[BUG] git-check-ignore: Segmentation fault

[BUG] git-check-ignore: Segmentation fault

[Zoltan Klinger]

Hi there,

The new git-check-ignore command seg faults when
    (1) it is called with single dot path name at $GIT_DIR level  _AND_
    (2) and .gitignore has at least one directory pattern.

Git version: 1.8.2.rc0.16.g20a599e

Reproduce the bug:
    $ git --version
    git version 1.8.2.rc0.16.g20a599e
    $ mkdir test
    $ cd test
    $ git init
    $ git check-ignore .  # All good, no errors here
    $ echo "dirpattern/" > .gitignore
    $ git check-ignore .
    Segmentation fault (core dumped)

The segmentation fault is actually caused by hash_name(const char
*name, int namelen) function in name-hash.c when the 'name' argument
is an empty stringi and namelen is 0.

The empty string comes from a call to the prefix_path(prefix, len,
path) function in setup.c. In this instance arguments 'prefix' is
NULL, 'len' is 0 and 'path' is "." .

Cheers,
Zoltan

Re: [BUG] git-check-ignore: Segmentation fault

[Adam Spiers]

On Tue, Feb 19, 2013 at 5:24 AM, Zoltan Klinger
<zoltan.klinger@gmail.com> wrote:
> Hi there,
>
> The new git-check-ignore command seg faults when
>     (1) it is called with single dot path name at $GIT_DIR level  _AND_
>     (2) and .gitignore has at least one directory pattern.
>
> Git version: 1.8.2.rc0.16.g20a599e
>
> Reproduce the bug:
>     $ git --version
>     git version 1.8.2.rc0.16.g20a599e
>     $ mkdir test
>     $ cd test
>     $ git init
>     $ git check-ignore .  # All good, no errors here
>     $ echo "dirpattern/" > .gitignore
>     $ git check-ignore .
>     Segmentation fault (core dumped)
>
> The segmentation fault is actually caused by hash_name(const char
> *name, int namelen) function in name-hash.c when the 'name' argument
> is an empty stringi and namelen is 0.
>
> The empty string comes from a call to the prefix_path(prefix, len,
> path) function in setup.c. In this instance arguments 'prefix' is
> NULL, 'len' is 0 and 'path' is "." .

Good catch!  Thanks for the very helpful bug report.  I can reproduce
this, and have a fix - see follow-up mail to follow shortly.

[PATCH 1/2] t0008: document test_expect_success_multi

[Adam Spiers]

test_expect_success_multi() helper function warrants some explanation,
since at first sight it may seem like generic test framework plumbing,
but is in fact specific to testing check-ignore, and allows more
thorough testing of the various output formats without significantly
increase the size of t0008.

Signed-off-by: Adam Spiers <git@adamspiers.org>
---
 t/t0008-ignores.sh | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/t/t0008-ignores.sh b/t/t0008-ignores.sh
index d7df719..ebe7c70 100755
--- a/t/t0008-ignores.sh
+++ b/t/t0008-ignores.sh
@@ -75,6 +75,16 @@ test_check_ignore () {
 	stderr_empty_on_success "$expect_code"
 }
 
+# Runs the same code with 3 different levels of output verbosity,
+# expecting success each time.  Takes advantage of the fact that
+# check-ignore --verbose output is the same as normal output except
+# for the extra first column.
+#
+# Arguments:
+#   - (optional) prereqs for this test, e.g. 'SYMLINKS'
+#   - test name
+#   - output to expect from -v / --verbose mode
+#   - code to run (should invoke test_check_ignore)
 test_expect_success_multi () {
 	prereq=
 	if test $# -eq 4
-- 
1.8.1.291.g0730ed6

[PATCH 2/2] check-ignore.c: fix segfault with '.' argument from repo root

[Adam Spiers]

Fix a corner case where check-ignore would segfault when run with the
'.' argument from the top level of a repository, due to prefix_path()
converting '.' into the empty string.  It doesn't make much sense to
call check-ignore from the top level with '.' as a parameter, since
the top-level directory would never typically be ignored, but of
course it should not segfault in this case.

Signed-off-by: Adam Spiers <git@adamspiers.org>
---
 builtin/check-ignore.c | 2 +-
 t/t0008-ignores.sh     | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/builtin/check-ignore.c b/builtin/check-ignore.c
index 709535c..b0dd7c2 100644
--- a/builtin/check-ignore.c
+++ b/builtin/check-ignore.c
@@ -89,7 +89,7 @@ static int check_ignore(const char *prefix, const char **pathspec)
 					? strlen(prefix) : 0, path);
 		full_path = check_path_for_gitlink(full_path);
 		die_if_path_beyond_symlink(full_path, prefix);
-		if (!seen[i] && path[0]) {
+		if (!seen[i] && full_path[0]) {
 			exclude = last_exclude_matching_path(&check, full_path,
 							     -1, &dtype);
 			if (exclude) {
diff --git a/t/t0008-ignores.sh b/t/t0008-ignores.sh
index ebe7c70..9c1bde1 100755
--- a/t/t0008-ignores.sh
+++ b/t/t0008-ignores.sh
@@ -138,6 +138,7 @@ test_expect_success 'setup' '
 	cat <<-\EOF >.gitignore &&
 		one
 		ignored-*
+		top-level-dir/
 	EOF
 	for dir in . a
 	do
@@ -177,6 +178,10 @@ test_expect_success 'setup' '
 #
 # test invalid inputs
 
+test_expect_success_multi '. corner-case' '' '
+	test_check_ignore . 1
+'
+
 test_expect_success_multi 'empty command line' '' '
 	test_check_ignore "" 128 &&
 	stderr_contains "fatal: no path specified"
-- 
1.8.1.291.g0730ed6

Re: [PATCH 1/2] t0008: document test_expect_success_multi

[Junio C Hamano]

Adam Spiers <git@adamspiers.org> writes:

> test_expect_success_multi() helper function warrants some explanation,
> since at first sight it may seem like generic test framework plumbing,
> but is in fact specific to testing check-ignore, and allows more
> thorough testing of the various output formats without significantly
> increase the size of t0008.
>
> Signed-off-by: Adam Spiers <git@adamspiers.org>
> ---

Good.  I vaguely recall saying why I hate these mini-frameworks
invented in individual tests, but with comments like this, they
become much more palatable.

Thanks.

>  t/t0008-ignores.sh | 10 ++++++++++
>  1 file changed, 10 insertions(+)
>
> diff --git a/t/t0008-ignores.sh b/t/t0008-ignores.sh
> index d7df719..ebe7c70 100755
> --- a/t/t0008-ignores.sh
> +++ b/t/t0008-ignores.sh
> @@ -75,6 +75,16 @@ test_check_ignore () {
>  	stderr_empty_on_success "$expect_code"
>  }
>  
> +# Runs the same code with 3 different levels of output verbosity,
> +# expecting success each time.  Takes advantage of the fact that
> +# check-ignore --verbose output is the same as normal output except
> +# for the extra first column.
> +#
> +# Arguments:
> +#   - (optional) prereqs for this test, e.g. 'SYMLINKS'
> +#   - test name
> +#   - output to expect from -v / --verbose mode
> +#   - code to run (should invoke test_check_ignore)
>  test_expect_success_multi () {
>  	prereq=
>  	if test $# -eq 4

Re: [PATCH 2/2] check-ignore.c: fix segfault with '.' argument from repo root

[Junio C Hamano]

Adam Spiers <git@adamspiers.org> writes:

> Fix a corner case where check-ignore would segfault when run with the
> '.' argument from the top level of a repository, due to prefix_path()
> converting '.' into the empty string.  It doesn't make much sense to
> call check-ignore from the top level with '.' as a parameter, since
> the top-level directory would never typically be ignored, but of
> course it should not segfault in this case.
>
> Signed-off-by: Adam Spiers <git@adamspiers.org>
> ---

Please step back a bit and explain why the original had check for
path[0] in the first place?

If the answer is "the code wanted to special case the question 'is
the top-level excluded?', but used a wrong variable to implement the
check, and this patch is a fix to that", then the proposed commit
log message looks incomplete.  The cause of the segv is not that
prefix_path() returns an empty string, but because the function
called inside the "if" block was written without expecting to be fed
the path that refers to the top-level of the working tree, no?

While this change certainly will prevent the "check the top-level"
request to last-exclude-matching-path, I have to wonder if it is a
good idea to force the caller of the l-e-m-p function to even care.

In other words, would it be a cleaner approach to fix the l-e-m-p
function so that the caller can ask "check the top-level" and give a
sensible answer (perhaps the answer may be "nothing matches"), and
remove the "&& path[0]" (or "&& full_path[0]") special case from
this call site?

