2006-06-06 23:51:49 +04:00
|
|
|
/*
|
|
|
|
* Copyright (c) 2005, Junio C Hamano
|
|
|
|
*/
|
|
|
|
#include "cache.h"
|
2014-10-01 14:28:42 +04:00
|
|
|
#include "lockfile.h"
|
chain kill signals for cleanup functions
If a piece of code wanted to do some cleanup before exiting
(e.g., cleaning up a lockfile or a tempfile), our usual
strategy was to install a signal handler that did something
like this:
do_cleanup(); /* actual work */
signal(signo, SIG_DFL); /* restore previous behavior */
raise(signo); /* deliver signal, killing ourselves */
For a single handler, this works fine. However, if we want
to clean up two _different_ things, we run into a problem.
The most recently installed handler will run, but when it
removes itself as a handler, it doesn't put back the first
handler.
This patch introduces sigchain, a tiny library for handling
a stack of signal handlers. You sigchain_push each handler,
and use sigchain_pop to restore whoever was before you in
the stack.
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2009-01-22 09:02:35 +03:00
|
|
|
#include "sigchain.h"
|
2006-06-06 23:51:49 +04:00
|
|
|
|
2014-10-01 14:28:28 +04:00
|
|
|
static struct lock_file *volatile lock_file_list;
|
2006-06-06 23:51:49 +04:00
|
|
|
|
2014-10-01 15:14:47 +04:00
|
|
|
static void remove_lock_files(int skip_fclose)
|
2006-06-06 23:51:49 +04:00
|
|
|
{
|
2007-04-21 14:11:10 +04:00
|
|
|
pid_t me = getpid();
|
|
|
|
|
2006-06-06 23:51:49 +04:00
|
|
|
while (lock_file_list) {
|
2014-10-01 15:14:47 +04:00
|
|
|
if (lock_file_list->owner == me) {
|
|
|
|
/* fclose() is not safe to call in a signal handler */
|
|
|
|
if (skip_fclose)
|
|
|
|
lock_file_list->fp = NULL;
|
2014-10-01 14:28:19 +04:00
|
|
|
rollback_lock_file(lock_file_list);
|
2014-10-01 15:14:47 +04:00
|
|
|
}
|
2006-06-06 23:51:49 +04:00
|
|
|
lock_file_list = lock_file_list->next;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2014-10-01 15:14:47 +04:00
|
|
|
static void remove_lock_files_on_exit(void)
|
|
|
|
{
|
|
|
|
remove_lock_files(0);
|
|
|
|
}
|
|
|
|
|
2014-10-01 14:28:38 +04:00
|
|
|
static void remove_lock_files_on_signal(int signo)
|
2006-06-06 23:51:49 +04:00
|
|
|
{
|
2014-10-01 15:14:47 +04:00
|
|
|
remove_lock_files(1);
|
chain kill signals for cleanup functions
If a piece of code wanted to do some cleanup before exiting
(e.g., cleaning up a lockfile or a tempfile), our usual
strategy was to install a signal handler that did something
like this:
do_cleanup(); /* actual work */
signal(signo, SIG_DFL); /* restore previous behavior */
raise(signo); /* deliver signal, killing ourselves */
For a single handler, this works fine. However, if we want
to clean up two _different_ things, we run into a problem.
The most recently installed handler will run, but when it
removes itself as a handler, it doesn't put back the first
handler.
This patch introduces sigchain, a tiny library for handling
a stack of signal handlers. You sigchain_push each handler,
and use sigchain_pop to restore whoever was before you in
the stack.
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2009-01-22 09:02:35 +03:00
|
|
|
sigchain_pop(signo);
|
2006-06-06 23:51:49 +04:00
|
|
|
raise(signo);
|
|
|
|
}
|
|
|
|
|
2007-07-26 21:34:14 +04:00
|
|
|
/*
|
2014-10-01 14:28:35 +04:00
|
|
|
* path = absolute or relative path name
|
2007-07-26 21:34:14 +04:00
|
|
|
*
|
2014-10-01 14:28:35 +04:00
|
|
|
* Remove the last path name element from path (leaving the preceding
|
|
|
|
* "/", if any). If path is empty or the root directory ("/"), set
|
|
|
|
* path to the empty string.
|
2007-07-26 21:34:14 +04:00
|
|
|
*/
|
2014-10-01 14:28:35 +04:00
|
|
|
static void trim_last_path_component(struct strbuf *path)
|
2007-07-26 21:34:14 +04:00
|
|
|
{
|
2014-10-01 14:28:35 +04:00
|
|
|
int i = path->len;
|
2007-07-26 21:34:14 +04:00
|
|
|
|
|
|
|
/* back up past trailing slashes, if any */
|
2014-10-01 14:28:35 +04:00
|
|
|
while (i && path->buf[i - 1] == '/')
|
|
|
|
i--;
|
2007-07-26 21:34:14 +04:00
|
|
|
|
|
|
|
/*
|
2014-10-01 14:28:35 +04:00
|
|
|
* then go backwards until a slash, or the beginning of the
|
|
|
|
* string
|
2007-07-26 21:34:14 +04:00
|
|
|
*/
|
2014-10-01 14:28:35 +04:00
|
|
|
while (i && path->buf[i - 1] != '/')
|
|
|
|
i--;
|
|
|
|
|
|
|
|
strbuf_setlen(path, i);
|
2007-07-26 21:34:14 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/* We allow "recursive" symbolic links. Only within reason, though */
|
|
|
|
#define MAXDEPTH 5
|
|
|
|
|
|
|
|
/*
|
2014-10-01 14:28:34 +04:00
|
|
|
* path contains a path that might be a symlink.
