<feed xmlns='http://www.w3.org/2005/Atom'>
<title>git/commit-graph.c, branch v2.42.3</title>
<subtitle>Fork of git SCM with my patches.</subtitle>
<id>http://git.kilabit.info/git/atom?h=v2.42.3</id>
<link rel='self' href='http://git.kilabit.info/git/atom?h=v2.42.3'/>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/git/'/>
<updated>2023-08-21T23:16:23Z</updated>
<entry>
<title>commit-graph: avoid repeated mixed generation number warnings</title>
<updated>2023-08-21T23:16:23Z</updated>
<author>
<name>Taylor Blau</name>
<email>me@ttaylorr.com</email>
</author>
<published>2023-08-21T21:34:42Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/git/commit/?id=db6044d76261a996c03ce8f1e08240f326a42e15'/>
<id>urn:sha1:db6044d76261a996c03ce8f1e08240f326a42e15</id>
<content type='text'>
When validating that a commit-graph has either all zero, or all non-zero
generation numbers, we emit a warning on both the rising and falling
edge of transitioning between the two.

So if we are unfortunate enough to see a commit-graph which has a
repeating sequence of zero, then non-zero generation numbers, we'll
generate many warnings that contain more or less the same information.

Avoid this by keeping track of a single example for a commit with zero-
and non-zero generation, and emit a single warning at the end of
verification if both are non-NULL.

Co-authored-by: Jeff King &lt;peff@peff.net&gt;
Signed-off-by: Jeff King &lt;peff@peff.net&gt;
Signed-off-by: Taylor Blau &lt;me@ttaylorr.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>commit-graph: verify swapped zero/non-zero generation cases</title>
<updated>2023-08-21T23:07:33Z</updated>
<author>
<name>Jeff King</name>
<email>peff@peff.net</email>
</author>
<published>2023-08-21T21:34:37Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/git/commit/?id=cc9c9a00a50dc479ef59c7d2d03d1e3fcc8752a3'/>
<id>urn:sha1:cc9c9a00a50dc479ef59c7d2d03d1e3fcc8752a3</id>
<content type='text'>
In verify_one_commit_graph(), we have code that complains when a commit
is found with a generation number of zero, and then later with a
non-zero number. It works like this:

  1. When we see an entry with generation zero, we set the
     generation_zero flag to GENERATION_ZERO_EXISTS.

  2. When we later see an entry with a non-zero generation, we complain
     if the flag is GENERATION_ZERO_EXISTS.

There's a matching GENERATION_NUMBER_EXISTS value, which in theory would
be used to find the case that we see the entries in the opposite order:

  1. When we see an entry with a non-zero generation, we set the
     generation_zero flag to GENERATION_NUMBER_EXISTS.

  2. When we later see an entry with a zero generation, we complain if
     the flag is GENERATION_NUMBER_EXISTS.

But that doesn't work; step 2 is implemented, but there is no step 1. We
never use NUMBER_EXISTS at all, and Coverity rightly complains that step
2 is dead code.

We can fix that by implementing that step 1.

Signed-off-by: Jeff King &lt;peff@peff.net&gt;
Signed-off-by: Taylor Blau &lt;me@ttaylorr.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>commit-graph: introduce `commit_graph_generation_from_graph()`</title>
<updated>2023-08-21T23:07:33Z</updated>
<author>
<name>Taylor Blau</name>
<email>me@ttaylorr.com</email>
</author>
<published>2023-08-21T21:34:34Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/git/commit/?id=868c991155b3392e0b1a6aab8daab89bb93400f4'/>
<id>urn:sha1:868c991155b3392e0b1a6aab8daab89bb93400f4</id>
<content type='text'>
In 2ee11f7261 (commit-graph: return generation from memory, 2023-03-20),
the `commit_graph_generation()` function stopped returning zeros when
asked to locate the generation number of a given commit.

This was done at the time to prepare for a later change which set
generation values in memory, meaning that we could no longer rely on
`graph_pos` alone to tell us whether or not to trust the generation
number returned by this function.

In 2ee11f7261, it was noted that this change only impacted very old
commit-graphs, which were written with all commits having generation
number 0. Indeed, zero is not a valid generation number, so we should
never expect to see that value outside of the aforementioned case.

The test fallout in 2ee11f7261 indicated that we were no longer able to
fsck a specific old case of commit-graph corruption, where we see a
non-zero generation number after having seen a generation number of 0
earlier.

Introduce a variant of `commit_graph_generation()` which behaves like
that function did prior to 2ee11f7261, known as
`commit_graph_generation_from_graph()`. Then use this function in the
context of `verify_one_commit_graph()`, where we only want to trust the
values from the graph.

Signed-off-by: Taylor Blau &lt;me@ttaylorr.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>Merge branch 'tb/object-access-overflow-protection'</title>
<updated>2023-07-25T19:05:23Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2023-07-25T19:05:23Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/git/commit/?id=4488bb3bed8cc80aee1642d0cdc331c9ea6be8fb'/>
<id>urn:sha1:4488bb3bed8cc80aee1642d0cdc331c9ea6be8fb</id>
<content type='text'>
Various offset computations in the code that accesses the packfiles
and other data in the object layer have been hardened against
arithmetic overflow, especially on 32-bit systems.

