Mercurial Mercurial > hg-stable / file revision
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
mercurial/dummycert.pem
author Gregory Szorc <gregory.szorc@gmail.com>
Tue, 13 Nov 2018 12:32:05 -0800
changeset 40671 e9293c5f8bb9
parent 22575 d7f7f1860f00
permissions -rw-r--r--
revlog: automatically read from opened file handles The revlog reading code commonly opens a new file handle for reading on demand. There is support for passing a file handle to revlog.revision(). But it is marked as an internal argument. When revlogs are written, we write() data as it is available. But we don't flush() data until all revisions are written. Putting these two traits together, it is possible for an in-process revlog reader during active writes to trigger the opening of a new file handle on a file with unflushed writes. The reader won't have access to all "available" revlog data (as it hasn't been flushed). And with the introduction of the previous patch, this can lead to the revlog raising an error due to a partial read. I witnessed this behavior when applying changegroup data (via `hg pull`) before issue6006 was fixed via different means. Having this and the previous patch in play would have helped cause errors earlier rather than manifesting as hash verification failures. While this has been a long-standing issue, I believe the relatively new delta computation code has tickled it into being more common. This is because the new delta computation code will compute deltas in more scenarios. This can lead to revlog reading. While the delta computation code is probably supposed to reuse file handles, it appears it isn't doing so in all circumstances. But the issue runs deeper than that. Theoretically, any code can access revision data during revlog writes. It appears we were just getting lucky that it wasn't. (The "add revision callback" passed to addgroup() provides an avenue to do this.) If I changed the revlog's behavior to not cache the full revision text or to clear caches after revision insertion during addgroup(), I was able to produce crashes 100% of the time when writing changelog revisions. This is because changelog's add revision callback attempts to resolve the revision data to access the changed files list. And without the revision's fulltext being cached, we performed a revlog read, which required opening a new file handle. This attempted to read unflushed data, leading to a partial read and a crash. This commit teaches the revlog to store the file handles used for writing multiple revisions during addgroup(). It also teaches the code for resolving a file handle when reading to use these handles, if available. This ensures that *any* reads (regardless of their source) use the active writing file handles, if available. These file handles have access to the unflushed data because they wrote it. This allows reads to complete without issue. Differential Revision: https://phab.mercurial-scm.org/D5267

A dummy certificate that will make OS X 10.6+ Python use the system CA
certificate store:

-----BEGIN CERTIFICATE-----
MIIBIzCBzgIJANjmj39sb3FmMA0GCSqGSIb3DQEBBQUAMBkxFzAVBgNVBAMTDmhn
LmV4YW1wbGUuY29tMB4XDTE0MDgzMDA4NDU1OVoXDTE0MDgyOTA4NDU1OVowGTEX
MBUGA1UEAxMOaGcuZXhhbXBsZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEA
mh/ZySGlcq0ALNLmA1gZqt61HruywPrRk6WyrLJRgt+X7OP9FFlEfl2tzHfzqvmK
CtSQoPINWOdAJMekBYFgKQIDAQABMA0GCSqGSIb3DQEBBQUAA0EAF9h49LkSqJ6a
IlpogZuUHtihXeKZBsiktVIDlDccYsNy0RSh9XxUfhk+XMLw8jBlYvcltSXdJ7We
aKdQRekuMQ==
-----END CERTIFICATE-----

This certificate was generated to be syntactically valid but never be usable;
it expired before it became valid.

Created as:

  $ cat > cn.conf << EOT
  > [req]
  > distinguished_name = req_distinguished_name
  > [req_distinguished_name]
  > commonName = Common Name
  > commonName_default = no.example.com
  > EOT
  $ openssl req -nodes -new -x509 -keyout /dev/null \
  >   -out dummycert.pem -days -1 -config cn.conf -subj '/CN=hg.example.com'

To verify the content of this certificate:

  $ openssl x509 -in dummycert.pem -noout -text
  Certificate:
      Data:
          Version: 1 (0x0)
          Serial Number: 15629337334278746470 (0xd8e68f7f6c6f7166)
      Signature Algorithm: sha1WithRSAEncryption
          Issuer: CN=hg.example.com
          Validity
              Not Before: Aug 30 08:45:59 2014 GMT
              Not After : Aug 29 08:45:59 2014 GMT
          Subject: CN=hg.example.com
          Subject Public Key Info:
              Public Key Algorithm: rsaEncryption
                  Public-Key: (512 bit)
                  Modulus:
                      00:9a:1f:d9:c9:21:a5:72:ad:00:2c:d2:e6:03:58:
                      19:aa:de:b5:1e:bb:b2:c0:fa:d1:93:a5:b2:ac:b2:
                      51:82:df:97:ec:e3:fd:14:59:44:7e:5d:ad:cc:77:
                      f3:aa:f9:8a:0a:d4:90:a0:f2:0d:58:e7:40:24:c7:
                      a4:05:81:60:29
                  Exponent: 65537 (0x10001)
      Signature Algorithm: sha1WithRSAEncryption
           17:d8:78:f4:b9:12:a8:9e:9a:22:5a:68:81:9b:94:1e:d8:a1:
           5d:e2:99:06:c8:a4:b5:52:03:94:37:1c:62:c3:72:d1:14:a1:
           f5:7c:54:7e:19:3e:5c:c2:f0:f2:30:65:62:f7:25:b5:25:dd:
           27:b5:9e:68:a7:50:45:e9:2e:31
hg-stable