|
2007-07-26 21:34:14 +04:00
|
|
|
*
|
2014-10-01 14:28:34 +04:00
|
|
|
* If path is a symlink, attempt to overwrite it with a path to the
|
|
|
|
* real file or directory (which may or may not exist), following a
|
|
|
|
* chain of symlinks if necessary. Otherwise, leave path unmodified.
|
2007-07-26 21:34:14 +04:00
|
|
|
*
|
2014-10-01 14:28:34 +04:00
|
|
|
* This is a best-effort routine. If an error occurs, path will
|
|
|
|
* either be left unmodified or will name a different symlink in a
|
|
|
|
* symlink chain that started with the original path.
|
2007-07-26 21:34:14 +04:00
|
|
|
*/
|
2014-10-01 14:28:34 +04:00
|
|
|
static void resolve_symlink(struct strbuf *path)
|
2007-07-26 21:34:14 +04:00
|
|
|
{
|
|
|
|
int depth = MAXDEPTH;
|
2014-10-01 14:28:33 +04:00
|
|
|
static struct strbuf link = STRBUF_INIT;
|
2007-07-26 21:34:14 +04:00
|
|
|
|
|
|
|
while (depth--) {
|
2014-10-01 14:28:34 +04:00
|
|
|
if (strbuf_readlink(&link, path->buf, path->len) < 0)
|
2014-10-01 14:28:33 +04:00
|
|
|
break;
|
2007-07-26 21:34:14 +04:00
|
|
|
|
2014-10-01 14:28:34 +04:00
|
|
|
if (is_absolute_path(link.buf))
|
2007-07-26 21:34:14 +04:00
|
|
|
/* absolute path simply replaces p */
|
2014-10-01 14:28:34 +04:00
|
|
|
strbuf_reset(path);
|
2014-10-01 14:28:35 +04:00
|
|
|
else
|
2007-07-26 21:34:14 +04:00
|
|
|
/*
|
2014-10-01 14:28:33 +04:00
|
|
|
* link is a relative path, so replace the
|
2007-07-26 21:34:14 +04:00
|
|
|
* last element of p with it.
|
|
|
|
*/
|
2014-10-01 14:28:35 +04:00
|
|
|
trim_last_path_component(path);
|
2014-10-01 14:28:34 +04:00
|
|
|
|
|
|
|
strbuf_addbuf(path, &link);
|
2007-07-26 21:34:14 +04:00
|
|
|
}
|
2014-10-01 14:28:33 +04:00
|
|
|
strbuf_reset(&link);
|
2007-07-26 21:34:14 +04:00
|
|
|
}
|
|
|
|
|
2014-06-20 18:42:48 +04:00
|
|
|
/* Make sure errno contains a meaningful value on error */
|
2008-10-18 02:44:39 +04:00
|
|
|
static int lock_file(struct lock_file *lk, const char *path, int flags)
|
2006-06-06 23:51:49 +04:00
|
|
|
{
|
2014-10-01 14:28:34 +04:00
|
|
|
size_t pathlen = strlen(path);
|
2013-07-06 23:48:52 +04:00
|
|
|
|
2014-10-01 14:28:13 +04:00
|
|
|
if (!lock_file_list) {
|
|
|
|
/* One-time initialization */
|
2014-10-01 14:28:38 +04:00
|
|
|
sigchain_push_common(remove_lock_files_on_signal);
|
2014-10-01 15:14:47 +04:00
|
|
|
atexit(remove_lock_files_on_exit);
|
2014-10-01 14:28:13 +04:00
|
|
|
}
|
|
|
|
|
lockfile: avoid transitory invalid states
Because remove_lock_file() can be called any time by the signal
handler, it is important that any lock_file objects that are in the
lock_file_list are always in a valid state. And since lock_file
objects are often reused (but are never removed from lock_file_list),
that means we have to be careful whenever mutating a lock_file object
to always keep it in a well-defined state.
This was formerly not the case, because part of the state was encoded
by setting lk->filename to the empty string vs. a valid filename. It
is wrong to assume that this string can be updated atomically; for
example, even
strcpy(lk->filename, value)
is unsafe. But the old code was even more reckless; for example,
strcpy(lk->filename, path);
if (!(flags & LOCK_NODEREF))
resolve_symlink(lk->filename, max_path_len);
strcat(lk->filename, ".lock");
During the call to resolve_symlink(), lk->filename contained the name
of the file that was being locked, not the name of the lockfile. If a
signal were raised during that interval, then the signal handler would
have deleted the valuable file!
We could probably continue to use the filename field to encode the
state by being careful to write characters 1..N-1 of the filename
first, and then overwrite the NUL at filename[0] with the first
character of the filename, but that would be awkward and error-prone.
