From 3f2e2297b9c88a6ab5fc4bff02cf2a07ce057589 Mon Sep 17 00:00:00 2001 
From: Jeff King Date: Fri, 1 Jul 2016 01:58:58 -0400 Subject: add an extra level of indirection to main() There are certain startup tasks that we expect every git process to do. In some cases this is just to improve the quality of the program (e.g., setting up gettext()). In others it is a requirement for using certain functions in libgit.a (e.g., system_path() expects that you have called git_extract_argv0_path()). Most commands are builtins and are covered by the git.c version of main(). However, there are still a few external commands that use their own main(). Each of these has to remember to include the correct startup sequence, and we are not always consistent. Rather than just fix the inconsistencies, let's make this harder to get wrong by providing a common main() that can run this standard startup. We basically have two options to do this: - the compat/mingw.h file already does something like this by adding a #define that replaces the definition of main with a wrapper that calls mingw_startup(). The upside is that the code in each program doesn't need to be changed at all; it's rewritten on the fly by the preprocessor. The downside is that it may make debugging of the startup sequence a bit more confusing, as the preprocessor is quietly inserting new code. - the builtin functions are all of the form cmd_foo(), and git.c's main() calls them. This is much more explicit, which may make things more obvious to somebody reading the code. It's also more flexible (because of course we have to figure out _which_ cmd_foo() to call). The downside is that each of the builtins must define cmd_foo(), instead of just main(). This patch chooses the latter option, preferring the more explicit approach, even though it is more invasive. We introduce a new file common-main.c, with the "real" main. It expects to call cmd_main() from whatever other objects it is linked against. 
We link common-main.o against anything that links against libgit.a, since we know that such programs will need to do this setup. Note that common-main.o can't actually go inside libgit.a, as the linker would not pick up its main() function automatically (it has no callers). The rest of the patch is just adjusting all of the various external programs (mostly in t/helper) to use cmd_main(). I've provided a global declaration for cmd_main(), which means that all of the programs also need to match its signature. In particular, many functions need to switch to "const char **" instead of "char **" for argv. This effect ripples out to a few other variables and functions, as well. This makes the patch even more invasive, but the end result is much better. We should be treating argv strings as const anyway, and now all programs conform to the same signature (which also matches the way builtins are defined). Signed-off-by: Jeff King Signed-off-by: Junio C Hamano --- common-main.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 common-main.c (limited to 'common-main.c') diff --git a/common-main.c b/common-main.c new file mode 100644 index 0000000000..2b96bbf436 --- /dev/null +++ b/common-main.c @@ -0,0 +1,12 @@ +#include "git-compat-util.h" + +int main(int argc, char **av) +{ + /* + * This const trickery is explained in + * 84d32bf7678259c08406571cd6ce4b7a6724dcba + */ + const char **argv = (const char **)av; + + return cmd_main(argc, argv); +} -- cgit v1.2.1 From 650c449250d7279dcbfe2f7cc23624955d53d339 Mon Sep 17 00:00:00 2001 
From: Jeff King Date: Fri, 1 Jul 2016 02:04:04 -0400 Subject: common-main: call git_extract_argv0_path() Every program which links against libgit.a must call this function, or risk hitting an assert() in system_path() that checks whether we have configured argv0_path (though only when RUNTIME_PREFIX is defined, so essentially only on Windows). Looking at the diff, you can see that putting it into the common main() saves us having to do it individually in each of the external commands. But what you can't see are the cases where we _should_ have been doing so, but weren't (e.g., git-credential-store, and all of the t/helper test programs). This has been an accident-waiting-to-happen for a long time, but wasn't triggered until recently because it involves one of those programs actually calling system_path(). That happened with git-credential-store in v2.8.0 with ae5f677 (lazily load core.sharedrepository, 2016-03-11). The program: - takes a lock file, which... - opens a tempfile, which... - calls adjust_shared_perm to fix permissions, which... - lazy-loads the config (as of ae5f677), which... - calls system_path() to find the location of /etc/gitconfig On systems with RUNTIME_PREFIX, this means credential-store reliably hits that assert() and cannot be used. We never noticed in the test suite, because we set GIT_CONFIG_NOSYSTEM there, which skips the system_path() lookup entirely. But if we were to tweak git_config() to find /etc/gitconfig even when we aren't going to open it, then the test suite shows multiple failures (for credential-store, and for some other test helpers). I didn't include that tweak here because it's way too specific to this particular call to be worth carrying around what is essentially dead code. The implementation is fairly straightforward, with one exception: there is exactly one caller (git.c) that actually cares about the result of the function, and not the side-effect of setting up argv0_path. 
We can accommodate that by simply replacing the value of argv[0] in the array we hand down to cmd_main(). Signed-off-by: Jeff King Signed-off-by: Junio C Hamano --- common-main.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'common-main.c') diff --git a/common-main.c b/common-main.c index 2b96bbf436..57c912a78e 100644 --- a/common-main.c +++ b/common-main.c @@ -1,4 +1,5 @@ #include "git-compat-util.h" +#include "exec_cmd.h" int main(int argc, char **av) { @@ -8,5 +9,7 @@ int main(int argc, char **av) */ const char **argv = (const char **)av; + argv[0] = git_extract_argv0_path(argv[0]); + return cmd_main(argc, argv); } -- cgit v1.2.1 From 57f5d52a942e8bbfa82e2741faf050de0d6b3eb3 Mon Sep 17 00:00:00 2001 From: Jeff King Date: Fri, 1 Jul 2016 02:06:02 -0400 Subject: common-main: call sanitize_stdfds() This is setup that should be done in every program for safety, but we never got around to adding it everywhere (so builtins benefited from the call in git.c, but any external commands did not). Putting it in the common main() gives us this safety everywhere. Note that the case in daemon.c is a little funny. We wait until we know whether we want to daemonize, and then either: - call daemonize(), which will close stdio and reopen it to /dev/null under the hood - sanitize_stdfds(), to fix up any odd cases But that is way too late; the point of sanitizing is to give us reliable descriptors on 0/1/2, and we will already have executed code, possibly called die(), etc. The sanitizing should be the very first thing that happens. With this patch, git-daemon will sanitize first, and can remove the call in the non-daemonize case. It does mean that daemonize() may just end up closing the descriptors we opened, but that's not a big deal (it's not wrong to do so, nor is it really less optimal than the case where our parent process redirected us from /dev/null ahead of time). Signed-off-by: Jeff King 
Signed-off-by: Junio C Hamano --- common-main.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) (limited to 'common-main.c') diff --git a/common-main.c b/common-main.c index 57c912a78e..353c6ea175 100644 --- a/common-main.c +++ b/common-main.c @@ -1,4 +1,4 @@ -#include "git-compat-util.h" +#include "cache.h" #include "exec_cmd.h" int main(int argc, char **av) @@ -9,6 +9,13 @@ int main(int argc, char **av) */ const char **argv = (const char **)av; + /* + * Always open file descriptors 0/1/2 to avoid clobbering files + * in die(). It also avoids messing up when the pipes are dup'ed + * onto stdin/stdout/stderr in the child processes we spawn. + */ + sanitize_stdfds(); + argv[0] = git_extract_argv0_path(argv[0]); return cmd_main(argc, argv); -- cgit v1.2.1 From 12e0437f237ad72df3a2f3f8b067cf8097d792f1 Mon Sep 17 00:00:00 2001 From: Jeff King Date: Fri, 1 Jul 2016 02:06:35 -0400 Subject: common-main: call restore_sigpipe_to_default() This is another safety/sanity setup that should be in force everywhere, but which we only applied in git.c. This did catch most cases, since even external commands are typically run via "git ..." (and the restoration applies to sub-processes, too). But there were cases we missed, such as somebody calling git-upload-pack directly via ssh, or scripts which use dashed external commands directly. Signed-off-by: Jeff King Signed-off-by: Junio C Hamano --- common-main.c | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) (limited to 'common-main.c') diff --git a/common-main.c b/common-main.c index 353c6ea175..20e55ef7d7 100644 --- a/common-main.c +++ b/common-main.c 
@@ -1,6 +1,27 @@ #include "cache.h" #include "exec_cmd.h" +/* + * Many parts of Git have subprograms communicate via pipe, expect the + * upstream of a pipe to die with SIGPIPE when the downstream of a + * pipe does not need to read all that is written. Some third-party + * programs that ignore or block SIGPIPE for their own reason forget + * to restore SIGPIPE handling to the default before spawning Git and + * break this carefully orchestrated machinery. + * + * Restore the way SIGPIPE is handled to default, which is what we + * expect. + */ +static void restore_sigpipe_to_default(void) +{ + sigset_t unblock; + + sigemptyset(&unblock); + sigaddset(&unblock, SIGPIPE); + sigprocmask(SIG_UNBLOCK, &unblock, NULL); + signal(SIGPIPE, SIG_DFL); +} + int main(int argc, char **av) { /* @@ -18,5 +39,7 @@ int main(int argc, char **av) argv[0] = git_extract_argv0_path(argv[0]); + restore_sigpipe_to_default(); + return cmd_main(argc, argv); } -- cgit v1.2.1 From 5ce5f5fa5ad3de3c36fdd00df2d5c045ad1d7f04 Mon Sep 17 00:00:00 2001 From: Jeff King Date: Fri, 1 Jul 2016 02:07:01 -0400 Subject: common-main: call git_setup_gettext() This should be part of every program, as otherwise users do not get translated error messages. However, some external commands forgot to do so (e.g., git-credential-store). This fixes them, and eliminates the repeated code in programs that did remember to use it. Signed-off-by: Jeff King Signed-off-by: Junio C Hamano --- common-main.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'common-main.c') diff --git a/common-main.c b/common-main.c index 20e55ef7d7..3be5ad18e1 100644 --- a/common-main.c +++ b/common-main.c @@ -37,6 +37,8 @@ int main(int argc, char **av) */ sanitize_stdfds(); + git_setup_gettext(); + argv[0] = git_extract_argv0_path(argv[0]); restore_sigpipe_to_default(); -- cgit v1.2.1 From 08aade7080ef7955eb356c6590187be3b55dcbcd Mon Sep 17 00:00:00 2001 
From: Johannes Schindelin Date: Fri, 1 Jul 2016 15:01:28 +0200 Subject: mingw: declare main()'s argv as const In 84d32bf (sparse: Fix mingw_main() argument number/type errors, 2013-04-27), we addressed problems identified by the 'sparse' tool where argv was declared inconsistently. The way we addressed it was by casting from the non-const version to the const-version. This patch is long overdue, fixing compat/mingw.h's declaration to make the "argv" parameter const. This also allows us to lose the "const" trickery introduced earlier to common-main.c:main(). Signed-off-by: Johannes Schindelin Signed-off-by: Junio C Hamano --- common-main.c | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) (limited to 'common-main.c') diff --git a/common-main.c b/common-main.c index 3be5ad18e1..44a29e8b13 100644 --- a/common-main.c +++ b/common-main.c @@ -22,14 +22,8 @@ static void restore_sigpipe_to_default(void) signal(SIGPIPE, SIG_DFL); } -int main(int argc, char **av) +int main(int argc, const char **argv) { - /* - * This const trickery is explained in - * 84d32bf7678259c08406571cd6ce4b7a6724dcba - */ - const char **argv = (const char **)av; - /* * Always open file descriptors 0/1/2 to avoid clobbering files * in die(). It also avoids messing up when the pipes are dup'ed -- cgit v1.2.1
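Review bot: in "add an extra level of indirection to main()", the comment above the cast in main() explains the const conversion only by naming commit 84d32bf7678259c08406571cd6ce4b7a6724dcba, so a reader of common-main.c has to look that commit up to learn why `(const char **)av` is needed. A one-line summary of the mismatch being worked around, kept next to the hash, would leave the file self-explanatory.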
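Review bot: in "common-main: call git_extract_argv0_path()", the added line `argv[0] = git_extract_argv0_path(argv[0]);` reads argv[0] without looking at argc, and a parent process can exec a program with an empty argument vector, in which case argv[0] is NULL. The hunk does not show how git_extract_argv0_path() treats a NULL or empty string or what it returns for one. Since its return value now replaces argv[0] for every cmd_main(), a short comment stating what cmd_main() implementations may assume about argv[0] would help.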
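Review bot: in "common-main: call sanitize_stdfds()", the new comment above sanitize_stdfds() says why descriptors 0/1/2 are opened but not that the call has to stay the first statement in main(), which is the requirement the commit message spells out for daemon.c. This function is where later startup calls get added, so a sentence in the comment saying that nothing which can write to stderr or call die() may precede it would keep the ordering from being lost. The first line of the hunk also swaps git-compat-util.h for cache.h without a mention in the message; a word on which declaration that brings in would be useful.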
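Review bot: in "common-main: call restore_sigpipe_to_default()", the call is placed after `argv[0] = git_extract_argv0_path(argv[0]);` in the second hunk, although the helper takes no arguments and depends on nothing set up before it. Moving it up next to sanitize_stdfds() would group the two fixups of inherited process state and shorten the window in which a SIGPIPE disposition inherited from the parent is still in effect.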
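Review bot: in "common-main: call git_setup_gettext()", the new call is inserted above `argv[0] = git_extract_argv0_path(argv[0]);`, so it runs before argv0_path has been configured. The earlier message in this series says system_path() asserts on that when RUNTIME_PREFIX is defined. The hunk does not show whether git_setup_gettext() resolves its locale directory through system_path(); if it does, the two lines should be swapped, and if it does not, a comment saying the order is safe would save the next reader the check.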
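Review bot: in "mingw: declare main()'s argv as const", the new definition `int main(int argc, const char **argv)` applies on every platform, not only under the compat/mingw.h wrapper, and it differs from the `char **` form the C standard gives for main(), which some compilers warn about in pedantic mode. The diff shown is limited to common-main.c, so the mingw.h side is not visible here. The commit message should say that the non-standard signature on non-Windows builds is intended, or the removed comment should be replaced with one line noting it.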