The last sentence "It doesn't make much sense..." in the proposed
log message would become a good justification for such a special
case at the beginning of l-e-m-p function, I would think.

>  builtin/check-ignore.c | 2 +-
>  t/t0008-ignores.sh     | 5 +++++
>  2 files changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/builtin/check-ignore.c b/builtin/check-ignore.c
> index 709535c..b0dd7c2 100644
> --- a/builtin/check-ignore.c
> +++ b/builtin/check-ignore.c
> @@ -89,7 +89,7 @@ static int check_ignore(const char *prefix, const char **pathspec)
>  					? strlen(prefix) : 0, path);
>  		full_path = check_path_for_gitlink(full_path);
>  		die_if_path_beyond_symlink(full_path, prefix);
> -		if (!seen[i] && path[0]) {
> +		if (!seen[i] && full_path[0]) {
>  			exclude = last_exclude_matching_path(&check, full_path,
>  							     -1, &dtype);
>  			if (exclude) {
> diff --git a/t/t0008-ignores.sh b/t/t0008-ignores.sh
> index ebe7c70..9c1bde1 100755
> --- a/t/t0008-ignores.sh
> +++ b/t/t0008-ignores.sh
> @@ -138,6 +138,7 @@ test_expect_success 'setup' '
>  	cat <<-\EOF >.gitignore &&
>  		one
>  		ignored-*
> +		top-level-dir/
>  	EOF
>  	for dir in . a
>  	do
> @@ -177,6 +178,10 @@ test_expect_success 'setup' '
>  #
>  # test invalid inputs
>  
> +test_expect_success_multi '. corner-case' '' '
> +	test_check_ignore . 1
> +'
> +
>  test_expect_success_multi 'empty command line' '' '
>  	test_check_ignore "" 128 &&
>  	stderr_contains "fatal: no path specified"

Re: [PATCH 2/2] check-ignore.c: fix segfault with '.' argument from repo root

[Adam Spiers]

On Tue, Feb 19, 2013 at 5:54 PM, Junio C Hamano <gitster@pobox.com> wrote:
> Adam Spiers <git@adamspiers.org> writes:
>
>> Fix a corner case where check-ignore would segfault when run with the
>> '.' argument from the top level of a repository, due to prefix_path()
>> converting '.' into the empty string.  It doesn't make much sense to
>> call check-ignore from the top level with '.' as a parameter, since
>> the top-level directory would never typically be ignored, but of
>> course it should not segfault in this case.
>>
>> Signed-off-by: Adam Spiers <git@adamspiers.org>
>> ---
>
> Please step back a bit and explain why the original had check for
> path[0] in the first place?

I can't remember to be honest.

> If the answer is "the code wanted to special case the question 'is
> the top-level excluded?',

Yes, I think that's the most likely explanation.  Maybe it got missed
in a variable renaming refactoring.

> but used a wrong variable to implement the
> check, and this patch is a fix to that", then the proposed commit
> log message looks incomplete.  The cause of the segv is not that
> prefix_path() returns an empty string, but because the function
> called inside the "if" block was written without expecting to be fed
> the path that refers to the top-level of the working tree, no?
>
> While this change certainly will prevent the "check the top-level"
> request to last-exclude-matching-path, I have to wonder if it is a
> good idea to force the caller of the l-e-m-p function to even care.
>
> In other words, would it be a cleaner approach to fix the l-e-m-p
> function so that the caller can ask "check the top-level" and give a
> sensible answer (perhaps the answer may be "nothing matches"), and
> remove the "&& path[0]" (or "&& full_path[0]") special case from
> this call site?

Yes, that did cross my mind.  I also wondered whether hash_name()
should do stricter input validation, but I guess that could have an
impact on performance.

> The last sentence "It doesn't make much sense..." in the proposed
> log message would become a good justification for such a special
> case at the beginning of l-e-m-p function, I would think.

Fair enough.  I'll reply to this with a new version.[0]

[0] I wish there was a clean way to include the new version inline,
    but as I've noted before, there doesn't seem to be:

    http://article.gmane.org/gmane.comp.version-control.git/146110

[PATCH v2 2/2] check-ignore.c, dir.c: fix segfault with '.' argument from repo root

[Adam Spiers]

Fix a corner case where check-ignore would segfault when run with the
'.' argument from the top level of a repository, due to prefix_path()
converting '.' into the empty string.  It doesn't make much sense to
call check-ignore from the top level with '.' as a parameter, since
the top-level directory would never typically be ignored, but of
course it should not segfault in this case.  The existing code
attempted to check for this case but failed due to using the wrong
variable.  Instead we move the check to last_exclude_matching_path(),
in case other callers present or future have a similar issue.

Signed-off-by: Adam Spiers <git@adamspiers.org>
---
 builtin/check-ignore.c | 2 +-
 dir.c                  | 8 ++++++++
 t/t0008-ignores.sh     | 5 +++++
 3 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/builtin/check-ignore.c b/builtin/check-ignore.c
index 709535c..0240f99 100644
--- a/builtin/check-ignore.c
+++ b/builtin/check-ignore.c
@@ -89,7 +89,7 @@ static int check_ignore(const char *prefix, const char **pathspec)
 					? strlen(prefix) : 0, path);
 		full_path = check_path_for_gitlink(full_path);
 		die_if_path_beyond_symlink(full_path, prefix);
-		if (!seen[i] && path[0]) {
+		if (!seen[i]) {
 			exclude = last_exclude_matching_path(&check, full_path,
 							     -1, &dtype);
 			if (exclude) {
diff --git a/dir.c b/dir.c
index 57394e4..1ae0b90 100644
--- a/dir.c
+++ b/dir.c
@@ -828,6 +828,14 @@ struct exclude *last_exclude_matching_path(struct path_exclude_check *check,
 	struct exclude *exclude;
 
 	/*
+	 * name could be the empty string, e.g. if check-ignore was
+	 * invoked from the top level with '.', prefix_path() will
+	 * convert it into "".
+	 */
+	if (!*name)
+		return NULL;
+
+	/*
 	 * we allow the caller to pass namelen as an optimization; it
 	 * must match the length of the name, as we eventually call
 	 * is_excluded() on the whole name string.
diff --git a/t/t0008-ignores.sh b/t/t0008-ignores.sh
index ebe7c70..9c1bde1 100755
--- a/t/t0008-ignores.sh
+++ b/t/t0008-ignores.sh
@@ -138,6 +138,7 @@ test_expect_success 'setup' '
 	cat <<-\EOF >.gitignore &&
 		one
 		ignored-*
+		top-level-dir/
 	EOF
 	for dir in . a
 	do
@@ -177,6 +178,10 @@ test_expect_success 'setup' '
 #
 # test invalid inputs
 
+test_expect_success_multi '. corner-case' '' '
+	test_check_ignore . 1
+'
+
 test_expect_success_multi 'empty command line' '' '
 	test_check_ignore "" 128 &&
 	stderr_contains "fatal: no path specified"
-- 
1.8.2.rc0.18.g543d1e4

Re* [PATCH 2/2] check-ignore.c: fix segfault with '.' argument from repo root

[Junio C Hamano]

Adam Spiers <git@adamspiers.org> writes:

> Fair enough.  I'll reply to this with a new version.[0]
>
> [0] I wish there was a clean way to include the new version inline,
>     but as I've noted before, there doesn't seem to be:
>
>     http://article.gmane.org/gmane.comp.version-control.git/146110

I find it easier to later find the patch if you made it a separate
follow-up like you did, but you can do it this way if you really
want to, using a scissors line, like so.  Please do not try to be
creative and change the shape of scissors just for the sake of
chaning it.

-- >8 --
Subject: name-hash: allow hashing an empty string

Usually we do not pass an empty string to the function hash_name()
because we almost always ask for hash values for a path that is a
candidate to be added to the index. However, check-ignore (and most
likely check-attr, but I didn't check) apparently has a callchain
to ask the hash value for an empty path when it was given a "." from
the top-level directory to ask "Is the path . excluded by default?"

Make sure that hash_name() does not overrun the end of the given
pathname even when it is empty.

Also remove a sweep-the-issue-under-the-rug conditional in
check-ignore that avoided to pass an empty string to the callchain.