So, instead of using the filename field to determine whether the
lock_file object is active, add a new field "lock_file::active" for
this purpose. Be careful to set this field only when filename really
contains the name of a file that should be deleted on cleanup.
Helped-by: Johannes Sixt <j6t@kdbg.org>
Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2014-10-01 14:28:27 +04:00
|
|
|
if (lk->active)
|
|
|
|
die("BUG: cannot lock_file(\"%s\") using active struct lock_file",
|
|
|
|
path);
|
2014-10-01 14:28:13 +04:00
|
|
|
if (!lk->on_list) {
|
|
|
|
/* Initialize *lk and add it to lock_file_list: */
|
|
|
|
lk->fd = -1;
|
2014-10-01 15:14:47 +04:00
|
|
|
lk->fp = NULL;
|
lockfile: avoid transitory invalid states
Because remove_lock_file() can be called any time by the signal
handler, it is important that any lock_file objects that are in the
lock_file_list are always in a valid state. And since lock_file
objects are often reused (but are never removed from lock_file_list),
that means we have to be careful whenever mutating a lock_file object
to always keep it in a well-defined state.
This was formerly not the case, because part of the state was encoded
by setting lk->filename to the empty string vs. a valid filename. It
is wrong to assume that this string can be updated atomically; for
example, even
strcpy(lk->filename, value)
is unsafe. But the old code was even more reckless; for example,
strcpy(lk->filename, path);
if (!(flags & LOCK_NODEREF))
resolve_symlink(lk->filename, max_path_len);
strcat(lk->filename, ".lock");
During the call to resolve_symlink(), lk->filename contained the name
of the file that was being locked, not the name of the lockfile. If a
signal were raised during that interval, then the signal handler would
have deleted the valuable file!
We could probably continue to use the filename field to encode the
state by being careful to write characters 1..N-1 of the filename
first, and then overwrite the NUL at filename[0] with the first
character of the filename, but that would be awkward and error-prone.
So, instead of using the filename field to determine whether the
lock_file object is active, add a new field "lock_file::active" for
this purpose. Be careful to set this field only when filename really
contains the name of a file that should be deleted on cleanup.
Helped-by: Johannes Sixt <j6t@kdbg.org>
Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2014-10-01 14:28:27 +04:00
|
|
|
lk->active = 0;
|
2014-10-01 14:28:13 +04:00
|
|
|
lk->owner = 0;
|
2014-10-01 14:28:34 +04:00
|
|
|
strbuf_init(&lk->filename, pathlen + LOCK_SUFFIX_LEN);
|
2014-10-01 14:28:13 +04:00
|
|
|
lk->next = lock_file_list;
|
|
|
|
lock_file_list = lk;
|
|
|
|
lk->on_list = 1;
|
2014-10-01 14:28:32 +04:00
|
|
|
} else if (lk->filename.len) {
|
|
|
|
/* This shouldn't happen, but better safe than sorry. */
|
|
|
|
die("BUG: lock_file(\"%s\") called with improperly-reset lock_file object",
|
|
|
|
path);
|
2014-10-01 14:28:13 +04:00
|
|
|
}
|
|
|
|
|
2014-11-02 09:24:37 +03:00
|
|
|
if (flags & LOCK_NO_DEREF) {
|
|
|
|
strbuf_add_absolute_path(&lk->filename, path);
|
|
|
|
} else {
|
|
|
|
struct strbuf resolved_path = STRBUF_INIT;
|
|
|
|
|
|
|
|
strbuf_add(&resolved_path, path, pathlen);
|
|
|
|
resolve_symlink(&resolved_path);
|
|
|
|
strbuf_add_absolute_path(&lk->filename, resolved_path.buf);
|
|
|
|
strbuf_release(&resolved_path);
|
|
|
|
}
|
|
|
|
|
2014-10-01 14:28:32 +04:00
|
|
|
strbuf_addstr(&lk->filename, LOCK_SUFFIX);
|
|
|
|
lk->fd = open(lk->filename.buf, O_RDWR | O_CREAT | O_EXCL, 0666);
|
2014-10-01 14:28:18 +04:00
|
|
|
if (lk->fd < 0) {
|
2014-10-01 14:28:32 +04:00
|
|
|
strbuf_reset(&lk->filename);
|
2013-07-06 23:48:52 +04:00
|
|
|
return -1;
|
2014-06-20 18:42:48 +04:00
|
|
|
}
|
2014-10-01 14:28:18 +04:00
|
|
|
lk->owner = getpid();
|
lockfile: avoid transitory invalid states
Because remove_lock_file() can be called any time by the signal
handler, it is important that any lock_file objects that are in the
lock_file_list are always in a valid state. And since lock_file
objects are often reused (but are never removed from lock_file_list),
that means we have to be careful whenever mutating a lock_file object
to always keep it in a well-defined state.
This was formerly not the case, because part of the state was encoded
by setting lk->filename to the empty string vs. a valid filename. It
is wrong to assume that this string can be updated atomically; for
example, even
strcpy(lk->filename, value)
is unsafe. But the old code was even more reckless; for example,
strcpy(lk->filename, path);
if (!(flags & LOCK_NODEREF))
resolve_symlink(lk->filename, max_path_len);
strcat(lk->filename, ".lock");
During the call to resolve_symlink(), lk->filename contained the name
of the file that was being locked, not the name of the lockfile. If a
signal were raised during that interval, then the signal handler would
have deleted the valuable file!
