Merge branch 'jk/check-corrupt-objects-carefully'

Have the streaming interface and other codepaths more carefully
examine for corrupt objects.

* jk/check-corrupt-objects-carefully:
  clone: leave repo in place after checkout errors
  clone: run check_everything_connected
  clone: die on errors from unpack_trees
  add tests for cloning corrupted repositories
  streaming_write_entry: propagate streaming errors
  add test for streaming corrupt blobs
  avoid infinite loop in read_istream_loose
  read_istream_filtered: propagate read error from upstream
  check_sha1_signature: check return value from read_istream
  stream_blob_to_fd: detect errors reading from stream
This commit is contained in:
Junio C Hamano 2013-04-03 09:34:28 -07:00
commit b9c78e9723
6 changed files with 174 additions and 18 deletions

View File

@ -23,6 +23,7 @@
#include "branch.h"
#include "remote.h"
#include "run-command.h"
#include "connected.h"
/*
* Overall FIXMEs:
@ -376,10 +377,32 @@ static void clone_local(const char *src_repo, const char *dest_repo)
static const char *junk_work_tree;
static const char *junk_git_dir;
static pid_t junk_pid;
enum {
JUNK_LEAVE_NONE,
JUNK_LEAVE_REPO,
JUNK_LEAVE_ALL
} junk_mode = JUNK_LEAVE_NONE;
static const char junk_leave_repo_msg[] =
N_("Clone succeeded, but checkout failed.\n"
"You can inspect what was checked out with 'git status'\n"
"and retry the checkout with 'git checkout -f HEAD'\n");
static void remove_junk(void)
{
struct strbuf sb = STRBUF_INIT;
switch (junk_mode) {
case JUNK_LEAVE_REPO:
warning("%s", _(junk_leave_repo_msg));
/* fall-through */
case JUNK_LEAVE_ALL:
return;
default:
/* proceed to removal */
break;
}
if (getpid() != junk_pid)
return;
if (junk_git_dir) {
@ -485,12 +508,37 @@ static void write_followtags(const struct ref *refs, const char *msg)
}
}
static int iterate_ref_map(void *cb_data, unsigned char sha1[20])
{
struct ref **rm = cb_data;
struct ref *ref = *rm;
/*
* Skip anything missing a peer_ref, which we are not
* actually going to write a ref for.
*/
while (ref && !ref->peer_ref)
ref = ref->next;
/* Returning -1 notes "end of list" to the caller. */
if (!ref)
return -1;
hashcpy(sha1, ref->old_sha1);
*rm = ref->next;
return 0;
}
static void update_remote_refs(const struct ref *refs,
const struct ref *mapped_refs,
const struct ref *remote_head_points_at,
const char *branch_top,
const char *msg)
{
const struct ref *rm = mapped_refs;
if (check_everything_connected(iterate_ref_map, 0, &rm))
die(_("remote did not send all necessary objects"));
if (refs) {
write_remote_refs(mapped_refs);
if (option_single_branch)
@ -579,7 +627,8 @@ static int checkout(void)
tree = parse_tree_indirect(sha1);
parse_tree(tree);
init_tree_desc(&t, tree->buffer, tree->size);
unpack_trees(1, &t, &opts);
if (unpack_trees(1, &t, &opts) < 0)
die(_("unable to checkout working tree"));
if (write_cache(fd, active_cache, active_nr) ||
commit_locked_index(lock_file))
@ -898,12 +947,13 @@ int cmd_clone(int argc, const char **argv, const char *prefix)
transport_unlock_pack(transport);
transport_disconnect(transport);
junk_mode = JUNK_LEAVE_REPO;
err = checkout();
strbuf_release(&reflog_msg);
strbuf_release(&branch_top);
strbuf_release(&key);
strbuf_release(&value);
junk_pid = 0;
junk_mode = JUNK_LEAVE_ALL;
return err;
}

16
entry.c
View File

@ -120,16 +120,18 @@ static int streaming_write_entry(struct cache_entry *ce, char *path,
const struct checkout *state, int to_tempfile,
int *fstat_done, struct stat *statbuf)
{
int result = -1;
int result = 0;
int fd;
fd = open_output_fd(path, ce, to_tempfile);
if (0 <= fd) {
result = stream_blob_to_fd(fd, ce->sha1, filter, 1);
*fstat_done = fstat_output(fd, state, statbuf);
result = close(fd);
}
if (result && 0 <= fd)
if (fd < 0)
return -1;
result |= stream_blob_to_fd(fd, ce->sha1, filter, 1);
*fstat_done = fstat_output(fd, state, statbuf);
result |= close(fd);
if (result)
unlink(path);
return result;
}