Signed-off-by: Adam Spiers <git@adamspiers.org>
---
 builtin/check-ignore.c | 2 +-
 name-hash.c            | 4 ++--
 t/t0008-ignores.sh     | 5 +++++
 3 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/builtin/check-ignore.c b/builtin/check-ignore.c
index 709535c..0240f99 100644
--- a/builtin/check-ignore.c
+++ b/builtin/check-ignore.c
@@ -89,7 +89,7 @@ static int check_ignore(const char *prefix, const char **pathspec)
 					? strlen(prefix) : 0, path);
 		full_path = check_path_for_gitlink(full_path);
 		die_if_path_beyond_symlink(full_path, prefix);
-		if (!seen[i] && path[0]) {
+		if (!seen[i]) {
 			exclude = last_exclude_matching_path(&check, full_path,
 							     -1, &dtype);
 			if (exclude) {
diff --git a/name-hash.c b/name-hash.c
index d8d25c2..942c459 100644
--- a/name-hash.c
+++ b/name-hash.c
@@ -24,11 +24,11 @@ static unsigned int hash_name(const char *name, int namelen)
 {
 	unsigned int hash = 0x123;
 
-	do {
+	while (namelen--) {
 		unsigned char c = *name++;
 		c = icase_hash(c);
 		hash = hash*101 + c;
-	} while (--namelen);
+	}
 	return hash;
 }
 
diff --git a/t/t0008-ignores.sh b/t/t0008-ignores.sh
index ebe7c70..9c1bde1 100755
--- a/t/t0008-ignores.sh
+++ b/t/t0008-ignores.sh
@@ -138,6 +138,7 @@ test_expect_success 'setup' '
 	cat <<-\EOF >.gitignore &&
 		one
 		ignored-*
+		top-level-dir/
 	EOF
 	for dir in . a
 	do
@@ -177,6 +178,10 @@ test_expect_success 'setup' '
 #
 # test invalid inputs
 
+test_expect_success_multi '. corner-case' '' '
+	test_check_ignore . 1
+'
+
 test_expect_success_multi 'empty command line' '' '
 	test_check_ignore "" 128 &&
 	stderr_contains "fatal: no path specified"

Re: [PATCH v2 2/2] check-ignore.c, dir.c: fix segfault with '.' argument from repo root

[Junio C Hamano]

Adam Spiers <git@adamspiers.org> writes:

> Fix a corner case where check-ignore would segfault when run with the
> '.' argument from the top level of a repository, due to prefix_path()
> converting '.' into the empty string.

The description does not match what I understand is happening from
the original report, though.  The above is more like this, no?

    When check-ignore is run with the '.' argument from the top level of
    a repository, it fed an empty string to hash_name() in name-hash.c
    and caused a segfault, as the function kept reading forever past the
    end of the string.

A point to note is that it is not cleaer why it is a corner case to
ask about a pathspec ".".  It is a valid question "Is the whole tree
ignored by default?", isn't it?

> It doesn't make much sense to
> call check-ignore from the top level with '.' as a parameter, since
> the top-level directory would never typically be ignored,

And this sounds like a really bad excuse.  If it were "it does not
make *any* sense ... because the top level is *never* ignored", then
the patch is a perfectly fine optimization that happens to work
around the problem, but the use of "much" and "typically" is a sure
sign that the design of the fix is iffy.  It also shows that the
patch is not a fix, but is sweeping the problem under the rug, if
there were a valid use case to set the top level to be ignored.

I wonder what would happen if we removed that "&& path[0]" check
from the caller, not add the "assume the top is never ignored"
workaround, and do something like this to the location that causes
segv, so that it can give an answer when asked to hash an empty
string?

Does the callchain that goes down to this function have other places
that assume they will never see an empty string, like this function
does, which I _think_ is the real issue?

 name-hash.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/name-hash.c b/name-hash.c
index d8d25c2..942c459 100644
--- a/name-hash.c
+++ b/name-hash.c
@@ -24,11 +24,11 @@ static unsigned int hash_name(const char *name, int namelen)
 {
 	unsigned int hash = 0x123;
 
-	do {
+	while (namelen--) {
 		unsigned char c = *name++;
 		c = icase_hash(c);
 		hash = hash*101 + c;
-	} while (--namelen);
+	}
 	return hash;
 }
 

Re: [PATCH v2 2/2] check-ignore.c, dir.c: fix segfault with '.' argument from repo root

[Junio C Hamano]

Junio C Hamano <gitster@pobox.com> writes:

> And this sounds like a really bad excuse.  If it were "it does not
> make *any* sense ... because the top level is *never* ignored", then
> the patch is a perfectly fine optimization that happens to work
> around the problem, but the use of "much" and "typically" is a sure
> sign that the design of the fix is iffy.  It also shows that the
> patch is not a fix, but is sweeping the problem under the rug, if
> there were a valid use case to set the top level to be ignored.
>
> I wonder what would happen if we removed that "&& path[0]" check
> from the caller, not add the "assume the top is never ignored"
> workaround, and do something like this to the location that causes
> segv, so that it can give an answer when asked to hash an empty
> string?
>
> Does the callchain that goes down to this function have other places
> that assume they will never see an empty string, like this function
> does, which I _think_ is the real issue?

I started to suspect that may be the right approach.  Why not do this?

-- >8 --
From: Junio C Hamano <gitster@pobox.com>
Date: Tue, 19 Feb 2013 11:56:44 -0800
Subject: [PATCH] name-hash: allow hashing an empty string

Usually we do not pass an empty string to the function hash_name()
because we almost always ask for hash values for a path that is a
candidate to be added to the index. However, check-ignore (and most
likely check-attr, but I didn't check) apparently has a callchain
to ask the hash value for an empty path when it was given a "." from
the top-level directory to ask "Is the path . excluded by default?"

Make sure that hash_name() does not overrun the end of the given
pathname even when it is empty.

Remove a sweep-the-issue-under-the-rug conditional in check-ignore
that avoided to pass an empty string to the callchain while at it.
It is a valid question to ask for check-ignore if the top-level is
set to be ignored by default, even though the answer is most likely
no, if only because there is currently no way to specify such an
entry in the .gitignore file. But it is an unusual thing to ask and
it is not worth optimizing for it by special casing at the top level
of the call chain.

Signed-off-by: Adam Spiers <git@adamspiers.org>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
---
 builtin/check-ignore.c | 2 +-
 name-hash.c            | 4 ++--
 t/t0008-ignores.sh     | 5 +++++
 3 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/builtin/check-ignore.c b/builtin/check-ignore.c
index 709535c..0240f99 100644
--- a/builtin/check-ignore.c
+++ b/builtin/check-ignore.c
@@ -89,7 +89,7 @@ static int check_ignore(const char *prefix, const char **pathspec)
 					? strlen(prefix) : 0, path);
 		full_path = check_path_for_gitlink(full_path);
 		die_if_path_beyond_symlink(full_path, prefix);
-		if (!seen[i] && path[0]) {
+		if (!seen[i]) {
 			exclude = last_exclude_matching_path(&check, full_path,
 							     -1, &dtype);
 			if (exclude) {
diff --git a/name-hash.c b/name-hash.c
index d8d25c2..942c459 100644
--- a/name-hash.c
+++ b/name-hash.c
@@ -24,11 +24,11 @@ static unsigned int hash_name(const char *name, int namelen)
 {
 	unsigned int hash = 0x123;
 
-	do {
+	while (namelen--) {
 		unsigned char c = *name++;
 		c = icase_hash(c);
 		hash = hash*101 + c;
-	} while (--namelen);
+	}
 	return hash;
 }
 
diff --git a/t/t0008-ignores.sh b/t/t0008-ignores.sh
index ebe7c70..9c1bde1 100755
--- a/t/t0008-ignores.sh
+++ b/t/t0008-ignores.sh
@@ -138,6 +138,7 @@ test_expect_success 'setup' '
 	cat <<-\EOF >.gitignore &&
 		one
 		ignored-*
+		top-level-dir/
 	EOF
 	for dir in . a
 	do
@@ -177,6 +178,10 @@ test_expect_success 'setup' '
 #
 # test invalid inputs
 
+test_expect_success_multi '. corner-case' '' '
+	test_check_ignore . 1
+'
+
 test_expect_success_multi 'empty command line' '' '
 	test_check_ignore "" 128 &&
 	stderr_contains "fatal: no path specified"
-- 
1.8.2.rc0.89.g6e4b41d

Re: [PATCH v2 2/2] check-ignore.c, dir.c: fix segfault with '.' argument from repo root

[Adam Spiers]

On Tue, Feb 19, 2013 at 7:59 PM, Junio C Hamano <gitster@pobox.com> wrote:
> Adam Spiers <git@adamspiers.org> writes:
>
>> Fix a corner case where check-ignore would segfault when run with the
>> '.' argument from the top level of a repository, due to prefix_path()
>> converting '.' into the empty string.
>
> The description does not match what I understand is happening from
> the original report, though.