We could probably continue to use the filename field to encode the
state by being careful to write characters 1..N-1 of the filename
first, and then overwrite the NUL at filename[0] with the first
character of the filename, but that would be awkward and error-prone.
So, instead of using the filename field to determine whether the
lock_file object is active, add a new field "lock_file::active" for
this purpose. Be careful to set this field only when filename really
contains the name of a file that should be deleted on cleanup.
Helped-by: Johannes Sixt <j6t@kdbg.org>
Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2014-10-01 14:28:27 +04:00
|
|
|
lk->active = 1;
|
2014-10-01 14:28:32 +04:00
|
|
|
if (adjust_shared_perm(lk->filename.buf)) {
|
2014-10-01 14:28:18 +04:00
|
|
|
int save_errno = errno;
|
2014-10-01 14:28:32 +04:00
|
|
|
error("cannot fix permission bits on %s", lk->filename.buf);
|
2014-10-01 14:28:18 +04:00
|
|
|
rollback_lock_file(lk);
|
|
|
|
errno = save_errno;
|
|
|
|
return -1;
|
2006-06-06 23:51:49 +04:00
|
|
|
}
|
2007-11-13 23:05:03 +03:00
|
|
|
return lk->fd;
|
2006-06-06 23:51:49 +04:00
|
|
|
}
|
|
|
|
|
2015-05-11 13:35:25 +03:00
|
|
|
static int sleep_microseconds(long us)
|
|
|
|
{
|
|
|
|
struct timeval tv;
|
|
|
|
tv.tv_sec = 0;
|
|
|
|
tv.tv_usec = us;
|
|
|
|
return select(0, NULL, NULL, NULL, &tv);
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Constants defining the gaps between attempts to lock a file. The
|
|
|
|
* first backoff period is approximately INITIAL_BACKOFF_MS
|
|
|
|
* milliseconds. The longest backoff period is approximately
|
|
|
|
* (BACKOFF_MAX_MULTIPLIER * INITIAL_BACKOFF_MS) milliseconds.
|
|
|
|
*/
|
|
|
|
#define INITIAL_BACKOFF_MS 1L
|
|
|
|
#define BACKOFF_MAX_MULTIPLIER 1000
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Try locking path, retrying with quadratic backoff for at least
|
|
|
|
* timeout_ms milliseconds. If timeout_ms is 0, try locking the file
|
|
|
|
* exactly once. If timeout_ms is -1, try indefinitely.
|
|
|
|
*/
|
|
|
|
static int lock_file_timeout(struct lock_file *lk, const char *path,
|
|
|
|
int flags, long timeout_ms)
|
|
|
|
{
|
|
|
|
int n = 1;
|
|
|
|
int multiplier = 1;
|
|
|
|
long remaining_us = 0;
|
|
|
|
static int random_initialized = 0;
|
|
|
|
|
|
|
|
if (timeout_ms == 0)
|
|
|
|
return lock_file(lk, path, flags);
|
|
|
|
|
|
|
|
if (!random_initialized) {
|
|
|
|
srandom((unsigned int)getpid());
|
|
|
|
random_initialized = 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (timeout_ms > 0) {
|
|
|
|
/* avoid overflow */
|
|
|
|
if (timeout_ms <= LONG_MAX / 1000)
|
|
|
|
remaining_us = timeout_ms * 1000;
|
|
|
|
else
|
|
|
|
remaining_us = LONG_MAX;
|
|
|
|
}
|
|
|
|
|
|
|
|
while (1) {
|
|
|
|
long backoff_ms, wait_us;
|
|
|
|
int fd;
|
|
|
|
|
|
|
|
fd = lock_file(lk, path, flags);
|
|
|
|
|
|
|
|
if (fd >= 0)
|
|
|
|
return fd; /* success */
|
|
|
|
else if (errno != EEXIST)
|
|
|
|
return -1; /* failure other than lock held */
|
|
|
|
else if (timeout_ms > 0 && remaining_us <= 0)
|
|
|
|
return -1; /* failure due to timeout */
|
|
|
|
|
|
|
|
backoff_ms = multiplier * INITIAL_BACKOFF_MS;
|
|
|
|
/* back off for between 0.75*backoff_ms and 1.25*backoff_ms */
|
|
|
|
wait_us = (750 + random() % 500) * backoff_ms;
|
|
|
|
sleep_microseconds(wait_us);
|
|
|
|
remaining_us -= wait_us;
|
|
|
|
|
|
|
|
/* Recursion: (n+1)^2 = n^2 + 2n + 1 */
|
|
|
|
multiplier += 2*n + 1;
|
|
|
|
if (multiplier > BACKOFF_MAX_MULTIPLIER)
|
|
|
|
multiplier = BACKOFF_MAX_MULTIPLIER;
|
|
|
|
else
|
|
|
|
n++;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2014-06-20 18:42:47 +04:00
|
|
|
void unable_to_lock_message(const char *path, int err, struct strbuf *buf)
|
2009-02-19 15:54:18 +03:00
|
|
|
{
|
2009-03-04 18:00:44 +03:00
|
|
|
if (err == EEXIST) {
|
2014-06-20 18:42:47 +04:00
|
|
