref_lock *lock;
-	int last_errno = 0;
 	int mustexist = (old_oid && !is_null_oid(old_oid));
 	int resolve_flags = RESOLVE_REF_NO_RECURSE;
 	int resolved;
@@ -949,7 +947,6 @@ static struct ref_lock *lock_ref_oid_basic(struct files_ref_store *refs,
 		 * to remain.
 		 */
 		if (remove_empty_directories(&ref_file)) {
-			last_errno = errno;
 			if (!refs_verify_refname_available(
 					    &refs->base,
 					    refname, extras, skip, err))
@@ -962,7 +959,7 @@ static struct ref_lock *lock_ref_oid_basic(struct files_ref_store *refs,
 						     &lock->old_oid, type);
 	}
 	if (!resolved) {
-		last_errno = errno;
+		int last_errno = errno;
 		if (last_errno != ENOTDIR ||
 		    !refs_verify_refname_available(&refs->base, refname,
 						   extras, skip, err))
@@ -981,20 +978,17 @@ static struct ref_lock *lock_ref_oid_basic(struct files_ref_store *refs,
 	if (is_null_oid(&lock->old_oid) &&
 	    refs_verify_refname_available(refs->packed_ref_store, refname,
 					  extras, skip, err)) {
-		last_errno = ENOTDIR;
 		goto error_return;
 	}
 
 	lock->ref_name = xstrdup(refname);
 
 	if (raceproof_create_file(ref_file.buf, create_reflock, &lock->lk)) {
-		last_errno = errno;
 		unable_to_lock_message(ref_file.buf, errno, err);
 		goto error_return;
 	}
 
 	if (verify_lock(&refs->base, lock, old_oid, mustexist, err)) {
-		last_errno = errno;
 		goto error_return;
 	}
 	goto out;
@@ -1005,7 +999,6 @@ static struct ref_lock *lock_ref_oid_basic(struct files_ref_store *refs,
 
  out:
 	strbuf_release(&ref_file);
-	errno = last_errno;
 	return lock;
 }
 
-- 
gitgitgadget


^ permalink raw reply	[flat|nested] 11+ messages in thread

* [PATCH v2 3/3] refs: make errno output explicit for read_raw_ref_fn
  2021-04-23 15:31 ` [PATCH v2 0/3] refs: cleanup errno sideband ref related functions Han-Wen Nienhuys via GitGitGadget
  2021-04-23 15:31   ` [PATCH v2 1/3] refs: remove EINVAL specification from the errno sideband in read_raw_ref_fn Han-Wen Nienhuys via GitGitGadget
  2021-04-23 15:31   ` [PATCH v2 2/3] refs/files-backend: stop setting errno from lock_ref_oid_basic Han-Wen Nienhuys via GitGitGadget
@ 2021-04-23 15:31   ` Han-Wen Nienhuys via GitGitGadget
  2 siblings, 0 replies; 11+ messages in thread
From: Han-Wen Nienhuys via GitGitGadget @ 2021-04-23 15:31 UTC (permalink / raw)
  To: git; +Cc: Han-Wen Nienhuys, Han-Wen Nienhuys, Han-Wen Nienhuys

From: Han-Wen Nienhuys <hanwen@google.com>

read_raw_ref_fn needs to supply a credible errno for a number of cases. These
are primarily:

1) The files backend calls read_raw_ref from lock_raw_ref, and uses the
resulting error codes to create/remove directories as needed.

2) ENOENT should be translated in a zero OID, optionally with REF_ISBROKEN set,
returning the last successfully resolved symref. This is necessary so
read_raw_ref("HEAD") on an empty repo returns refs/heads/main (or the default branch
du-jour), and we know on which branch to create the first commit.

Make this information flow explicit by adding a failure_errno to the signature
of read_raw_ref. All errnos from the files backend are still propagated
unchanged, even though inspection suggests only ENOTDIR, EISDIR and ENOENT are
relevant.