Why not?

> The above is more like this, no?
>
>     When check-ignore is run with the '.' argument from the top level of
>     a repository, it fed an empty string to hash_name() in name-hash.c
>     and caused a segfault, as the function kept reading forever past the
>     end of the string.

The only difference I can see between the two is that yours has
changed the phrase order and gives a bit more information.  I don't
see any disagreement between them though.

> A point to note is that it is not cleaer why it is a corner case to
> ask about a pathspec ".".  It is a valid question "Is the whole tree
> ignored by default?", isn't it?

It's probably valid, but I'm not the best judge of that.  It doesn't
make much sense to me why anyone would do that, and it seems very
unlikely it would be a common use case, therefore it's a corner case.
The next sentence then qualifies that:

>> It doesn't make much sense to
>> call check-ignore from the top level with '.' as a parameter, since
>> the top-level directory would never typically be ignored,
>
> And this sounds like a really bad excuse.

An excuse for what?  The final part of that sentence which you trimmed
made it clear that it was not an excuse for the segfault.  Your choice
of wording here sounds more like a personal attack than a technical
discussion - presumably unintentional, so I'll choose not to take
offense.

> If it were "it does not
> make *any* sense ... because the top level is *never* ignored", then
> the patch is a perfectly fine optimization that happens to work
> around the problem, but the use of "much" and "typically" is a sure
> sign that the design of the fix is iffy.  It also shows that the
> patch is not a fix, but is sweeping the problem under the rug, if
> there were a valid use case to set the top level to be ignored.

There *may* be a valid use case to set the top level to be ignored.
*I* can't think of one personally, therefore it doesn't make sense to
me to do so, but my intention was to avoid imposing my own personal
judgement on everyone else by preventing people from doing that.
However, in that case I now realise that check-ignore should report a
match, and my proposed patches do not do that.  Perhaps that is what
you meant by "sweeping the problem under the rug"?

> I wonder what would happen if we removed that "&& path[0]" check
> from the caller, not add the "assume the top is never ignored"
> workaround, and do something like this to the location that causes
> segv, so that it can give an answer when asked to hash an empty
> string?
>
>  name-hash.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/name-hash.c b/name-hash.c
> index d8d25c2..942c459 100644
> --- a/name-hash.c
> +++ b/name-hash.c
> @@ -24,11 +24,11 @@ static unsigned int hash_name(const char *name, int namelen)
>  {
>         unsigned int hash = 0x123;
>
> -       do {
> +       while (namelen--) {
>                 unsigned char c = *name++;
>                 c = icase_hash(c);
>                 hash = hash*101 + c;
> -       } while (--namelen);
> +       }
>         return hash;
>  }

Yep, that makes sense - that's what I meant when I said I was
wondering "whether hash_name() should do stricter input validation".

> Does the callchain that goes down to this function have other places
> that assume they will never see an empty string, like this function
> does, which I _think_ is the real issue?

Good question.  In the absence of a proper audit for similar issues,
it definitely makes sense to defensively program hash_name() (and any
other low-level functions which accept path strings).

Re: [PATCH v2 2/2] check-ignore.c, dir.c: fix segfault with '.' argument from repo root

[Adam Spiers]

On Tue, Feb 19, 2013 at 02:03:01PM -0800, Junio C Hamano wrote:
> I started to suspect that may be the right approach.  Why not do this?
> 
> -- >8 --
> From: Junio C Hamano <gitster@pobox.com>
> Date: Tue, 19 Feb 2013 11:56:44 -0800
> Subject: [PATCH] name-hash: allow hashing an empty string
> 
> Usually we do not pass an empty string to the function hash_name()
> because we almost always ask for hash values for a path that is a
> candidate to be added to the index. However, check-ignore (and most
> likely check-attr, but I didn't check) apparently has a callchain
> to ask the hash value for an empty path when it was given a "." from
> the top-level directory to ask "Is the path . excluded by default?"

According to a single gdb run, 'git check-attr -a .' does not hit
hash_name() for me.  However that naive experiment doesn't rule out
the possibility of it happening if the right attributes are set, but I
don't know enough about that code to comment.

> Make sure that hash_name() does not overrun the end of the given
> pathname even when it is empty.
> 
> Remove a sweep-the-issue-under-the-rug conditional in check-ignore
> that avoided to pass an empty string to the callchain while at it.
> It is a valid question to ask for check-ignore if the top-level is
> set to be ignored by default, even though the answer is most likely

Hmm, I see very little difference between the use of "most likely" and
the use of the words "much" and "typically" which you previously
considered "a sure sign that the design of the fix is iffy".

> no, if only because there is currently no way to specify such an
> entry in the .gitignore file. But it is an unusual thing to ask and
> it is not worth optimizing for it by special casing at the top level
> of the call chain.

Although I agree with your proposed patch's sentiment of avoiding
sweeping this corner case under the rug, 'check-ignore .' still
wouldn't match anything if for example './' was a supported mechanism
for ignoring the top level.  So, modulo the obvious advantages that
defensive coding in hash_name() bring, I'm struggling to see a
significant difference between any of the three patches proposed so
far.  All of them fix the segfault, and all would require the same
amount of extra work in order to support matching against './'.

But I don't have any strong objections either, so you have my approval
for whichever patch you prefer to take.  Thanks.

Re: Re* [PATCH 2/2] check-ignore.c: fix segfault with '.' argument from repo root

[Adam Spiers]

On Tue, Feb 19, 2013 at 11:56:44AM -0800, Junio C Hamano wrote:
> Adam Spiers <git@adamspiers.org> writes:
> 
> > Fair enough.  I'll reply to this with a new version.[0]
> >
> > [0] I wish there was a clean way to include the new version inline,
> >     but as I've noted before, there doesn't seem to be:
> >
> >     http://article.gmane.org/gmane.comp.version-control.git/146110
> 
> I find it easier to later find the patch if you made it a separate
> follow-up like you did, but you can do it this way if you really
> want to, using a scissors line, like so.  Please do not try to be
> creative and change the shape of scissors just for the sake of
> chaning it.

[snipped]

OK, thanks for the information.  IMHO it would be nice if 'git
format-patch' and 'git am' supported this style of inline patch
inclusion, but maybe there are good reasons to discourage it?

Re: [PATCH v2 2/2] check-ignore.c, dir.c: fix segfault with '.' argument from repo root

[Junio C Hamano]

Adam Spiers <git@adamspiers.org> writes:

>> Remove a sweep-the-issue-under-the-rug conditional in check-ignore
>> that avoided to pass an empty string to the callchain while at it.
>> It is a valid question to ask for check-ignore if the top-level is
>> set to be ignored by default, even though the answer is most likely
>> no, if only because there is currently no way to specify such an
>
> Hmm, I see very little difference between the use of "most likely" and
> the use of the words "much" and "typically" which you previously
> considered "a sure sign that the design of the fix is iffy".

Your patch were "The reason why feeding empty string upsets
hash_name() were not investigated; by punting the '.' as input, and
ignoring the possibility that such a question might make sense, I
can work around the segfault. I do not even question if hash_name()
that misbehaves on an empty string is a bug. Just make sure we do
not tickle the function with a problematic input".

The patch you are responding to declares that hash_name() should
work sensibly on an empty string, and that is the _only_ necessary
change for the fix.  We could keep "&& path[0]", but even without
it, by fixing the hash_name(), we will no longer segfault.

My "most likely" is about "the special case '&& path[0]' produces
correct result, and it is likely to stay so in the near future until
we update .gitignore format to allow users to say 'ignore the top by
default', which is not likely to happen soon".  It is not about the
nature of the fix at all.

Still do not see the difference?

The removal of the "&& path[0]" is about allowing such a question
whose likeliness may be remote.  In the current .gitignore format,
you may not be able to say "ignore the whole thing by default", so
in that sense, the answer to the question this part of the code is
asking when given "." may always be "no".  Keeping the "&& path[0]"
will optimize for that case.

And "unusual thing to ask" below is to judge if answering such a
question is worth optimizing for (the verdict is "no, it is not a
common thing to do").

>> entry in the .gitignore file. But it is an unusual thing to ask and
>> it is not worth optimizing for it by special casing at the top level
>> of the call chain.
>
> Although I agree with your proposed patch's sentiment of avoiding
> sweeping this corner case under the rug, 'check-ignore .' still
> wouldn't match anything if for example './' was a supported mechanism
> for ignoring the top level.