|
strbuf_addf(buf, "Unable to create '%s.lock': %s.\n\n"
|
2009-02-19 15:54:18 +03:00
|
|
|
"If no other git process is currently running, this probably means a\n"
|
|
|
|
"git process crashed in this repository earlier. Make sure no other git\n"
|
|
|
|
"process is running and remove the file manually to continue.",
|
2011-03-17 14:26:46 +03:00
|
|
|
absolute_path(path), strerror(err));
|
2009-09-27 03:15:09 +04:00
|
|
|
} else
|
2014-06-20 18:42:47 +04:00
|
|
|
strbuf_addf(buf, "Unable to create '%s.lock': %s",
|
2011-03-17 14:26:46 +03:00
|
|
|
absolute_path(path), strerror(err));
|
2009-09-27 03:15:09 +04:00
|
|
|
}
|
|
|
|
|
2014-10-01 14:28:05 +04:00
|
|
|
NORETURN void unable_to_lock_die(const char *path, int err)
|
2009-09-27 03:15:09 +04:00
|
|
|
{
|
2014-06-20 18:42:47 +04:00
|
|
|
struct strbuf buf = STRBUF_INIT;
|
|
|
|
|
|
|
|
unable_to_lock_message(path, err, &buf);
|
|
|
|
die("%s", buf.buf);
|
2009-02-19 15:54:18 +03:00
|
|
|
}
|
|
|
|
|
2014-06-20 18:42:48 +04:00
|
|
|
/* This should return a meaningful errno on failure */
|
2015-05-11 13:35:25 +03:00
|
|
|
int hold_lock_file_for_update_timeout(struct lock_file *lk, const char *path,
|
|
|
|
int flags, long timeout_ms)
|
2006-08-12 12:03:47 +04:00
|
|
|
{
|
2015-05-11 13:35:25 +03:00
|
|
|
int fd = lock_file_timeout(lk, path, flags, timeout_ms);
|
2008-10-18 02:44:39 +04:00
|
|
|
if (fd < 0 && (flags & LOCK_DIE_ON_ERROR))
|
2014-10-01 14:28:05 +04:00
|
|
|
unable_to_lock_die(path, errno);
|
2006-08-12 12:03:47 +04:00
|
|
|
return fd;
|
|
|
|
}
|
|
|
|
|
2008-10-18 02:44:39 +04:00
|
|
|
int hold_lock_file_for_append(struct lock_file *lk, const char *path, int flags)
|
2008-04-18 03:32:26 +04:00
|
|
|
{
|
|
|
|
int fd, orig_fd;
|
|
|
|
|
2008-10-18 02:44:39 +04:00
|
|
|
fd = lock_file(lk, path, flags);
|
2008-04-18 03:32:26 +04:00
|
|
|
if (fd < 0) {
|
2008-10-18 02:44:39 +04:00
|
|
|
if (flags & LOCK_DIE_ON_ERROR)
|
2014-10-01 14:28:05 +04:00
|
|
|
unable_to_lock_die(path, errno);
|
2008-04-18 03:32:26 +04:00
|
|
|
return fd;
|
|
|
|
}
|
|
|
|
|
|
|
|
orig_fd = open(path, O_RDONLY);
|
|
|
|
if (orig_fd < 0) {
|
|
|
|
if (errno != ENOENT) {
|
2014-10-01 14:28:40 +04:00
|
|
|
int save_errno = errno;
|
|
|
|
|
2008-10-18 02:44:39 +04:00
|
|
|
if (flags & LOCK_DIE_ON_ERROR)
|
2008-04-18 03:32:26 +04:00
|
|
|
die("cannot open '%s' for copying", path);
|
2014-10-01 14:28:12 +04:00
|
|
|
rollback_lock_file(lk);
|
2014-10-01 14:28:40 +04:00
|
|
|
error("cannot open '%s' for copying", path);
|
|
|
|
errno = save_errno;
|
|
|
|
return -1;
|
2008-04-18 03:32:26 +04:00
|
|
|
}
|
|
|
|
} else if (copy_fd(orig_fd, fd)) {
|
2014-10-01 14:28:40 +04:00
|
|
|
int save_errno = errno;
|
|
|
|
|
2008-10-18 02:44:39 +04:00
|
|
|
if (flags & LOCK_DIE_ON_ERROR)
|
2015-05-19 20:55:16 +03:00
|
|
|
die("failed to prepare '%s' for appending", path);
|
2014-08-26 19:23:24 +04:00
|
|
|
close(orig_fd);
|
2014-10-01 14:28:12 +04:00
|
|
|
rollback_lock_file(lk);
|
2014-10-01 14:28:40 +04:00
|
|
|
errno = save_errno;
|
2008-04-18 03:32:26 +04:00
|
|
|
return -1;
|
2014-08-26 19:23:24 +04:00
|
|
|
} else {
|
|
|
|
close(orig_fd);
|
2008-04-18 03:32:26 +04:00
|
|
|
}
|
|
|
|
return fd;
|
|
|
|
}
|
|
|
|
|
2014-10-01 15:14:47 +04:00
|
|
|
FILE *fdopen_lock_file(struct lock_file *lk, const char *mode)
|
|
|
|
{
|
|
|
|
if (!lk->active)
|
|
|
|
die("BUG: fdopen_lock_file() called for unlocked object");
|
|
|
|
if (lk->fp)
|
|
|
|
die("BUG: fdopen_lock_file() called twice for file '%s'", lk->filename.buf);
|
|
|
|
|
|
|
|
lk->fp = fdopen(lk->fd, mode);
|
|
|
|
return lk->fp;
|
|
|
|
}
|
|
|
|
|
2014-10-01 14:28:39 +04:00
|
|
|
char *get_locked_file_path(struct lock_file *lk)
|
|
|
|
{
|
|
|
|
if (!lk->active)
|
|
|
|
die("BUG: get_locked_file_path() called for unlocked object");
|
|
|
|
if (lk->filename.len <= LOCK_SUFFIX_LEN)
|
|
|
|