Signed-off-by: Han-Wen Nienhuys <hanwen@google.com>
---
 refs.c                |  7 +++++--
 refs/debug.c          |  4 ++--
 refs/files-backend.c  | 17 ++++++++---------
 refs/packed-backend.c |  5 +++--
 refs/refs-internal.h  |  9 ++++++---
 5 files changed, 24 insertions(+), 18 deletions(-)

diff --git a/refs.c b/refs.c
index 261fd82beb98..43e2ad6b612a 100644
--- a/refs.c
+++ b/refs.c
@@ -1675,13 +1675,16 @@ int refs_read_raw_ref(struct ref_store *ref_store,
 		      const char *refname, struct object_id *oid,
 		      struct strbuf *referent, unsigned int *type)
 {
+	int result, failure;
 	if (!strcmp(refname, "FETCH_HEAD") || !strcmp(refname, "MERGE_HEAD")) {
 		return refs_read_special_head(ref_store, refname, oid, referent,
 					      type);
 	}
 
-	return ref_store->be->read_raw_ref(ref_store, refname, oid, referent,
-					   type);
+	result = ref_store->be->read_raw_ref(ref_store, refname, oid, referent,
+					     type, &failure);
+	errno = failure;
+	return result;
 }
 
 /* This function needs to return a meaningful errno on failure */
diff --git a/refs/debug.c b/refs/debug.c
index 922e64fa6ad9..887dbb14be6e 100644
--- a/refs/debug.c
+++ b/refs/debug.c
@@ -238,14 +238,14 @@ debug_ref_iterator_begin(struct ref_store *ref_store, const char *prefix,
 
 static int debug_read_raw_ref(struct ref_store *ref_store, const char *refname,
 			      struct object_id *oid, struct strbuf *referent,
-			      unsigned int *type)
+			      unsigned int *type, int *failure_errno)
 {
 	struct debug_ref_store *drefs = (struct debug_ref_store *)ref_store;
 	int res = 0;
 
 	oidcpy(oid, &null_oid);
 	res = drefs->refs->be->read_raw_ref(drefs->refs, refname, oid, referent,
-					    type);
+					    type, failure_errno);
 
 	if (res == 0) {
 		trace_printf_key(&trace_refs, "read_raw_ref: %s: %s (=> %s) type %x: %d\n",
diff --git a/refs/files-backend.c b/refs/files-backend.c
index c9511da1d387..3ba3a96e1c6b 100644
--- a/refs/files-backend.c
+++ b/refs/files-backend.c
@@ -343,7 +343,7 @@ static struct ref_cache *get_loose_ref_cache(struct files_ref_store *refs)
 
 static int files_read_raw_ref(struct ref_store *ref_store,
 			      const char *refname, struct object_id *oid,
-			      struct strbuf *referent, unsigned int *type)
+			      struct strbuf *referent, unsigned int *type, int *failure_errno)
 {
 	struct files_ref_store *refs =
 		files_downcast(ref_store, REF_STORE_READ, "read_raw_ref");
@@ -354,7 +354,6 @@ static int files_read_raw_ref(struct ref_store *ref_store,
 	struct stat st;
 	int fd;
 	int ret = -1;
-	int save_errno;
 	int remaining_retries = 3;
 
 	*type = 0;
@@ -459,10 +458,9 @@ static int files_read_raw_ref(struct ref_store *ref_store,
 	ret = parse_loose_ref_contents(buf, oid, referent, type);
 
 out:
-	save_errno = errno;
+	*failure_errno = errno;
 	strbuf_release(&sb_path);
 	strbuf_release(&sb_contents);
-	errno = save_errno;
 	return ret;
 }
 
@@ -541,6 +539,7 @@ static int lock_raw_ref(struct files_ref_store *refs,
 	struct strbuf ref_file = STRBUF_INIT;
 	int attempts_remaining = 3;
 	int ret = TRANSACTION_GENERIC_ERROR;
+	int failure_errno = 0;
 
 	assert(err);
 	files_assert_main_repository(refs, "lock_raw_ref");
@@ -630,8 +629,8 @@ static int lock_raw_ref(struct files_ref_store *refs,
 	 */
 
 	if (files_read_raw_ref(&refs->base, refname,
-			       &lock->old_oid, referent, type)) {
-		if (errno == ENOENT) {
+			       &lock->old_oid, referent, type, &failure_errno)) {
+		if (failure_errno == ENOENT) {
 			if (mustexist) {
 				/* Garden variety missing reference. */
 				strbuf_addf(err, "unable to resolve reference '%s'",
@@ -655,7 +654,7 @@ static int lock_raw_ref(struct files_ref_store *refs,
 				 *   reference named "refs/foo/bar/baz".
 				 */
 			}
-		} else if (errno == EISDIR) {
+		} else if (failure_errno == EISDIR) {
 			/*
 			 * There is a directory in the way. It might have
 			 * contained references that have been deleted. If
@@ -693,13 +692,13 @@ static int lock_raw_ref(struct files_ref_store *refs,
 					goto error_return;
 				}
 			}
-		} else if (errno == EINVAL && (*type & REF_ISBROKEN)) {
+		} else if (failure_errno == EINVAL && (*type & REF_ISBROKEN)) {
 			strbuf_addf(err, "unable to resolve reference '%s': "
 				    "reference broken", refname);
 			goto error_return;
 		} else {
 			strbuf_addf(err, "unable to resolve reference '%s': %s",
-				    refname, strerror(errno));
+				    refname, strerror(failure_errno));
 			goto error_return;
 		}
 
