git/gpg-interface.c, branch v2.46.2

global: convert intentionally-leaking config strings to consts

2024-06-07T17:30:48Z

There are multiple cases where we intentionally leak config strings: - `struct gpg_format` is used to track programs that can be used for signing commits, either via gpg(1), gpgsm(1) or ssh-keygen(1). The user can override the commands via several config variables. As the array is populated once, only, and the struct memers are never written to or free'd. - `struct ll_merge_driver` is used to track merge drivers. Same as with the GPG format, these drivers are populated once and then reused. Its data is never written to or free'd, either. - `struct userdiff_funcname` and `struct userdiff_driver` can be configured via `diff..*` to add additional drivers. Again, these have a global lifetime and are never written to or free'd. All of these are intentionally kept alive and are never written to. Furthermore, all of these are being assigned both string constants in some places, and allocated strings in other places. This will cause warnings once we enable `-Wwrite-strings`, so let's mark the respective fields as `const char *` and cast away the constness when assigning those values. Signed-off-by: Patrick Steinhardt Signed-off-by: Junio C Hamano

global: improve const correctness when assigning string constants

2024-06-07T17:30:48Z

We're about to enable `-Wwrite-strings`, which changes the type of string constants to `const char[]`. Fix various sites where we assign such constants to non-const variables. Signed-off-by: Patrick Steinhardt Signed-off-by: Junio C Hamano

config: clarify memory ownership in `git_config_string()`

2024-05-27T18:20:00Z

The out parameter of `git_config_string()` is a `const char **` even though we transfer ownership of memory to the caller. This is quite misleading and has led to many memory leaks all over the place. Adapt the parameter to instead be `char **`. Signed-off-by: Patrick Steinhardt Signed-off-by: Junio C Hamano

config: clarify memory ownership in `git_config_pathname()`

2024-05-27T18:19:59Z

The out parameter of `git_config_pathname()` is a `const char **` even though we transfer ownership of memory to the caller. This is quite misleading and has led to many memory leaks all over the place. Adapt the parameter to instead be `char **`. Signed-off-by: Patrick Steinhardt Signed-off-by: Junio C Hamano

Merge branch 'rs/date-mode-pass-by-value'

2024-04-16T21:50:29Z

The codepaths that reach date_mode_from_type() have been updated to pass "struct date_mode" by value to make them thread safe. * rs/date-mode-pass-by-value: date: make DATE_MODE thread-safe

date: make DATE_MODE thread-safe

2024-04-05T22:21:14Z

date_mode_from_type() modifies a static variable and returns a pointer to it. This is not thread-safe. Most callers of date_mode_from_type() use it via the macro DATE_MODE and pass its result on to functions like show_date(), which take a const pointer and don't modify the struct. Avoid the static storage by putting the variable on the stack and returning the whole struct date_mode. Change functions that take a constant pointer to expect the whole struct instead. Reduce the cost of passing struct date_mode around on 64-bit systems by reordering its members to close the hole between the 32-bit wide .type and the 64-bit aligned .strftime_fmt as well as the alignment hole at the end. sizeof reports 24 before and 16 with this change on x64. Keep .type at the top to still allow initialization without designator -- though that's only done in a single location, in builtin/blame.c. Signed-off-by: René Scharfe Acked-by: Jeff King Signed-off-by: Junio C Hamano

strbuf: accept a comment string for strbuf_stripspace()

2024-03-12T20:28:10Z

As part of our transition to multi-byte comment characters, let's take a NUL-terminated string pointer for strbuf_stripspace(), rather than a single character. We can continue to support its feature of ignoring comments by accepting a NULL pointer (as opposed to the current behavior of a NUL byte). All of the callers have to be adjusted, but they can all just pass comment_line_str (or NULL). Inside the function we detect comments by comparing the first byte of a line to the comment character. We'll adjust that to use starts_with(), which will match multiple bytes (though for now, of course, we still only allow a single byte, so it's academic). Signed-off-by: Jeff King Signed-off-by: Junio C Hamano

Merge branch 'jc/sign-buffer-failure-propagation-fix'

2024-02-12T21:16:11Z

A failed "git tag -s" did not necessarily result in an error depending on the crypto backend, which has been corrected. * jc/sign-buffer-failure-propagation-fix: ssh signing: signal an error with a negative return value tag: fix sign_buffer() call to create a signed tag

ssh signing: signal an error with a negative return value

2024-02-08T05:31:42Z

The other backend for the sign_buffer() function followed our usual "an error is signalled with a negative return" convention, but the SSH signer did not. Even though we already fixed the caller that assumed only a negative return value is an error, tighten the callee to signal an error with a negative return as well. This way, the callees will be strict on what they produce, while the callers will be lenient in what they accept. Signed-off-by: Junio C Hamano

Merge branch 'en/header-cleanup'

2024-01-08T22:05:15Z

Remove unused header "#include". * en/header-cleanup: treewide: remove unnecessary includes in source files treewide: add direct includes currently only pulled in transitively trace2/tr2_tls.h: remove unnecessary include submodule-config.h: remove unnecessary include pkt-line.h: remove unnecessary include line-log.h: remove unnecessary include http.h: remove unnecessary include fsmonitor--daemon.h: remove unnecessary includes blame.h: remove unnecessary includes archive.h: remove unnecessary include treewide: remove unnecessary includes in source files treewide: remove unnecessary includes from header files