repoview: discard filtered changelog if index isn't shared with unfiltered
Before this patch, revisions rollbacked at failure of previous
transaction might be visible at subsequent operations unintentionally,
if repoview object is reused even after failure of transaction:
e.g. command server and HTTP server are typical cases.
'repoview' uses the tuple of values below of unfiltered changelog as
"the key" to examine validity of filtered changelog cache.
- length
- tip node
- filtered revisions (as hashed value)
- '_delayed' field
'repoview' compares between "the key" of unfiltered changelog at
previous caching and now, and reuses filtered changelog cache if no
change is detected.
But this comparison indicates only that there is no change between
unfiltered 'repo.changelog' at last caching and now, but not that
filtered changelog cache is valid for current unfiltered one.
'repoview' uses "shallow copy" of unfiltered changelog to create
filtered changelog cache. In this case, 'index' buffer of unfiltered
changelog is also referred by filtered changelog.
At failure of transaction, unfiltered changelog itself is invalidated
(= un-referred) on the 'repo' side (see
0a7610758c42 also). But
'index' of it still contains revisions to be rollbacked at this
failure, and is referred by filtered changelog.
Therefore, even if there is no change between unfiltered
'repo.changelog' at last caching and now, steps below makes rollbacked
revisions visible via filtered changelog unintentionally.
1. instantiate unfiltered changelog as 'repo.changelog'
(call it CL1)
2. make filtered (= shallow copy of) CL1
(call it FCL1)
3. cache FCL1 with "the key" of CL1
4. revisions are appended to 'index', which is shared by CL1 and FCL1
5. invalidate 'repo.changelog' (= CL1) at failure of transaction
6. instantiate 'repo.changelog' again at next operation
(call it CL2)
CL2 doesn't have revisions added at (4), because it is
instantiated from '00changelog.i', which isn't changed while
failed transaction.
7. compare between "the key" of CL1 and CL2
8. FCL1 cached at (3) is reused, because comparison at (7) doesn't
detect change between CL1 at (1) and CL2
9. revisions rollbacked at (5) are visible via FCL1 unintentionally,
because FCL1 still refers 'index' changed at (4)
The root cause of this issue is that there is no examination about
validity of filtered changelog cache against current unfiltered one.
This patch discards filtered changelog cache, if its 'index' object
isn't shared with unfiltered one.
BTW, at the time of this patch, redundant truncation of
'00changelog.i' at failure of transaction (see
0a7610758c42 for
detail) often prevents "hg serve" from making already rollbacked
revisions visible, because updating timestamps of '00changelog.i' by
truncation makes "hg serve" discard old repoview object with invalid
filtered changelog cache.
This is reason why this issue is overlooked before this patch, even
though test-bundle2-exchange.t has tests in similar situation: failure
of "hg push" via HTTP by pretxnclose hook on server side doesn't
prevent subsequent commands from looking up outgoing revisions
correctly.
But timestamp on the filesystem doesn't have enough resolution for
recent computation power, and it can't be assumed that this avoidance
always works as expected.
Therefore, without this patch, this issue might appear occasionally.
#require unix-permissions
test that new files created in .hg inherit the permissions from .hg/store
$ mkdir dir
just in case somebody has a strange $TMPDIR
$ chmod g-s dir
$ cd dir
$ cat >printmodes.py <<EOF
> import os, sys
>
> allnames = []
> isdir = {}
> for root, dirs, files in os.walk(sys.argv[1]):
> for d in dirs:
> name = os.path.join(root, d)
> isdir[name] = 1
> allnames.append(name)
> for f in files:
> name = os.path.join(root, f)
> allnames.append(name)
> allnames.sort()
> for name in allnames:
> suffix = name in isdir and '/' or ''
> print '%05o %s%s' % (os.lstat(name).st_mode & 07777, name, suffix)
> EOF
$ cat >mode.py <<EOF
> import sys
> import os
> print '%05o' % os.lstat(sys.argv[1]).st_mode
> EOF
$ umask 077
$ hg init repo
$ cd repo
$ chmod 0770 .hg/store
before commit
store can be written by the group, other files cannot
store is setgid
$ python ../printmodes.py .