die("BUG: get_locked_file_path() called for malformed lock object");
|
|
|
|
return xmemdupz(lk->filename.buf, lk->filename.len - LOCK_SUFFIX_LEN);
|
|
|
|
}
|
|
|
|
|
2008-01-16 22:05:32 +03:00
|
|
|
int close_lock_file(struct lock_file *lk)
|
|
|
|
{
|
|
|
|
int fd = lk->fd;
|
2014-10-01 15:14:47 +04:00
|
|
|
FILE *fp = lk->fp;
|
|
|
|
int err;
|
2014-10-01 14:28:07 +04:00
|
|
|
|
|
|
|
if (fd < 0)
|
|
|
|
return 0;
|
|
|
|
|
2008-01-16 22:05:32 +03:00
|
|
|
lk->fd = -1;
|
2014-10-01 15:14:47 +04:00
|
|
|
if (fp) {
|
|
|
|
lk->fp = NULL;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Note: no short-circuiting here; we want to fclose()
|
|
|
|
* in any case!
|
|
|
|
*/
|
|
|
|
err = ferror(fp) | fclose(fp);
|
|
|
|
} else {
|
|
|
|
err = close(fd);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (err) {
|
2014-10-01 14:28:22 +04:00
|
|
|
int save_errno = errno;
|
|
|
|
rollback_lock_file(lk);
|
|
|
|
errno = save_errno;
|
|
|
|
return -1;
|
|
|
|
}
|
2014-10-01 15:14:47 +04:00
|
|
|
|
2014-10-01 14:28:22 +04:00
|
|
|
return 0;
|
2008-01-16 22:05:32 +03:00
|
|
|
}
|
|
|
|
|
2014-07-14 21:29:58 +04:00
|
|
|
int reopen_lock_file(struct lock_file *lk)
|
|
|
|
{
|
|
|
|
if (0 <= lk->fd)
|
|
|
|
die(_("BUG: reopen a lockfile that is still open"));
|
lockfile: avoid transitory invalid states
Because remove_lock_file() can be called any time by the signal
handler, it is important that any lock_file objects that are in the
lock_file_list are always in a valid state. And since lock_file
objects are often reused (but are never removed from lock_file_list),
that means we have to be careful whenever mutating a lock_file object
to always keep it in a well-defined state.
This was formerly not the case, because part of the state was encoded
by setting lk->filename to the empty string vs. a valid filename. It
is wrong to assume that this string can be updated atomically; for
example, even
strcpy(lk->filename, value)
is unsafe. But the old code was even more reckless; for example,
strcpy(lk->filename, path);
if (!(flags & LOCK_NODEREF))
resolve_symlink(lk->filename, max_path_len);
strcat(lk->filename, ".lock");
During the call to resolve_symlink(), lk->filename contained the name
of the file that was being locked, not the name of the lockfile. If a
signal were raised during that interval, then the signal handler would
have deleted the valuable file!
We could probably continue to use the filename field to encode the
state by being careful to write characters 1..N-1 of the filename
first, and then overwrite the NUL at filename[0] with the first
character of the filename, but that would be awkward and error-prone.
So, instead of using the filename field to determine whether the
lock_file object is active, add a new field "lock_file::active" for
this purpose. Be careful to set this field only when filename really
contains the name of a file that should be deleted on cleanup.
Helped-by: Johannes Sixt <j6t@kdbg.org>
Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2014-10-01 14:28:27 +04:00
|
|
|
if (!lk->active)
|
2014-07-14 21:29:58 +04:00
|
|
|
die(_("BUG: reopen a lockfile that has been committed"));
|
2014-10-01 14:28:32 +04:00
|
|
|
lk->fd = open(lk->filename.buf, O_WRONLY);
|
2014-07-14 21:29:58 +04:00
|
|
|
return lk->fd;
|
|
|
|
}
|
|
|
|
|
2014-10-01 14:28:36 +04:00
|
|
|
int commit_lock_file_to(struct lock_file *lk, const char *path)
|
2006-06-06 23:51:49 +04:00
|
|
|
{
|
lockfile: avoid transitory invalid states
Because remove_lock_file() can be called any time by the signal
handler, it is important that any lock_file objects that are in the
lock_file_list are always in a valid state. And since lock_file
objects are often reused (but are never removed from lock_file_list),
that means we have to be careful whenever mutating a lock_file object
to always keep it in a well-defined state.