View File

@ -1271,6 +1271,10 @@ int check_sha1_signature(const unsigned char *sha1, void *map,
char buf[1024 * 16];
ssize_t readlen = read_istream(st, buf, sizeof(buf));
if (readlen < 0) {
close_istream(st);
return -1;
}
if (!readlen)
break;
git_SHA1_Update(&c, buf, readlen);

View File

@ -237,7 +237,7 @@ static read_method_decl(filtered)
if (!fs->input_finished) {
fs->i_end = read_istream(fs->upstream, fs->ibuf, FILTER_BUFFER);
if (fs->i_end < 0)
break;
return -1;
if (fs->i_end)
continue;
}
@ -309,7 +309,7 @@ static read_method_decl(loose)
st->z_state = z_done;
break;
}
if (status != Z_OK && status != Z_BUF_ERROR) {
if (status != Z_OK && (status != Z_BUF_ERROR || total_read < sz)) {
git_inflate_end(&st->z);
st->z_state = z_error;
return -1;
@ -514,6 +514,8 @@ int stream_blob_to_fd(int fd, unsigned const char *sha1, struct stream_filter *f
ssize_t wrote, holeto;
ssize_t readlen = read_istream(st, buf, sizeof(buf));
if (readlen < 0)
goto close_and_exit;
if (!readlen)
break;
if (can_seek && sizeof(buf) == readlen) {

104
t/t1060-object-corruption.sh Executable file
View File

@ -0,0 +1,104 @@
#!/bin/sh
test_description='see how we handle various forms of corruption'
. ./test-lib.sh
# convert "1234abcd" to ".git/objects/12/34abcd"
obj_to_file() {
echo "$(git rev-parse --git-dir)/objects/$(git rev-parse "$1" | sed 's,..,&/,')"
}
# Convert byte at offset "$2" of object "$1" into '\0'
corrupt_byte() {
obj_file=$(obj_to_file "$1") &&
chmod +w "$obj_file" &&
printf '\0' | dd of="$obj_file" bs=1 seek="$2" conv=notrunc
}
test_expect_success 'setup corrupt repo' '
git init bit-error &&
(
cd bit-error &&
test_commit content &&
corrupt_byte HEAD:content.t 10
)
'
test_expect_success 'setup repo with missing object' '
git init missing &&
(
cd missing &&
test_commit content &&
rm -f "$(obj_to_file HEAD:content.t)"
)
'
test_expect_success 'setup repo with misnamed object' '
git init misnamed &&
(
cd misnamed &&
test_commit content &&
good=$(obj_to_file HEAD:content.t) &&
blob=$(echo corrupt | git hash-object -w --stdin) &&
bad=$(obj_to_file $blob) &&
rm -f "$good" &&
mv "$bad" "$good"
)
'
test_expect_success 'streaming a corrupt blob fails' '
(
cd bit-error &&
test_must_fail git cat-file blob HEAD:content.t
)
'
test_expect_success 'read-tree -u detects bit-errors in blobs' '
(
cd bit-error &&
rm -f content.t &&
test_must_fail git read-tree --reset -u HEAD
)
'
test_expect_success 'read-tree -u detects missing objects' '
(
cd missing &&
rm -f content.t &&
test_must_fail git read-tree --reset -u HEAD
)
'
# We use --bare to make sure that the transport detects it, not the checkout
# phase.
test_expect_success 'clone --no-local --bare detects corruption' '
test_must_fail git clone --no-local --bare bit-error corrupt-transport
'
test_expect_success 'clone --no-local --bare detects missing object' '
test_must_fail git clone --no-local --bare missing missing-transport
'
test_expect_success 'clone --no-local --bare detects misnamed object' '
test_must_fail git clone --no-local --bare misnamed misnamed-transport
'
# We do not expect --local to detect corruption at the transport layer,
# so we are really checking the checkout() code path.
test_expect_success 'clone --local detects corruption' '
test_must_fail git clone --local bit-error corrupt-checkout
'
test_expect_success 'error detected during checkout leaves repo intact' '
test_path_is_dir corrupt-checkout/.git
'
test_expect_success 'clone --local detects missing objects' '
test_must_fail git clone --local missing missing-checkout
'
test_expect_failure 'clone --local detects misnamed objects' '
test_must_fail git clone --local misnamed misnamed-checkout
'
test_done

View File

@ -58,13 +58,7 @@ test_expect_success 'creating too deep nesting' \
git clone -l -s D E &&
git clone -l -s E F &&
git clone -l -s F G &&
git clone -l -s G H'
test_expect_success 'invalidity of deepest repository' \
'cd H && {
test_valid_repo
test $? -ne 0
}'
test_must_fail git clone --bare -l -s G H'
cd "$base_dir"