It indicates that there may be more bugs (that may not result in
segv) somewhere in check-ignore codepath, if (1)

	echo ./ >.gitignore
        
were to say "ignore everything in the tree by default.", and (2) the
real ignore check does work that way, but (3)

	git check-ignore .

says "we do not ignore that one".  Such a bug may come from some
code that is not prepared to see an empty pathname that refers to
the top-level in the codepath, which was why I originally asked 

    Does the callchain that goes down to this function have other places
    that assume they will never see an empty string, like this function
    does, which I _think_ is the real issue?

in one of the previous messages.

But is 

	echo ./ >.gitignore

a way to say "ignore everything in the tree by default" in the first
place?  I think historically that has never been the case, I recall
that the list had discussions on that topic in the past (it may be
before you appeared here), and I do not recall we reached a concensus
that we should make it mean that nor applied a patch to do so.

Re: Re* [PATCH 2/2] check-ignore.c: fix segfault with '.' argument from repo root

[Junio C Hamano]

Adam Spiers <git@adamspiers.org> writes:

> OK, thanks for the information.  IMHO it would be nice if 'git
> format-patch' and 'git am' supported this style of inline patch
> inclusion, but maybe there are good reasons to discourage it?

"git am --scissors" is a way to process such e-mail where the patch
submitter continues discussion in the top part of a message,
concludes the message with:

	A patch to do so is attached.
	-- >8 --

and then tells the MUA to read in an output from format-patch into
the e-mail buffer.  You still need to strip out unneeded headers
like the "From ", "From: " and "Date: " lines when you add the
scissors anyway, and this is applicable only for a single-patch
series, so the "feature" does not fit well as a format-patch option.

Re: Re* [PATCH 2/2] check-ignore.c: fix segfault with '.' argument from repo root

[Adam Spiers]

On Tue, Feb 19, 2013 at 06:53:07PM -0800, Junio C Hamano wrote:
> Adam Spiers <git@adamspiers.org> writes:
> 
> > OK, thanks for the information.  IMHO it would be nice if 'git
> > format-patch' and 'git am' supported this style of inline patch
> > inclusion, but maybe there are good reasons to discourage it?
> 
> "git am --scissors" is a way to process such e-mail where the patch
> submitter continues discussion in the top part of a message,
> concludes the message with:
> 
> 	A patch to do so is attached.
> 	-- >8 --
> 
> and then tells the MUA to read in an output from format-patch into
> the e-mail buffer.

Ah, nice!  I didn't know about that.

>  You still need to strip out unneeded headers
> like the "From ", "From: " and "Date: " lines when you add the
> scissors anyway, and this is applicable only for a single-patch
> series, so the "feature" does not fit well as a format-patch option.

Rather than requiring the user to manually strip out unneeded headers,
wouldn't it be friendlier and less error-prone to add a new --inline
option to format-patch which omitted them in the first place?  It
should be easy to make it bail with an error when multiple revisions
are requested.

Re: [PATCH v2 2/2] check-ignore.c, dir.c: fix segfault with '.' argument from repo root

[Adam Spiers]

On Tue, Feb 19, 2013 at 06:47:23PM -0800, Junio C Hamano wrote:
> Adam Spiers <git@adamspiers.org> writes:
> >> Remove a sweep-the-issue-under-the-rug conditional in check-ignore
> >> that avoided to pass an empty string to the callchain while at it.
> >> It is a valid question to ask for check-ignore if the top-level is
> >> set to be ignored by default, even though the answer is most likely
> >> no, if only because there is currently no way to specify such an
> >
> > Hmm, I see very little difference between the use of "most likely" and
> > the use of the words "much" and "typically" which you previously
> > considered "a sure sign that the design of the fix is iffy".
> 
> Your patch were "The reason why feeding empty string upsets
       ^^^^^^^^^^
"patches were", or "patch was"?  It's not clear which patch(es) you're
referring to.

> hash_name() were not investigated; by punting the '.' as input, and
> ignoring the possibility that such a question might make sense, I
> can work around the segfault.

I don't see how explicitly referring to the possibility can be counted
as ignoring it.

> I do not even question if hash_name()
> that misbehaves on an empty string is a bug. Just make sure we do
> not tickle the function with a problematic input".

Presumably the "I" here refers to anthropomorphized commit message
rather than to me personally, since I did question hash_name()'s
behaviour several times already.

> The patch you are responding to declares that hash_name() should
> work sensibly on an empty string, and that is the _only_ necessary
> change for the fix.  We could keep "&& path[0]", but even without
> it, by fixing the hash_name(), we will no longer segfault.

Yes, and as already stated, I agree that is a good thing.

> My "most likely" is about "the special case '&& path[0]' produces
> correct result,

Sorry, I can't understand this.  You are paraphrasing something and
placing it inside "" quotes, but I can't find the corresponding
source.  I presumed it refers to this extract of your proposed patch's
commit message:

   "Remove a sweep-the-issue-under-the-rug conditional in check-ignore
    that avoided to pass an empty string to the callchain while at it.
    It is a valid question to ask for check-ignore if the top-level is
    set to be ignored by default, even though the answer is most
    likely no"

but I can't reconcile this extract with the paraphrase "the special
case '&& path[0]' produces correct result".

> and it is likely to stay so in the near future until
> we update .gitignore format to allow users to say 'ignore the top by
> default', which is not likely to happen soon".  It is not about the
> nature of the fix at all.
>
> Still do not see the difference?

I think I *might* be beginning to see you were getting at, although my
understanding is still clouded by the ambiguities detailed above.  Is
your point that the use of words like 'much' and 'typically' are a
"sure sign" of "iffy design" _when_used_to_talk_about_fixes_ but not
necessarily in other contexts?  If so then it makes a bit more sense
to me, even though I tend to disagree with such broadly sweeping
generalizations, especially when the qualifying context is missing.

That aside, your idea of looking out for "bad smells" not only in code
but also in the spoken language contained by commit messages and
design discussions is an interesting one.  I will try to bear that
technique in mind more consciously in the future, and see how well it
serves me.

> The removal of the "&& path[0]" is about allowing such a question
> whose likeliness may be remote.  In the current .gitignore format,
> you may not be able to say "ignore the whole thing by default", so
> in that sense, the answer to the question this part of the code is
> asking when given "." may always be "no".  Keeping the "&& path[0]"
> will optimize for that case.
> 
> And "unusual thing to ask" below is to judge if answering such a
> question is worth optimizing for (the verdict is "no, it is not a
> common thing to do").

Yes, I understand and agree with these paragraphs.

> >> entry in the .gitignore file. But it is an unusual thing to ask and
> >> it is not worth optimizing for it by special casing at the top level
> >> of the call chain.
> >
> > Although I agree with your proposed patch's sentiment of avoiding
> > sweeping this corner case under the rug, 'check-ignore .' still
> > wouldn't match anything if for example './' was a supported mechanism
> > for ignoring the top level.
> 
> It indicates that there may be more bugs (that may not result in
> segv) somewhere in check-ignore codepath, if (1)
> 
> 	echo ./ >.gitignore
>
> were to say "ignore everything in the tree by default.", and (2) the
> real ignore check does work that way, but (3)
> 
> 	git check-ignore .
> 
> says "we do not ignore that one".

Yes, I think we are saying exactly the same thing here, although if
"It indicates that [...]" refers to your proposed patch's commit
message then I don't think it indicates the possibility of these bugs
in the most obvious or explicit way.

> Such a bug may come from some
> code that is not prepared to see an empty pathname that refers to
> the top-level in the codepath, which was why I originally asked 
> 
>     Does the callchain that goes down to this function have other places
>     that assume they will never see an empty string, like this function
>     does, which I _think_ is the real issue?
> 
> in one of the previous messages.

Agreed.

> But is 
> 
> 	echo ./ >.gitignore
> 
> a way to say "ignore everything in the tree by default" in the first
> place?  I think historically that has never been the case, I recall
> that the list had discussions on that topic in the past (it may be
> before you appeared here), and I do not recall we reached a concensus
> that we should make it mean that nor applied a patch to do so.