diff --git a/refs/packed-backend.c b/refs/packed-backend.c
index dfecdbc1db60..9a09ad7f5f29 100644
--- a/refs/packed-backend.c
+++ b/refs/packed-backend.c
@@ -726,7 +726,8 @@ static struct snapshot *get_snapshot(struct packed_ref_store *refs)
 
 static int packed_read_raw_ref(struct ref_store *ref_store,
 			       const char *refname, struct object_id *oid,
-			       struct strbuf *referent, unsigned int *type)
+			       struct strbuf *referent, unsigned int *type,
+			       int *failure_errno)
 {
 	struct packed_ref_store *refs =
 		packed_downcast(ref_store, REF_STORE_READ, "read_raw_ref");
@@ -739,7 +740,7 @@ static int packed_read_raw_ref(struct ref_store *ref_store,
 
 	if (!rec) {
 		/* refname is not a packed reference. */
-		errno = ENOENT;
+		*failure_errno = ENOENT;
 		return -1;
 	}
 
diff --git a/refs/refs-internal.h b/refs/refs-internal.h
index 29728a339fed..15cc0ddd68ab 100644
--- a/refs/refs-internal.h
+++ b/refs/refs-internal.h
@@ -617,9 +617,11 @@ typedef int reflog_expire_fn(struct ref_store *ref_store,
  * properly-formatted or even safe reference name. NEITHER INPUT NOR
  * OUTPUT REFERENCE NAMES ARE VALIDATED WITHIN THIS FUNCTION.
  *
- * Return 0 on success. If the ref doesn't exist, set errno to ENOENT and return
+ * Return 0 on success. If the ref doesn't exist, set failure_errno to ENOENT and return
  * -1. If the ref exists but is neither a symbolic ref nor an object ID, it is
- * broken; set REF_ISBROKEN in type, and return -1. If there is another error
+ * broken; set REF_ISBROKEN in type, and return -1. For the files backend, EISDIR and ENOTDIR
+ * may be set if the ref name is a directory
+ * If there is another error
  * reading the ref, set errno appropriately and return -1.
  *
  * Backend-specific flags might be set in type as well, regardless of
@@ -636,7 +638,8 @@ typedef int reflog_expire_fn(struct ref_store *ref_store,
  */
 typedef int read_raw_ref_fn(struct ref_store *ref_store,
 			    const char *refname, struct object_id *oid,
-			    struct strbuf *referent, unsigned int *type);
+			    struct strbuf *referent, unsigned int *type,
+			    int *failure_errno);
 
 struct ref_storage_be {
 	struct ref_storage_be *next;
-- 
gitgitgadget

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: [PATCH v2 2/3] refs/files-backend: stop setting errno from lock_ref_oid_basic
  2021-04-23 15:31   ` [PATCH v2 2/3] refs/files-backend: stop setting errno from lock_ref_oid_basic Han-Wen Nienhuys via GitGitGadget
@ 2021-04-28  4:20     ` Junio C Hamano
  2021-04-28 10:55       ` Han-Wen Nienhuys
  0 siblings, 1 reply; 11+ messages in thread
From: Junio C Hamano @ 2021-04-28  4:20 UTC (permalink / raw)
  To: Han-Wen Nienhuys via GitGitGadget; +Cc: git, Han-Wen Nienhuys, Han-Wen Nienhuys

"Han-Wen Nienhuys via GitGitGadget" <gitgitgadget@gmail.com> writes:

> From: Han-Wen Nienhuys <hanwen@google.com>
>
> Errno is a global variable written by almost all system calls, and therefore it
> is hard to reason about its state.
>
> This is a functional noop, because calls to lock_ref_oid_basic() in this file
> are followed by:
>
> * lock_ref_oid_basic (copy/rename rollback error path)
>
> * write_ref_to_lockfile (both in the rollback path and the success path of
>   copy/rename)
>
> * create_symref_locked (files_create_symref)
>
> * refs_reflog_exists (reflog expiry)
>
> These calls do I/O and therefore clobber errno. They are not inspecting the
> incoming errno.