This was formerly not the case, because part of the state was encoded
by setting lk->filename to the empty string vs. a valid filename. It
is wrong to assume that this string can be updated atomically; for
example, even
strcpy(lk->filename, value)
is unsafe. But the old code was even more reckless; for example,
strcpy(lk->filename, path);
if (!(flags & LOCK_NODEREF))
resolve_symlink(lk->filename, max_path_len);
strcat(lk->filename, ".lock");
During the call to resolve_symlink(), lk->filename contained the name
of the file that was being locked, not the name of the lockfile. If a
signal were raised during that interval, then the signal handler would
have deleted the valuable file!
We could probably continue to use the filename field to encode the
state by being careful to write characters 1..N-1 of the filename
first, and then overwrite the NUL at filename[0] with the first
character of the filename, but that would be awkward and error-prone.
So, instead of using the filename field to determine whether the
lock_file object is active, add a new field "lock_file::active" for
this purpose. Be careful to set this field only when filename really
contains the name of a file that should be deleted on cleanup.
Helped-by: Johannes Sixt <j6t@kdbg.org>
Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2014-10-01 14:28:27 +04:00
|
|
|
if (!lk->active)
|
2014-10-01 14:28:36 +04:00
|
|
|
die("BUG: attempt to commit unlocked object to \"%s\"", path);
|
2014-10-01 14:28:21 +04:00
|
|
|
|
2014-10-01 14:28:07 +04:00
|
|
|
if (close_lock_file(lk))
|
2008-01-16 22:05:32 +03:00
|
|
|
return -1;
|
2014-10-01 14:28:20 +04:00
|
|
|
|
2014-10-01 14:28:36 +04:00
|
|
|
if (rename(lk->filename.buf, path)) {
|
2014-10-01 14:28:23 +04:00
|
|
|
int save_errno = errno;
|
|
|
|
rollback_lock_file(lk);
|
|
|
|
errno = save_errno;
|
2008-01-16 22:05:32 +03:00
|
|
|
return -1;
|
2014-10-01 14:28:23 +04:00
|
|
|
}
|
|
|
|
|
lockfile: avoid transitory invalid states
Because remove_lock_file() can be called any time by the signal
handler, it is important that any lock_file objects that are in the
lock_file_list are always in a valid state. And since lock_file
objects are often reused (but are never removed from lock_file_list),
that means we have to be careful whenever mutating a lock_file object
to always keep it in a well-defined state.
This was formerly not the case, because part of the state was encoded
by setting lk->filename to the empty string vs. a valid filename. It
is wrong to assume that this string can be updated atomically; for
example, even
strcpy(lk->filename, value)
is unsafe. But the old code was even more reckless; for example,
strcpy(lk->filename, path);
if (!(flags & LOCK_NODEREF))
resolve_symlink(lk->filename, max_path_len);
strcat(lk->filename, ".lock");
During the call to resolve_symlink(), lk->filename contained the name
of the file that was being locked, not the name of the lockfile. If a
signal were raised during that interval, then the signal handler would
have deleted the valuable file!
We could probably continue to use the filename field to encode the
state by being careful to write characters 1..N-1 of the filename
first, and then overwrite the NUL at filename[0] with the first
character of the filename, but that would be awkward and error-prone.
So, instead of using the filename field to determine whether the
lock_file object is active, add a new field "lock_file::active" for
this purpose. Be careful to set this field only when filename really
contains the name of a file that should be deleted on cleanup.
Helped-by: Johannes Sixt <j6t@kdbg.org>
Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2014-10-01 14:28:27 +04:00
|
|
|
lk->active = 0;
|
2014-10-01 14:28:32 +04:00
|
|
|
strbuf_reset(&lk->filename);
|
2008-01-16 22:05:32 +03:00
|
|
|
return 0;
|
2006-06-06 23:51:49 +04:00
|
|
|
}
|
|
|
|
|
2014-10-01 14:28:36 +04:00
|
|
|
int commit_lock_file(struct lock_file *lk)
|
_GIT_INDEX_OUTPUT: allow plumbing to output to an alternative index file.
When defined, this allows plumbing commands that update the
index (add, apply, checkout-index, merge-recursive, mv,
read-tree, rm, update-index, and write-tree) to write their
resulting index to an alternative index file while holding a
lock to the original index file. With this, git-commit that
jumps the index does not have to make an extra copy of the index
file, and more importantly, it can do the update while holding
the lock on the index.
However, I think the interface to let an environment variable
specify the output is a mistake, as shown in the documentation.
If a curious user has the environment variable set to something
other than the file GIT_INDEX_FILE points at, almost everything
will break. This should instead be a command line parameter to
tell these plumbing commands to write the result in the named
file, to prevent stupid mistakes.