Good question.  './' and '/' both seem like reasonable values here,
but if noone screamed loud enough for a decision and implementation
yet, it reinforces my description of it as a corner case, and suggests
that we probably shouldn't spend much more time on this thread of
diminishing returns ;-)

Re: Re* [PATCH 2/2] check-ignore.c: fix segfault with '.' argument from repo root

[Junio C Hamano]

Adam Spiers <git@adamspiers.org> writes:

> On Tue, Feb 19, 2013 at 06:53:07PM -0800, Junio C Hamano wrote:
>> Adam Spiers <git@adamspiers.org> writes:
>> 
>> > OK, thanks for the information.  IMHO it would be nice if 'git
>> > format-patch' and 'git am' supported this style of inline patch
>> > inclusion, but maybe there are good reasons to discourage it?
>> 
>> "git am --scissors" is a way to process such e-mail where the patch
>> submitter continues discussion in the top part of a message,
>> concludes the message with:
>> 
>> 	A patch to do so is attached.
>> 	-- >8 --
>> 
>> and then tells the MUA to read in an output from format-patch into
>> the e-mail buffer.
>
> Ah, nice!  I didn't know about that.
>
>>  You still need to strip out unneeded headers
>> like the "From ", "From: " and "Date: " lines when you add the
>> scissors anyway, and this is applicable only for a single-patch
>> series, so the "feature" does not fit well as a format-patch option.
>
> Rather than requiring the user to manually strip out unneeded headers,
> wouldn't it be friendlier and less error-prone to add a new --inline
> option to format-patch which omitted them in the first place?  It
> should be easy to make it bail with an error when multiple revisions
> are requested.

Perhaps.

[PATCH 1/2] format-patch: rename "no_inline" field

[Junio C Hamano]

The name of the fields invites a misunderstanding that setting it to
false, saying "No, I will not to tell you not to inline", make the
patch inlined in the body of the message, but that is not what it
does.  The result is still a MIME attachment as long as
mime_boundary is set.  This field only controls if the content
disposition of a MIME attachment is set to "attachment" or "inline".

Rename it to clarify what it is used for.  Besides, a toggle whose
name is "no_frotz" is asking for a double-negation.  Calling it
"disposition-attachment" allows us to naturally read setting the
field to true as "Yes, I want to set content-disposition to
'attachment'".

Signed-off-by: Junio C Hamano <gitster@pobox.com>
---

 * This is a general "clean-up" patch that does not add any feature
   nor fixes any bug.

 builtin/log.c | 6 +++---
 log-tree.c    | 2 +-
 revision.h    | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/builtin/log.c b/builtin/log.c
index 8f0b2e8..30265d8 100644
--- a/builtin/log.c
+++ b/builtin/log.c
@@ -983,7 +983,7 @@ static int attach_callback(const struct option *opt, const char *arg, int unset)
 		rev->mime_boundary = arg;
 	else
 		rev->mime_boundary = git_version_string;
-	rev->no_inline = unset ? 0 : 1;
+	rev->disposition_attachment = unset ? 0 : 1;
 	return 0;
 }
 
@@ -996,7 +996,7 @@ static int inline_callback(const struct option *opt, const char *arg, int unset)
 		rev->mime_boundary = arg;
 	else
 		rev->mime_boundary = git_version_string;
-	rev->no_inline = 0;
+	rev->disposition_attachment = 0;
 	return 0;
 }
 
@@ -1172,7 +1172,7 @@ int cmd_format_patch(int argc, const char **argv, const char *prefix)
 
 	if (default_attach) {
 		rev.mime_boundary = default_attach;
-		rev.no_inline = 1;
+		rev.disposition_attachment = 1;
 	}
 
 	/*
diff --git a/log-tree.c b/log-tree.c
index 5dc45c4..34ec20d 100644
--- a/log-tree.c
+++ b/log-tree.c
@@ -408,7 +408,7 @@ void log_write_email_headers(struct rev_info *opt, struct commit *commit,
 			 " filename=\"%s\"\n\n",
 			 mime_boundary_leader, opt->mime_boundary,
 			 filename.buf,
-			 opt->no_inline ? "attachment" : "inline",
+			 opt->disposition_attachment ? "attachment" : "inline",
 			 filename.buf);
 		opt->diffopt.stat_sep = buffer;
 		strbuf_release(&filename);
diff --git a/revision.h b/revision.h
index 5da09ee..90813dd 100644
--- a/revision.h
+++ b/revision.h
@@ -142,7 +142,7 @@ struct rev_info {
 	const char	*extra_headers;
 	const char	*log_reencode;
 	const char	*subject_prefix;
-	int		no_inline;
+	int		disposition_attachment;
 	int		show_log_size;
 	struct string_list *mailmap;
 
-- 
1.8.2.rc0.129.gcce6fe7

[PATCH 2/2] format-patch: --inline-single

[Junio C Hamano]

Some people may find it convenient to append a simple patch at the
bottom of a discussion e-mail separated by a "scissors" mark, ready
to be applied with "git am -c".  Introduce "--inline-single" option
to format-patch to do so.  A typical usage example might be to start
'F'ollow-up to a discussion, write your message, conclude with "a
patch to do so may look like this.", and 

    \C-u M-! git format-patch --inline-single -1 HEAD <ENTER>

if you are an Emacs user.  Users of other MUA's may want to consult
their manuals to find equivalent command to append output from an
external command to the message being composed.

It does not make any sense to use this mode when formatting multiple
patches, or to combine this with options such as --attach, --inline,
and --cover-letter, so some of such uses are forbidden.  There may
be more insane combination the check in this patch may not even
bother to reject.  Caveat emptor.

Signed-off-by: Junio C Hamano <gitster@pobox.com>
---

 * I did this as a lunch-time hack, but I'll leave it to interested
   readers as an exercise to find corner case "bugs", e.g. some
   insane combinations of options may not be diagnosed as usage
   errors, and to update the tests and documentation.

   Personally, "git format-patch --stdout -1 HEAD" with manual
   editing is more flexible, so I am not interested in spending
   cycles to polish this further myself.

   The preliminary patch 1/2 I sent earlier is worth doing, though.

 builtin/log.c | 32 ++++++++++++++++++++++++++++++++
 commit.h      |  1 +
 log-tree.c    |  7 ++++++-
 pretty.c      | 27 ++++++++++++++++++++++++++-
 revision.h    |  1 +
 5 files changed, 66 insertions(+), 2 deletions(-)

diff --git a/builtin/log.c b/builtin/log.c
index 30265d8..5ad0837 100644
--- a/builtin/log.c
+++ b/builtin/log.c
@@ -1000,6 +1000,19 @@ static int inline_callback(const struct option *opt, const char *arg, int unset)
 	return 0;
 }
 
+static int inline_single_callback(const struct option *opt, const char *arg, int unset)
+{
+	struct rev_info *rev = (struct rev_info *)opt->value;
+	rev->mime_boundary = NULL;
+	rev->inline_single = 1;
+
+	/* defeat configured format.attach, format.thread, etc. */
+	free(default_attach);
+	default_attach = NULL;
+	thread = 0;
+	return 0;
+}
+
 static int header_callback(const struct option *opt, const char *arg, int unset)
 {
 	if (unset) {
@@ -1149,6 +1162,10 @@ int cmd_format_patch(int argc, const char **argv, const char *prefix)
 			    PARSE_OPT_OPTARG, thread_callback },
 		OPT_STRING(0, "signature", &signature, N_("signature"),
 			    N_("add a signature")),
+		{ OPTION_CALLBACK, 0, "inline-single", &rev, NULL,
+		  N_("single patch appendable to the end of an e-mail body"),
+		  PARSE_OPT_NOARG | PARSE_OPT_NONEG,
+		  inline_single_callback },
 		OPT_BOOLEAN(0, "quiet", &quiet,
 			    N_("don't print the patch filenames")),
 		OPT_END()
@@ -1185,6 +1202,17 @@ int cmd_format_patch(int argc, const char **argv, const char *prefix)
 			     PARSE_OPT_KEEP_ARGV0 | PARSE_OPT_KEEP_UNKNOWN |
 			     PARSE_OPT_KEEP_DASHDASH);
 
+	/* Set defaults and check incompatible options */
+	if (rev.inline_single) {
+		use_stdout = 1;
+		if (cover_letter)
+			die(_("inline-single and cover-letter are incompatible."));
+		if (thread)
+			die(_("inline-single and thread are incompatible."));
+		if (output_directory)
+			die(_("inline-single and output-directory are incompatible."));
+	}
+
 	if (0 < reroll_count) {
 		struct strbuf sprefix = STRBUF_INIT;
 		strbuf_addf(&sprefix, "%s v%d",
@@ -1373,6 +1401,10 @@ int cmd_format_patch(int argc, const char **argv, const char *prefix)
 		list[nr - 1] = commit;
 	}
 	total = nr;
+
+	if (rev.inline_single && total != 1)
+		die(_("inline-single is only for a single commit"));
+
 	if (!keep_subject && auto_number && total > 1)
 		numbered = 1;
 	if (numbered)
diff --git a/commit.h b/commit.h
index 4138bb4..f3d9959 100644
--- a/commit.h
+++ b/commit.h
@@ -85,6 +85,7 @@ struct pretty_print_context {
 	int preserve_subject;
 	enum date_mode date_mode;
 	unsigned date_mode_explicit:1;
+	unsigned inline_single:1;
 	int need_8bit_cte;
 	char *notes_message;
 	struct reflog_walk_info *reflog_info;
diff --git a/log-tree.c b/log-tree.c
index 34ec20d..15c9749 100644
--- a/log-tree.c
+++ b/log-tree.c
@@ -358,7 +358,11 @@ void log_write_email_headers(struct rev_info *opt, struct commit *commit,
 		subject = "Subject: ";
 	}
 