Hmph, are you saying that these calls do I/O and always the I/O
would fail?  A system call that is successfull don't touch errno;
only the calls that resulted in failure do.

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: [PATCH v2 2/3] refs/files-backend: stop setting errno from lock_ref_oid_basic
  2021-04-28  4:20     ` Junio C Hamano
@ 2021-04-28 10:55       ` Han-Wen Nienhuys
  2021-04-29  1:55         ` Junio C Hamano
  0 siblings, 1 reply; 11+ messages in thread
From: Han-Wen Nienhuys @ 2021-04-28 10:55 UTC (permalink / raw)
  To: Junio C Hamano; +Cc: Han-Wen Nienhuys via GitGitGadget, git, Han-Wen Nienhuys

On Wed, Apr 28, 2021 at 6:20 AM Junio C Hamano <gitster@pobox.com> wrote:
> > These calls do I/O and therefore clobber errno. They are not inspecting the
> > incoming errno.
>
> Hmph, are you saying that these calls do I/O and always the I/O
> would fail?  A system call that is successfull don't touch errno;
> only the calls that resulted in failure do.

I'm saying that callers cannot reliably observe the errno result of
lock_ref_oid_basic, because it might be clobbered by a failing
follow-up call.

-- 
Han-Wen Nienhuys - Google Munich
I work 80%. Don't expect answers from me on Fridays.
--

Google Germany GmbH, Erika-Mann-Strasse 33, 80636 Munich

Registergericht und -nummer: Hamburg, HRB 86891

Sitz der Gesellschaft: Hamburg

Geschäftsführer: Paul Manicle, Halimah DeLaine Prado

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: [PATCH v2 2/3] refs/files-backend: stop setting errno from lock_ref_oid_basic
  2021-04-28 10:55       ` Han-Wen Nienhuys
@ 2021-04-29  1:55         ` Junio C Hamano
  2021-04-29  8:52           ` Han-Wen Nienhuys
  0 siblings, 1 reply; 11+ messages in thread
From: Junio C Hamano @ 2021-04-29  1:55 UTC (permalink / raw)
  To: Han-Wen Nienhuys; +Cc: Han-Wen Nienhuys via GitGitGadget, git, Han-Wen Nienhuys

Han-Wen Nienhuys <hanwen@google.com> writes:

> On Wed, Apr 28, 2021 at 6:20 AM Junio C Hamano <gitster@pobox.com> wrote:
>> > These calls do I/O and therefore clobber errno. They are not inspecting the
>> > incoming errno.
>>
>> Hmph, are you saying that these calls do I/O and always the I/O
>> would fail?  A system call that is successfull don't touch errno;
>> only the calls that resulted in failure do.
>
> I'm saying that callers cannot reliably observe the errno result of
> lock_ref_oid_basic, because it might be clobbered by a failing
> follow-up call.

Sorry, I still do not quite get it.  For example, you cite that a
call to lock_ref_oid_basic() in files_create_symref() is followed by
create_symref_locked() that may clobber errno when the latter fails.

But a failing lock_ref_oid_basic() would yield NULL and causes the
caller to leave, before calling create_symref_locked() and letting
it clobber errno, and the caller of files_create_symref() can
observe, when it returns -1 to signal an error, the errno left by
lock_ref_oid_basic(), no?  I would understand it if no caller of
files_create_symref() cares what is in errno when it receives
negative return to signal a failure, though.

And when lock_ref_oid_basic() did not fail, create_symref_locked()
calls helpers that can fail (e.g. fdopen_lock_file()) and result in
errno getting updated to record how it failed (this is also reported
to the user via "error(... strerror(errno))").

So a caller of files_create_symref() may not be able to tell between
lock_ref_oid_basic() and create_symref_locked() which one caused the
files_create_symref() call to fail, but in either case it should be
able to inspect errno to learn what kind of error we got from the
underlying system, no?


