Re: [PATCH] refs: implement reference transaction hooks

On Sun, Jun 07, 2020 at 10:12:33PM +0200, SZEDER Gábor wrote:
> On Wed, Jun 03, 2020 at 01:26:04PM +0200, Patrick Steinhardt wrote:
> > On Tue, Jun 02, 2020 at 10:47:55AM -0700, Junio C Hamano wrote:
> > > Patrick Steinhardt <ps@xxxxxx> writes:
> > > 
> > > > The above scenario is the motivation for a set of three new hooks that
> > > > reach directly into Git's reference transaction. Each of the following
> > > > new hooks (currently) doesn't accept any parameters and receives the set
> > > > of queued reference updates via stdin:
> > > 
> > > Do we have something (e.g. performance measurement) to convince
> > > ourselves that this won't incur unacceptable levels of overhead in
> > > null cases where there is no hook installed in the repository?
> > 
> > Not yet, but I'll try to come up with a benchmark in the next iteration.
> > I guess the best way to test is to directly exercise git-update-refs, as
> > it's nearly a direct wrapper around reference transactions.
> > 
> > > > +	proc.in = -1;
> > > > +	proc.stdout_to_stderr = 1;
> > > > +	proc.trace2_hook_name = hook_name;
> > > > +
> > > > +	code = start_command(&proc);
> > > > +	if (code)
> > > > +		return code;
> > > > +
> > > > +	sigchain_push(SIGPIPE, SIG_IGN);
> > > > +
> > > > +	for (i = 0; i < transaction->nr; i++) {
> > > > +		struct ref_update *update = transaction->updates[i];
> > > > +
> > > > +		strbuf_reset(&buf);
> > > > +		strbuf_addf(&buf, "%s %s %s\n",
> > > > +			    oid_to_hex(&update->old_oid),
> > > > +			    oid_to_hex(&update->new_oid),
> > > > +			    update->refname);
> > > > +
> > > > +		if (write_in_full(proc.in, buf.buf, buf.len) < 0)
> > > > +			break;
> > > 
> > > We leave the loop early when we detect a write failure here...
> > > 
> > > > +	}
> > > > +
> > > > +	close(proc.in);
> > > > +	sigchain_pop(SIGPIPE);
> > > > +
> > > > +	strbuf_release(&buf);
> > > > +	return finish_command(&proc);
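
Review bot: In the write loop, the `break` taken when `write_in_full(proc.in, buf.buf, buf.len) < 0` discards the error. The function then returns only `finish_command(&proc)`, so a hook that exits 0 without reading its stdin turns a truncated write into a successful run. Save errno at the break and, after finish_command(), return a failure for any errno other than EPIPE (or for EPIPE as well, if hooks are required to consume every queued update). A comment saying which of the two is intended would also help.
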
> > > 
> > > ... but the caller does not get notified.  Intended?
> > 
> > This is semi-intended. In case the hook doesn't fully consume stdin and
> > exits early, writing to its stdin would fail as we ignore SIGPIPE. We
> > don't want to force the hook to care about consuming all of stdin,
> > though.
> 
> Why?  How could the prepared hook properly initialize the voting
> mechanism for the transaction without reading all the refs to be
> updated?

Because the hook might not want to implement a voting mechanism after
all but something entirely different which we're currently not
foreseeing as a valid use case. We don't enforce this anywhere else
either, like e.g. for the pre-receive hook. If that one exits early
without consuming its stdin then that's totally fine.

> > We could improve error handling here by ignoring EPIPE, but making every
> > other write error fatal. If there's any other abnormal error condition
> > then we certainly don't want the hook to act on incomplete data and
> > pretend everything's fine.
> 
> As I read v2 of this patch, a prepared hook can exit(0) early without
> reading all the refs to be updated, cause EPIPE in the git process
> invoking the hook, and that process would interpret that as success.
> I haven't thought it through how such a voting mechanism would work,
> but I have a gut feeling that this can't be good.

As said, I lean towards allowing more flexibility for the hook
implementation to also cater for other use cases. But I agree that in a
voting implementation, not reading all of stdin is a bad thing and may
point to a buggy hook implementation. Aborting the transaction if the
hook didn't read all of stdin would be a nice safeguard in that case.

With the current implementation of using a single hook for "prepared",
"committed" and "aborted", it'd also force the hook implementation to do
something in cases it doesn't care about. E.g.

    #!/bin/sh
    case "$1" in
        prepared)
            VOTE=$(sha1sum <&0)
            cast $VOTE
            ;;
        aborted|committed)
            cat <&0 >/dev/null
            ;;
    esac

That being said, I'm not opposed to enforcing this and not treating EPIPE
differently.

Patrick
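
The error-handling policy discussed in this thread (ignore EPIPE, treat any other write error as fatal), as an added C example that is not Git's code and not part of the patch. `feed_hook()`, `enum feed_result` and the sample update line are constructed for illustration, and a forked child stands in for the hook.

```c
/* Added example, not Git code: feed_hook() and the sample line are constructed. */
#include <errno.h>
#include <signal.h>
#include <sys/wait.h>
#include <unistd.h>

enum feed_result { FEED_ERROR = -1, FEED_OK = 0, FEED_HOOK_CLOSED_EARLY = 1 };
static const char line[] = "0000000000000000000000000000000000000000 "
	"1111111111111111111111111111111111111111 refs/heads/constructed\n";
/* The forked child plays the hook: it drains stdin if hook_reads, else exits 0 at once. */
enum feed_result feed_hook(int hook_reads, int nlines, int *hook_status)
{
	int fds[2], i, err = 0, status;
	char sink[4096];
	pid_t pid;
	if (pipe(fds) < 0)
		return FEED_ERROR;
	if ((pid = fork()) == 0) {
		close(fds[1]);
		while (hook_reads && read(fds[0], sink, sizeof(sink)) > 0)
			; /* consume input until EOF */
		_exit(0);
	}
	close(fds[0]);
	void (*old)(int) = signal(SIGPIPE, SIG_IGN); /* write() now fails with EPIPE */
	for (i = 0; pid > 0 && i < nlines && !err; i++) {
		const char *p = line;
		size_t left = sizeof(line) - 1;
		while (left && !err) {
			ssize_t n = write(fds[1], p, left);
			if (n > 0)
				p += n, left -= n;
			else if (n < 0 && errno != EINTR)
				err = errno; /* keep the reason instead of a bare break */
		}
	}
	close(fds[1]);
	signal(SIGPIPE, old);
	if (pid < 0 || waitpid(pid, &status, 0) < 0)
		return FEED_ERROR;
	*hook_status = WIFEXITED(status) ? WEXITSTATUS(status) : -1;
	/* EPIPE only means the hook stopped reading; any other errno is fatal. */
	return !err ? FEED_OK : err == EPIPE ? FEED_HOOK_CLOSED_EARLY : FEED_ERROR;
}

int main(void)
{
	int st = -1;
	return feed_hook(0, 20000, &st) != FEED_HOOK_CLOSED_EARLY; /* 0 if seen */
}
```

Because a pipe buffers writes, a hook that exits without reading produces EPIPE only once the queued updates exceed the pipe's capacity or the hook has already exited, so an error-free write does not prove the hook consumed its input.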