-	printf("From %s Mon Sep 17 00:00:00 2001\n", name);
+	if (opt->inline_single)
+		printf("-- >8 --\n");
+	else
+		printf("From %s Mon Sep 17 00:00:00 2001\n", name);
+
 	graph_show_oneline(opt->graph);
 	if (opt->message_id) {
 		printf("Message-Id: <%s>\n", opt->message_id);
@@ -683,6 +687,7 @@ void show_log(struct rev_info *opt)
 	ctx.fmt = opt->commit_format;
 	ctx.mailmap = opt->mailmap;
 	ctx.color = opt->diffopt.use_color;
+	ctx.inline_single = opt->inline_single;
 	pretty_print_commit(&ctx, commit, &msgbuf);
 
 	if (opt->add_signoff)
diff --git a/pretty.c b/pretty.c
index eae57ad..363b3d9 100644
--- a/pretty.c
+++ b/pretty.c
@@ -383,6 +383,29 @@ static void add_rfc2047(struct strbuf *sb, const char *line, int len,
 	strbuf_addstr(sb, "?=");
 }
 
+static int is_current_user(const struct pretty_print_context *pp,
+			   const char *email, size_t emaillen,
+			   const char *name, size_t namelen)
+{
+	const char *me = git_committer_info(0);
+	const char *myname, *mymail;
+	size_t mynamelen, mymaillen;
+	struct ident_split ident;
+
+	if (split_ident_line(&ident, me, strlen(me)))
+		return 0; /* play safe, as we do not know */
+	mymail = ident.mail_begin;
+	mymaillen = ident.mail_end - ident.mail_begin;
+	myname = ident.name_begin;
+	mynamelen = ident.name_end - ident.name_begin;
+	if (pp->mailmap)
+		map_user(pp->mailmap, &mymail, &mymaillen, &myname, &mynamelen);
+	return (mymaillen == emaillen &&
+		mynamelen == namelen &&
+		!memcmp(mymail, email, emaillen) &&
+		!memcmp(myname, name, namelen));
+}
+
 void pp_user_info(const struct pretty_print_context *pp,
 		  const char *what, struct strbuf *sb,
 		  const char *line, const char *encoding)
@@ -412,7 +435,6 @@ void pp_user_info(const struct pretty_print_context *pp,
 	if (split_ident_line(&ident, line, linelen))
 		return;
 
-
 	mailbuf = ident.mail_begin;
 	maillen = ident.mail_end - ident.mail_begin;
 	namebuf = ident.name_begin;
@@ -421,6 +443,9 @@ void pp_user_info(const struct pretty_print_context *pp,
 	if (pp->mailmap)
 		map_user(pp->mailmap, &mailbuf, &maillen, &namebuf, &namelen);
 
+	if (pp->inline_single && is_current_user(pp, mailbuf, maillen, namebuf, namelen))
+		return;
+
 	strbuf_init(&mail, 0);
 	strbuf_init(&name, 0);
 
diff --git a/revision.h b/revision.h
index 90813dd..0c6d955 100644
--- a/revision.h
+++ b/revision.h
@@ -143,6 +143,7 @@ struct rev_info {
 	const char	*log_reencode;
 	const char	*subject_prefix;
 	int		disposition_attachment;
+	int		inline_single;
 	int		show_log_size;
 	struct string_list *mailmap;
 
-- 
1.8.2.rc0.129.gcce6fe7

Re: [PATCH 2/2] format-patch: --inline-single

[Jeff King]

On Thu, Feb 21, 2013 at 12:26:22PM -0800, Junio C Hamano wrote:

> Some people may find it convenient to append a simple patch at the
> bottom of a discussion e-mail separated by a "scissors" mark, ready
> to be applied with "git am -c".  Introduce "--inline-single" option
> to format-patch to do so.  A typical usage example might be to start
> 'F'ollow-up to a discussion, write your message, conclude with "a
> patch to do so may look like this.", and
> 
>     \C-u M-! git format-patch --inline-single -1 HEAD <ENTER>
> 
> if you are an Emacs user.  Users of other MUA's may want to consult
> their manuals to find equivalent command to append output from an
> external command to the message being composed.

Interesting. I usually just do this by hand, but this could save a few
keystrokes in my workflow.

> +static int is_current_user(const struct pretty_print_context *pp,
> +			   const char *email, size_t emaillen,
> +			   const char *name, size_t namelen)
> +{
> +	const char *me = git_committer_info(0);
> +	const char *myname, *mymail;
> +	size_t mynamelen, mymaillen;
> +	struct ident_split ident;
> +
> +	if (split_ident_line(&ident, me, strlen(me)))
> +		return 0; /* play safe, as we do not know */
> +	mymail = ident.mail_begin;
> +	mymaillen = ident.mail_end - ident.mail_begin;
> +	myname = ident.name_begin;
> +	mynamelen = ident.name_end - ident.name_begin;
> +	if (pp->mailmap)
> +		map_user(pp->mailmap, &mymail, &mymaillen, &myname, &mynamelen);
> +	return (mymaillen == emaillen &&
> +		mynamelen == namelen &&
> +		!memcmp(mymail, email, emaillen) &&
> +		!memcmp(myname, name, namelen));
> +}

Nice, I'm glad you handled this case properly. I've wondered if we
should have an option to do a similar test when writing out the "real"
message format. I.e., to put the extra "From" line in the body of the
message when !is_current_user(). Traditionally we have just said "that
is the responsibility of the MUA you use", and let send-email handle it.
But it means people who do not use send-email have to reimplement the
feature themselves.

> @@ -421,6 +443,9 @@ void pp_user_info(const struct pretty_print_context *pp,
>  	if (pp->mailmap)
>  		map_user(pp->mailmap, &mailbuf, &maillen, &namebuf, &namelen);
>  
> +	if (pp->inline_single && is_current_user(pp, mailbuf, maillen, namebuf, namelen))
> +		return;
> +
>  	strbuf_init(&mail, 0);
>  	strbuf_init(&name, 0);

This makes sense to suppress the user line when it is not necessary. But
we should probably always be suppressing the Date line, as it is almost
always useless.

I also wonder if we should suppress the subject-prefix in such a case,
as it is not adding anything (it is not the subject of the email, so it
does not need to grab attention there, and it will not make it into the
final commit). On the other hand, having tried it, the "Subject:" looks
a little lonely without it. Perhaps the [PATCH] is still necessary to
grab attention after the scissors line. I dunno.

Patch for both below if you want to pick up either suggestion.

diff --git a/log-tree.c b/log-tree.c
index 15c9749..8994354 100644
--- a/log-tree.c
+++ b/log-tree.c
@@ -348,7 +348,8 @@ void log_write_email_headers(struct rev_info *opt, struct commit *commit,
 			 digits_in_number(opt->total),
 			 opt->nr, opt->total);
 		subject = buffer;
-	} else if (opt->total == 0 && opt->subject_prefix && *opt->subject_prefix) {
+	} else if (opt->total == 0 && !opt->inline_single &&
+		   opt->subject_prefix && *opt->subject_prefix) {
 		static char buffer[256];
 		snprintf(buffer, sizeof(buffer),
 			 "Subject: [%s] ",
diff --git a/pretty.c b/pretty.c
index 363b3d9..1a7352c 100644
--- a/pretty.c
+++ b/pretty.c
@@ -490,7 +490,8 @@ void pp_user_info(const struct pretty_print_context *pp,
 		strbuf_addf(sb, "Date:   %s\n", show_date(time, tz, pp->date_mode));
 		break;
 	case CMIT_FMT_EMAIL:
-		strbuf_addf(sb, "Date: %s\n", show_date(time, tz, DATE_RFC2822));
+		if (!pp->inline_single)
+			strbuf_addf(sb, "Date: %s\n", show_date(time, tz, DATE_RFC2822));
 		break;
 	case CMIT_FMT_FULLER:
 		strbuf_addf(sb, "%sDate: %s\n", what, show_date(time, tz, pp->date_mode));

Re: [PATCH 2/2] format-patch: --inline-single

[Junio C Hamano]

Jeff King <peff@peff.net> writes:

>> @@ -421,6 +443,9 @@ void pp_user_info(const struct pretty_print_context *pp,
>>  	if (pp->mailmap)
>>  		map_user(pp->mailmap, &mailbuf, &maillen, &namebuf, &namelen);
>>  
>> +	if (pp->inline_single && is_current_user(pp, mailbuf, maillen, namebuf, namelen))
>> +		return;
>> +
>>  	strbuf_init(&mail, 0);
>>  	strbuf_init(&name, 0);
>
> This makes sense to suppress the user line when it is not necessary. But
> we should probably always be suppressing the Date line, as it is almost
> always useless.