00700 ./.hg/
00600 ./.hg/00changelog.i
00600 ./.hg/requires
00770 ./.hg/store/
$ mkdir dir
$ touch foo dir/bar
$ hg ci -qAm 'add files'
after commit
working dir files can only be written by the owner
files created in .hg can be written by the group
(in particular, store/**, dirstate, branch cache file, undo files)
new directories are setgid
$ python ../printmodes.py .
00700 ./.hg/
00600 ./.hg/00changelog.i
00770 ./.hg/cache/
00660 ./.hg/cache/branch2-served
00660 ./.hg/cache/rbc-names-v1
00660 ./.hg/cache/rbc-revs-v1
00660 ./.hg/dirstate
00660 ./.hg/last-message.txt
00600 ./.hg/requires
00770 ./.hg/store/
00660 ./.hg/store/00changelog.i
00660 ./.hg/store/00manifest.i
00770 ./.hg/store/data/
00770 ./.hg/store/data/dir/
00660 ./.hg/store/data/dir/bar.i
00660 ./.hg/store/data/foo.i
00660 ./.hg/store/fncache
00660 ./.hg/store/phaseroots
00660 ./.hg/store/undo
00660 ./.hg/store/undo.backupfiles
00660 ./.hg/store/undo.phaseroots
00660 ./.hg/undo.backup.dirstate
00660 ./.hg/undo.bookmarks
00660 ./.hg/undo.branch
00660 ./.hg/undo.desc
00660 ./.hg/undo.dirstate
00700 ./dir/
00600 ./dir/bar
00600 ./foo
$ umask 007
$ hg init ../push
before push
group can write everything
$ python ../printmodes.py ../push
00770 ../push/.hg/
00660 ../push/.hg/00changelog.i
00660 ../push/.hg/requires
00770 ../push/.hg/store/
$ umask 077
$ hg -q push ../push
after push
group can still write everything
$ python ../printmodes.py ../push
00770 ../push/.hg/
00660 ../push/.hg/00changelog.i
00770 ../push/.hg/cache/
00660 ../push/.hg/cache/branch2-base
00660 ../push/.hg/cache/rbc-names-v1
00660 ../push/.hg/cache/rbc-revs-v1
00660 ../push/.hg/requires
00770 ../push/.hg/store/
00660 ../push/.hg/store/00changelog.i
00660 ../push/.hg/store/00manifest.i
00770 ../push/.hg/store/data/
00770 ../push/.hg/store/data/dir/
00660 ../push/.hg/store/data/dir/bar.i
00660 ../push/.hg/store/data/foo.i
00660 ../push/.hg/store/fncache
00660 ../push/.hg/store/undo
00660 ../push/.hg/store/undo.backupfiles
00660 ../push/.hg/store/undo.phaseroots
00660 ../push/.hg/undo.bookmarks
00660 ../push/.hg/undo.branch
00660 ../push/.hg/undo.desc
00660 ../push/.hg/undo.dirstate
Test that we don't lose the setgid bit when we call chmod.
Not all systems support setgid directories (e.g. HFS+), so
just check that directories have the same mode.
$ cd ..
$ hg init setgid
$ cd setgid
$ chmod g+rwx .hg/store
$ chmod g+s .hg/store 2> /dev/null || true
$ mkdir dir
$ touch dir/file
$ hg ci -qAm 'add dir/file'
$ storemode=`python ../mode.py .hg/store`
$ dirmode=`python ../mode.py .hg/store/data/dir`
$ if [ "$storemode" != "$dirmode" ]; then
> echo "$storemode != $dirmode"
> fi
$ cd ..
$ cd .. # g-s dir