^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: [PATCH v2 2/3] refs/files-backend: stop setting errno from lock_ref_oid_basic
  2021-04-29  1:55         ` Junio C Hamano
@ 2021-04-29  8:52           ` Han-Wen Nienhuys
  0 siblings, 0 replies; 11+ messages in thread
From: Han-Wen Nienhuys @ 2021-04-29  8:52 UTC (permalink / raw)
  To: Junio C Hamano; +Cc: Han-Wen Nienhuys via GitGitGadget, git, Han-Wen Nienhuys

On Thu, Apr 29, 2021 at 3:55 AM Junio C Hamano <gitster@pobox.com> wrote:
>
> Han-Wen Nienhuys <hanwen@google.com> writes:
>
> > On Wed, Apr 28, 2021 at 6:20 AM Junio C Hamano <gitster@pobox.com> wrote:
> >> > These calls do I/O and therefore clobber errno. They are not inspecting the
> >> > incoming errno.
> >>
> >> Hmph, are you saying that these calls do I/O and always the I/O
> >> would fail?  A system call that is successfull don't touch errno;
> >> only the calls that resulted in failure do.
> >
> > I'm saying that callers cannot reliably observe the errno result of
> > lock_ref_oid_basic, because it might be clobbered by a failing
> > follow-up call.
>
> Sorry, I still do not quite get it.  For example, you cite that a
> call to lock_ref_oid_basic() in files_create_symref() is followed by
> create_symref_locked() that may clobber errno when the latter fails.
>
> But a failing lock_ref_oid_basic() would yield NULL and causes the
> caller to leave, before calling create_symref_locked() and letting
> it clobber errno, and the caller of files_create_symref() can
> observe, when it returns -1 to signal an error, the errno left by
> lock_ref_oid_basic(), no?  I would understand it if no caller of
> files_create_symref() cares what is in errno when it receives
> negative return to signal a failure, though.

You're right; I didn't look carefully enough.  I did a grep over the
source code for create_symref() now, and couldn't find callers that
inspect errno; the same for reflog_expire().

I'll update the commit message to reflect this.

> And when lock_ref_oid_basic() did not fail, create_symref_locked()
> calls helpers that can fail (e.g. fdopen_lock_file()) and result in
> errno getting updated to record how it failed (this is also reported
> to the user via "error(... strerror(errno))").
>
> So a caller of files_create_symref() may not be able to tell between
> lock_ref_oid_basic() and create_symref_locked() which one caused the
> files_create_symref() call to fail, but in either case it should be
> able to inspect errno to learn what kind of error we got from the
> underlying system, no?

I disagree.  create_symref in the refs API gets an error strbuf_t. If
the function wants to say something to the user, it should use that
mechanism. If other operations are meant to provide reasonable error
messages, they should also get an error strbuf.

The files backend touches many files as part of its operation. If the
error is something like EPERM, errno reporting leaves no channel to
describe which file and which syscall is the offending one (is it
packed-refs.lock, refs/heads/branch.lock, refs/heads/ ; is it the
creat/rename/unlink syscall?). It's not a realistic mechanism to use
for errors that are meant to be understandable for users.

The errno mechanism is also poorly adjusted for alternate backends. If
there is corrupted data in a reftable file, the library returns
REFTABLE_FORMAT_ERROR, but what errno would correspond to that?

-- 
Han-Wen Nienhuys - Google Munich
I work 80%. Don't expect answers from me on Fridays.
--

Google Germany GmbH, Erika-Mann-Strasse 33, 80636 Munich

Registergericht und -nummer: Hamburg, HRB 86891

Sitz der Gesellschaft: Hamburg

Geschäftsführer: Paul Manicle, Halimah DeLaine Prado

^ permalink raw reply	[flat|nested] 11+ messages in thread

end of thread, other threads:[~2021-04-29  8:52 UTC | newest]

Thread overview: 11+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-04-23 10:24 [PATCH] refs: remove EINVAL specification from the errno sideband in read_raw_ref_fn Han-Wen Nienhuys via GitGitGadget
2021-04-23 12:57 ` Jeff King
2021-04-23 15:25   ` Han-Wen Nienhuys
2021-04-23 15:31 ` [PATCH v2 0/3] refs: cleanup errno sideband ref related functions Han-Wen Nienhuys via GitGitGadget
2021-04-23 15:31   ` [PATCH v2 1/3] refs: remove EINVAL specification from the errno sideband in read_raw_ref_fn Han-Wen Nienhuys via GitGitGadget
2021-04-23 15:31   ` [PATCH v2 2/3] refs/files-backend: stop setting errno from lock_ref_oid_basic Han-Wen Nienhuys via GitGitGadget
2021-04-28  4:20     ` Junio C Hamano
2021-04-28 10:55       ` Han-Wen Nienhuys
2021-04-29  1:55         ` Junio C Hamano
2021-04-29  8:52           ` Han-Wen Nienhuys
2021-04-23 15:31   ` [PATCH v2 3/3] refs: make errno output explicit for read_raw_ref_fn Han-Wen Nienhuys via GitGitGadget

Code repositories for project(s) associated with this inbox:

	https://80x24.org/mirrors/git.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).