When I (figuratively) am sending my patch in a discussion, saying
"You could do it this way", on the other hand, I agree that the date
is uninteresting.

I however think I would prefer to keep the Date: line when I am
relaying somebody else's work during a discussion.  It is more like
"Yeah, Peff already did that with this commit; here it is for
reference". The fact that I have _your_ patch makes it more "done",
than the case I send out my own patch.

Besides, removing an extra line in the MUA editor is far easier than
having to type what the tool "helpfully" omitted, guided by an "it
is almost always useless" that is not backed by the user preference.
I'd rather err on the side of giving extra than omitting too much.

> I also wonder if we should suppress the subject-prefix in such a case,
> as it is not adding anything (it is not the subject of the email, so it
> does not need to grab attention there, and it will not make it into the
> final commit).

If the user does not want to waste too much space in the message,
not passing the --subject-prefix=foo from the command line, or
editing it out in the editor buffer if for some reason the user ran
the command with the option, are both easy things to do.  I do not
think extra lines to excise subject prefix is not worth it, and who
knows what the user's preferences are.

But there is something more important.

We should make sure that we disable MIMEy stuff (i.e. MIME-Version,
C-T-E: 8bit/quoted-printable, Content-type, etc.) when producing the
output to be appended to the body, which should be just a straight
8-bit text.  I do not think the posted patch tries to do anything to
that effect.

Re: [PATCH 2/2] format-patch: --inline-single

[Junio C Hamano]

Junio C Hamano <gitster@pobox.com> writes:

> Jeff King <peff@peff.net> writes:
>
>>> @@ -421,6 +443,9 @@ void pp_user_info(const struct pretty_print_context *pp,
>>>  	if (pp->mailmap)
>>>  		map_user(pp->mailmap, &mailbuf, &maillen, &namebuf, &namelen);
>>>  
>>> +	if (pp->inline_single && is_current_user(pp, mailbuf, maillen, namebuf, namelen))
>>> +		return;
>>> +
>>>  	strbuf_init(&mail, 0);
>>>  	strbuf_init(&name, 0);
>>
>> This makes sense to suppress the user line when it is not necessary. But
>> we should probably always be suppressing the Date line, as it is almost
>> always useless.
>
> When I (figuratively) am sending my patch in a discussion, saying
> "You could do it this way", on the other hand, I agree that the date
> is uninteresting.

Just in case somebody is wondering, please s/, on the other hand//;
above.  I swapped the paragraphs after I wrote them X-<.

Re: [PATCH 2/2] format-patch: --inline-single

[Adam Spiers]

On Thu, Feb 21, 2013 at 06:13:28PM -0500, Jeff King wrote:
> On Thu, Feb 21, 2013 at 12:26:22PM -0800, Junio C Hamano wrote:
> 
> > Some people may find it convenient to append a simple patch at the
> > bottom of a discussion e-mail separated by a "scissors" mark, ready
> > to be applied with "git am -c".  Introduce "--inline-single" option
> > to format-patch to do so.  A typical usage example might be to start
> > 'F'ollow-up to a discussion, write your message, conclude with "a
> > patch to do so may look like this.", and
> > 
> >     \C-u M-! git format-patch --inline-single -1 HEAD <ENTER>
> > 
> > if you are an Emacs user.  Users of other MUA's may want to consult
> > their manuals to find equivalent command to append output from an
> > external command to the message being composed.
> 
> Interesting. I usually just do this by hand, but this could save a few
> keystrokes in my workflow.

Same here.  This is great; thanks a lot both for working on it!

Re: [PATCH 2/2] format-patch: --inline-single

[Junio C Hamano]

Jeff King <peff@peff.net> writes:

>> ... <helper function to see if the user is the author> ...
>> +}
>
> Nice, I'm glad you handled this case properly. I've wondered if we
> should have an option to do a similar test when writing out the "real"
> message format. I.e., to put the extra "From" line in the body of the
> message when !is_current_user(). Traditionally we have just said "that
> is the responsibility of the MUA you use", and let send-email handle it.
> But it means people who do not use send-email have to reimplement the
> feature themselves.

I am not sure if I follow.  Do you mean that you have to remove
fewer lines if you omit Date/From when it is from you in the first
place?  People who do not use send-email (like me) slurp the output
0001-have-gostak-distim-doshes.patch into their MUA editor, tell the
MUA to use the contents on the Subject: line as the subject, and
remove what is redundant, including the Subject.  Because the output
cannot be used as-is anyway, I do not think it is such a big deal.

And those who have a custom mechanism to stuff our output in their
MUA's outbox, similar to what imap-send does, would already have to
have a trivial parser to read the first part of our output up to the
first blank line (i.e. parsing out the header part) and formatting
the information it finds into a form that is understood by their
MUA.  Omitting From: or Date: lines would not help those people who
already have established the procedure to handle the "Oh, this one
is from me" case, or to send the output always with the Sender: and
keeping the From: intact.  So,...

 

Re: [PATCH 2/2] format-patch: --inline-single

[Jeff King]

On Fri, Feb 22, 2013 at 08:47:39AM -0800, Junio C Hamano wrote:

> Jeff King <peff@peff.net> writes:
> 
> >> ... <helper function to see if the user is the author> ...
> >> +}
> >
> > Nice, I'm glad you handled this case properly. I've wondered if we
> > should have an option to do a similar test when writing out the "real"
> > message format. I.e., to put the extra "From" line in the body of the
> > message when !is_current_user(). Traditionally we have just said "that
> > is the responsibility of the MUA you use", and let send-email handle it.
> > But it means people who do not use send-email have to reimplement the
> > feature themselves.
> 
> I am not sure if I follow.  Do you mean that you have to remove
> fewer lines if you omit Date/From when it is from you in the first
> place?

Sorry, I think I confused you by going off on a tangent. The rest of my
email was about dropping unnecessary lines from the inline view.  But
here I was talking about another possible use of the "is user the
author" function. For the existing view, we show:

  From: A U Thor <author@example.com>
  Date: ...
  Subject: [PATCH] whatever

  body

and if committer != author, we expect the MUA to convert that to:

  From: C O Mitter <committer@example.com>
  Date: ...
  Subject: [PATCH] whatever

  From: A U Thor <author@example.com>

  body

That logic happens in git-send-email right now, but given that your
patch adds the "are we the author?" function, it would be trivial to add
a "--sender-is-committer" option to format-patch to have it do it
automatically. That saves the MUA from having to worry about it.

> People who do not use send-email (like me) slurp the output
> 0001-have-gostak-distim-doshes.patch into their MUA editor, tell the
> MUA to use the contents on the Subject: line as the subject, and
> remove what is redundant, including the Subject.  Because the output
> cannot be used as-is anyway, I do not think it is such a big deal.

That is one way to do it. Another way is to hand the output of
format-patch to your MUA as a template, making it a starting point for a
message we are about to send. No manual editing is necessary in that
case, unless the "From" header does not match the sender identity.

> And those who have a custom mechanism to stuff our output in their
> MUA's outbox, similar to what imap-send does, would already have to
> have a trivial parser to read the first part of our output up to the
> first blank line (i.e. parsing out the header part) and formatting
> the information it finds into a form that is understood by their
> MUA.

Not necessarily. The existing format is an rfc822 message, which mailers
understand already. It's perfectly cromulent to do:

  git format-patch --stdout "$@" >mbox &&
  mutt -f mbox

and use mutt's "resend-message" as a starting point for sending each
message. No editing is necessary except for adding recipients (which you
can also do on the command-line to format-patch).

> Omitting From: or Date: lines would not help those people who
> already have established the procedure to handle the "Oh, this one
> is from me" case, or to send the output always with the Sender: and
> keeping the From: intact.  So,...

Right, my point was to help people who _should_ have implemented the
"oh, this one is from me" case, but were too lazy to do so (and it's
actually a little tricky to get right, because you might have to adjust
the mime headers to account for encoded author names).

-Peff