repoview: discard filtered changelog if index isn't shared with unfiltered
Before this patch, revisions rollbacked at failure of previous
transaction might be visible at subsequent operations unintentionally,
if repoview object is reused even after failure of transaction:
e.g. command server and HTTP server are typical cases.
'repoview' uses the tuple of values below of unfiltered changelog as
"the key" to examine validity of filtered changelog cache.
- length
- tip node
- filtered revisions (as hashed value)
- '_delayed' field
'repoview' compares between "the key" of unfiltered changelog at
previous caching and now, and reuses filtered changelog cache if no
change is detected.
But this comparison indicates only that there is no change between
unfiltered 'repo.changelog' at last caching and now, but not that
filtered changelog cache is valid for current unfiltered one.
'repoview' uses "shallow copy" of unfiltered changelog to create
filtered changelog cache. In this case, 'index' buffer of unfiltered
changelog is also referred by filtered changelog.
At failure of transaction, unfiltered changelog itself is invalidated
(= un-referred) on the 'repo' side (see
0a7610758c42 also). But
'index' of it still contains revisions to be rollbacked at this
failure, and is referred by filtered changelog.
Therefore, even if there is no change between unfiltered
'repo.changelog' at last caching and now, steps below makes rollbacked
revisions visible via filtered changelog unintentionally.
1. instantiate unfiltered changelog as 'repo.changelog'
(call it CL1)
2. make filtered (= shallow copy of) CL1
(call it FCL1)
3. cache FCL1 with "the key" of CL1
4. revisions are appended to 'index', which is shared by CL1 and FCL1
5. invalidate 'repo.changelog' (= CL1) at failure of transaction
6. instantiate 'repo.changelog' again at next operation
(call it CL2)
CL2 doesn't have revisions added at (4), because it is
instantiated from '00changelog.i', which isn't changed while
failed transaction.
7. compare between "the key" of CL1 and CL2
8. FCL1 cached at (3) is reused, because comparison at (7) doesn't
detect change between CL1 at (1) and CL2
9. revisions rollbacked at (5) are visible via FCL1 unintentionally,
because FCL1 still refers 'index' changed at (4)
The root cause of this issue is that there is no examination about
validity of filtered changelog cache against current unfiltered one.
This patch discards filtered changelog cache, if its 'index' object
isn't shared with unfiltered one.
BTW, at the time of this patch, redundant truncation of
'00changelog.i' at failure of transaction (see
0a7610758c42 for
detail) often prevents "hg serve" from making already rollbacked
revisions visible, because updating timestamps of '00changelog.i' by
truncation makes "hg serve" discard old repoview object with invalid
filtered changelog cache.
This is reason why this issue is overlooked before this patch, even
though test-bundle2-exchange.t has tests in similar situation: failure
of "hg push" via HTTP by pretxnclose hook on server side doesn't
prevent subsequent commands from looking up outgoing revisions
correctly.
But timestamp on the filesystem doesn't have enough resolution for
recent computation power, and it can't be assumed that this avoidance
always works as expected.
Therefore, without this patch, this issue might appear occasionally.
# same user, same group
trusted
global = /some/path
local = /another/path
untrusted
. . global = /some/path
. . local = /another/path
# same user, different group
trusted
global = /some/path
local = /another/path
untrusted
. . global = /some/path
. . local = /another/path
# different user, same group
not trusting file .hg/hgrc from untrusted user abc, group bar
trusted
global = /some/path
untrusted
. . global = /some/path
. . local = /another/path
# different user, same group, but we trust the group
trusted
global = /some/path
local = /another/path
untrusted
. . global = /some/path
. . local = /another/path
# different user, different group
not trusting file .hg/hgrc from untrusted user abc, group def
trusted
global = /some/path
untrusted
. . global = /some/path
. . local = /another/path
# different user, different group, but we trust the user
trusted
global = /some/path
local = /another/path
untrusted
. . global = /some/path
. . local = /another/path
# different user, different group, but we trust the group
trusted
global = /some/path
local = /another/path
untrusted
. . global = /some/path
. . local = /another/path
# different user, different group, but we trust the user and the group
trusted
global = /some/path
local = /another/path
untrusted
. . global = /some/path
. . local = /another/path
# we trust all users
# different user, different group
trusted
global = /some/path
local = /another/path
untrusted
. . global = /some/path
. . local = /another/path
# we trust all groups
# different user, different group
trusted
global = /some/path
local = /another/path
untrusted
. . global = /some/path
. . local = /another/path
# we trust all users and groups
# different user, different group
trusted
global = /some/path
local = /another/path
untrusted
. . global = /some/path
. . local = /another/path
# we don't get confused by users and groups with the same name
# different user, different group
not trusting file .hg/hgrc from untrusted user abc, group def
trusted
global = /some/path
untrusted
. . global = /some/path
. . local = /another/path
# list of user names
# different user, different group, but we trust the user
trusted
global = /some/path
local = /another/path
untrusted
. . global = /some/path
. . local = /another/path
# list of group names
# different user, different group, but we trust the group
trusted
global = /some/path
local = /another/path
untrusted
. . global = /some/path
. . local = /another/path
# Can't figure out the name of the user running this process
# different user, different group
not trusting file .hg/hgrc from untrusted user abc, group def
trusted
global = /some/path
untrusted
. . global = /some/path
. . local = /another/path
# prints debug warnings
# different user, different group
not trusting file .hg/hgrc from untrusted user abc, group def
trusted
ignoring untrusted configuration option paths.local = /another/path
global = /some/path
untrusted
. . global = /some/path
.ignoring untrusted configuration option paths.local = /another/path
. local = /another/path
# report_untrusted enabled without debug hides warnings
# different user, different group
trusted
global = /some/path
untrusted
. . global = /some/path
. . local = /another/path
# report_untrusted enabled with debug shows warnings
# different user, different group
not trusting file .hg/hgrc from untrusted user abc, group def
trusted
ignoring untrusted configuration option paths.local = /another/path
global = /some/path
untrusted
. . global = /some/path
.ignoring untrusted configuration option paths.local = /another/path
. local = /another/path
# ui.readconfig sections
quux
# read trusted, untrusted, new ui, trusted
not trusting file foobar from untrusted user abc, group def
trusted:
ignoring untrusted configuration option foobar.baz = quux
None
untrusted:
quux
# error handling
# file doesn't exist
# same user, same group
# different user, different group
# parse error
# different user, different group
not trusting file .hg/hgrc from untrusted user abc, group def
('foo', '.hg/hgrc:1')
# same user, same group
('foo', '.hg/hgrc:1')