Signed-off-by: Junio C Hamano <junkio@cox.net>
2007-04-01 10:09:02 +04:00
|
|
|
{
|
2014-10-01 14:28:36 +04:00
|
|
|
static struct strbuf result_file = STRBUF_INIT;
|
|
|
|
int err;
|
|
|
|
|
|
|
|
if (!lk->active)
|
|
|
|
die("BUG: attempt to commit unlocked object");
|
|
|
|
|
|
|
|
if (lk->filename.len <= LOCK_SUFFIX_LEN ||
|
|
|
|
strcmp(lk->filename.buf + lk->filename.len - LOCK_SUFFIX_LEN, LOCK_SUFFIX))
|
|
|
|
die("BUG: lockfile filename corrupt");
|
|
|
|
|
|
|
|
/* remove ".lock": */
|
|
|
|
strbuf_add(&result_file, lk->filename.buf,
|
|
|
|
lk->filename.len - LOCK_SUFFIX_LEN);
|
|
|
|
err = commit_lock_file_to(lk, result_file.buf);
|
|
|
|
strbuf_reset(&result_file);
|
|
|
|
return err;
|
_GIT_INDEX_OUTPUT: allow plumbing to output to an alternative index file.
When defined, this allows plumbing commands that update the
index (add, apply, checkout-index, merge-recursive, mv,
read-tree, rm, update-index, and write-tree) to write their
resulting index to an alternative index file while holding a
lock to the original index file. With this, git-commit that
jumps the index does not have to make an extra copy of the index
file, and more importantly, it can do the update while holding
the lock on the index.
However, I think the interface to let an environment variable
specify the output is a mistake, as shown in the documentation.
If a curious user has the environment variable set to something
other than the file GIT_INDEX_FILE points at, almost everything
will break. This should instead be a command line parameter to
tell these plumbing commands to write the result in the named
file, to prevent stupid mistakes.
Signed-off-by: Junio C Hamano <junkio@cox.net>
2007-04-01 10:09:02 +04:00
|
|
|
}
|
|
|
|
|
2006-06-06 23:51:49 +04:00
|
|
|
void rollback_lock_file(struct lock_file *lk)
|
|
|
|
{
|
lockfile: avoid transitory invalid states
Because remove_lock_file() can be called any time by the signal
handler, it is important that any lock_file objects that are in the
lock_file_list are always in a valid state. And since lock_file
objects are often reused (but are never removed from lock_file_list),
that means we have to be careful whenever mutating a lock_file object
to always keep it in a well-defined state.
This was formerly not the case, because part of the state was encoded
by setting lk->filename to the empty string vs. a valid filename. It
is wrong to assume that this string can be updated atomically; for
example, even
strcpy(lk->filename, value)
is unsafe. But the old code was even more reckless; for example,
strcpy(lk->filename, path);
if (!(flags & LOCK_NODEREF))
resolve_symlink(lk->filename, max_path_len);
strcat(lk->filename, ".lock");
During the call to resolve_symlink(), lk->filename contained the name
of the file that was being locked, not the name of the lockfile. If a
signal were raised during that interval, then the signal handler would
have deleted the valuable file!
We could probably continue to use the filename field to encode the
state by being careful to write characters 1..N-1 of the filename
first, and then overwrite the NUL at filename[0] with the first
character of the filename, but that would be awkward and error-prone.
So, instead of using the filename field to determine whether the
lock_file object is active, add a new field "lock_file::active" for
this purpose. Be careful to set this field only when filename really
contains the name of a file that should be deleted on cleanup.
Helped-by: Johannes Sixt <j6t@kdbg.org>
Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2014-10-01 14:28:27 +04:00
|
|
|
if (!lk->active)
|
2014-10-01 14:28:09 +04:00
|
|
|
return;
|
|
|
|
|
2014-10-01 14:28:22 +04:00
|
|
|
if (!close_lock_file(lk)) {
|
2014-10-01 14:28:32 +04:00
|
|
|
unlink_or_warn(lk->filename.buf);
|
lockfile: avoid transitory invalid states
Because remove_lock_file() can be called any time by the signal
handler, it is important that any lock_file objects that are in the
lock_file_list are always in a valid state. And since lock_file
objects are often reused (but are never removed from lock_file_list),
that means we have to be careful whenever mutating a lock_file object
to always keep it in a well-defined state.
This was formerly not the case, because part of the state was encoded
by setting lk->filename to the empty string vs. a valid filename. It
is wrong to assume that this string can be updated atomically; for
example, even
strcpy(lk->filename, value)
is unsafe. But the old code was even more reckless; for example,
strcpy(lk->filename, path);
if (!(flags & LOCK_NODEREF))
resolve_symlink(lk->filename, max_path_len);
strcat(lk->filename, ".lock");
During the call to resolve_symlink(), lk->filename contained the name
of the file that was being locked, not the name of the lockfile. If a
signal were raised during that interval, then the signal handler would
have deleted the valuable file!
We could probably continue to use the filename field to encode the
state by being careful to write characters 1..N-1 of the filename
first, and then overwrite the NUL at filename[0] with the first
character of the filename, but that would be awkward and error-prone.
So, instead of using the filename field to determine whether the
lock_file object is active, add a new field "lock_file::active" for
this purpose. Be careful to set this field only when filename really
contains the name of a file that should be deleted on cleanup.
Helped-by: Johannes Sixt <j6t@kdbg.org>
Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2014-10-01 14:28:27 +04:00
|
|
|
lk->active = 0;
|
2014-10-01 14:28:32 +04:00
|
|
|
strbuf_reset(&lk->filename);
|
2007-11-13 23:05:03 +03:00
|
|
|
}
|
2006-06-06 23:51:49 +04:00
|
|
|
}
|