* tb/object-access-overflow-protection:
  commit-graph.c: prevent overflow in `verify_commit_graph()`
  commit-graph.c: prevent overflow in `write_commit_graph()`
  commit-graph.c: prevent overflow in `merge_commit_graph()`
  commit-graph.c: prevent overflow in `split_graph_merge_strategy()`
  commit-graph.c: prevent overflow in `load_tree_for_commit()`
  commit-graph.c: prevent overflow in `fill_commit_in_graph()`
  commit-graph.c: prevent overflow in `fill_commit_graph_info()`
  commit-graph.c: prevent overflow in `load_oid_from_graph()`
  commit-graph.c: prevent overflow in add_graph_to_chain()
  commit-graph.c: prevent overflow in `write_commit_graph_file()`
  pack-bitmap.c: ensure that eindex lookups don't overflow
  midx.c: prevent overflow in `fill_included_packs_batch()`
  midx.c: prevent overflow in `write_midx_internal()`
  midx.c: store `nr`, `alloc` variables as `size_t`'s
  midx.c: prevent overflow in `nth_midxed_offset()`
  midx.c: prevent overflow in `nth_midxed_object_oid()`
  midx.c: use `size_t`'s for fanout nr and alloc
  packfile.c: use checked arithmetic in `nth_packed_object_offset()`
  packfile.c: prevent overflow in `load_idx()`
  packfile.c: prevent overflow in `nth_packed_object_id()`
</content>
</entry>
<entry>
<title>Merge branch 'tb/fsck-no-progress'</title>
<updated>2023-07-18T14:28:53Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2023-07-18T14:28:52Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/git/commit/?id=6016ee0a7130d3ad656def12d724d1525d39af9b'/>
<id>urn:sha1:6016ee0a7130d3ad656def12d724d1525d39af9b</id>
<content type='text'>
"git fsck --no-progress" still spewed noise from the commit-graph
subsystem, which has been corrected.

* tb/fsck-no-progress:
  commit-graph.c: avoid duplicated progress output during `verify`
  commit-graph.c: pass progress to `verify_one_commit_graph()`
  commit-graph.c: iteratively verify commit-graph chains
  commit-graph.c: extract `verify_one_commit_graph()`
  fsck: suppress MIDX output with `--no-progress`
  fsck: suppress commit-graph output with `--no-progress`
</content>
</entry>
<entry>
<title>commit-graph.c: prevent overflow in `verify_commit_graph()`</title>
<updated>2023-07-14T16:32:03Z</updated>
<author>
<name>Taylor Blau</name>
<email>me@ttaylorr.com</email>
</author>
<published>2023-07-12T23:38:19Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/git/commit/?id=9a25cad7e0228bfd16f2c41b34e9d71a4217085c'/>
<id>urn:sha1:9a25cad7e0228bfd16f2c41b34e9d71a4217085c</id>
<content type='text'>
In a similar spirit as previous commits, ensure that we don't overflow
when trying to read an OID out of an existing commit-graph during
verification.

Signed-off-by: Taylor Blau &lt;me@ttaylorr.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>commit-graph.c: prevent overflow in `write_commit_graph()`</title>
<updated>2023-07-14T16:32:03Z</updated>
<author>
<name>Taylor Blau</name>
<email>me@ttaylorr.com</email>
</author>
<published>2023-07-12T23:38:16Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/git/commit/?id=588af1bfd3c810e02df1d8adc37e9c43a7f97920'/>
<id>urn:sha1:588af1bfd3c810e02df1d8adc37e9c43a7f97920</id>
<content type='text'>
In a similar spirit as previous commits, ensure that we don't overflow
when trying to read an existing OID while writing a new commit-graph.

Signed-off-by: Taylor Blau &lt;me@ttaylorr.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>commit-graph.c: prevent overflow in `merge_commit_graph()`</title>
<updated>2023-07-14T16:32:03Z</updated>
<author>
<name>Taylor Blau</name>
<email>me@ttaylorr.com</email>
</author>
<published>2023-07-12T23:38:13Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/git/commit/?id=d76e0a744d3a8c1713f0e913325cab7da92f01ef'/>
<id>urn:sha1:d76e0a744d3a8c1713f0e913325cab7da92f01ef</id>
<content type='text'>
When merging two commit graphs, ensure that we don't attempt to merge
two graphs which, when combined, have more total commits than the 32-bit
unsigned maximum.

Signed-off-by: Taylor Blau &lt;me@ttaylorr.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>commit-graph.c: prevent overflow in `split_graph_merge_strategy()`</title>
<updated>2023-07-14T16:32:03Z</updated>
<author>
<name>Taylor Blau</name>
<email>me@ttaylorr.com</email>
</author>
<published>2023-07-12T23:38:11Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/git/commit/?id=19565d093d248ba4c2330d96314a547feed41112'/>
<id>urn:sha1:19565d093d248ba4c2330d96314a547feed41112</id>
<content type='text'>
In a similar spirit as previous commits, ensure that we don't overflow
when choosing how to split and merge different layers of the
commit-graph.

In particular, avoid a potential overflow between `size_mult` and
`num_commits`, as well as a potential overflow between the number of
commits currently in the merged graph, and the number of commits in the
graph about to be merged.

Signed-off-by: Taylor Blau &lt;me@ttaylorr.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>commit-graph.c: prevent overflow in `load_tree_for_commit()`</title>
<updated>2023-07-14T16:32:03Z</updated>
<author>
<name>Taylor Blau</name>
<email>me@ttaylorr.com</email>
</author>
<published>2023-07-12T23:38:08Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/git/commit/?id=51c31a6408c1eae3ad6c2f78ec136c1b415cad72'/>
<id>urn:sha1:51c31a6408c1eae3ad6c2f78ec136c1b415cad72</id>
<content type='text'>
In a similar spirit as previous commits, ensure that we don't overflow
when computing an offset into the commit_data chunk when the (relative)
graph position exceeds 2^32-1/GRAPH_DATA_WIDTH.

Signed-off-by: Taylor Blau &lt;me@ttaylorr.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
</feed>
