Merge pull request libgit2#4536 from libgit2/ethomson/index_dirty

Add a "dirty" state to the index when it has unsaved changes

Author: ethomson

docs/changelog.md

@@ -16,6 +16,18 @@ v0.27 + 1
 * You can now swap out memory allocators via the
   `GIT_OPT_SET_ALLOCATOR` option with `git_libgit2_opts()`.
 
+* You can now ensure that functions do not discard unwritten changes to the
+  index via the `GIT_OPT_ENABLE_UNSAVED_INDEX_SAFETY` option to
+  `git_libgit2_opts()`.  This will cause functions that implicitly re-read
+  the index (eg, `git_checkout`) to fail if you have staged changes to the
+  index but you have not written the index to disk.  (Unless the checkout
+  has the FORCE flag specified.)
+
+  At present, this defaults to off, but we intend to enable this more
+  broadly in the future, as a warning or error.  We encourage you to
+  examine your code to ensure that you are not relying on the current
+  behavior that implicitly removes staged changes.
+
 ### API removals
 
 ### Breaking API changes

include/git2/common.h

@@ -194,7 +194,8 @@ typedef enum {
 	GIT_OPT_GET_WINDOWS_SHAREMODE,
 	GIT_OPT_SET_WINDOWS_SHAREMODE,
 	GIT_OPT_ENABLE_STRICT_HASH_VERIFICATION,
-	GIT_OPT_SET_ALLOCATOR
+	GIT_OPT_SET_ALLOCATOR,
+	GIT_OPT_ENABLE_UNSAVED_INDEX_SAFETY
 } git_libgit2_opt_t;
 
 /**
@@ -363,6 +364,14 @@ typedef enum {
  *		> allocator will then be used to make all memory allocations for
  *		> libgit2 operations.
  *
+ *	 opts(GIT_OPT_ENABLE_UNSAVED_INDEX_SAFETY, int enabled)
+ *
+ *		> Ensure that there are no unsaved changes in the index before
+ *		> beginning any operation that reloads the index from disk (eg,
+ *		> checkout).  If there are unsaved changes, the instruction will
+ *		> fail.  (Using the FORCE flag to checkout will still overwrite
+ *		> these changes.)
+ *
  * @param option Option key
  * @param ... value to set the option
  * @return 0 on success, <0 on failure

include/git2/errors.h

@@ -55,6 +55,7 @@ typedef enum {
 	GIT_ITEROVER        = -31,	/**< Signals end of iteration with iterator */
 	GIT_RETRY           = -32,	/**< Internal only */
 	GIT_EMISMATCH       = -33,	/**< Hashsum mismatch in object */
+	GIT_EINDEXDIRTY     = -34,	/**< Unsaved changes in the index would be overwritten */
 } git_error_code;
 
 /**

src/checkout.c

@@ -2397,31 +2397,40 @@ static int checkout_data_init(
 				GIT_DIR_MODE, GIT_MKDIR_VERIFY_DIR)) < 0)
 		goto cleanup;
 
+	if ((error = git_repository_index(&data->index, data->repo)) < 0)
+		goto cleanup;
+
 	/* refresh config and index content unless NO_REFRESH is given */
 	if ((data->opts.checkout_strategy & GIT_CHECKOUT_NO_REFRESH) == 0) {
 		git_config *cfg;
 
 		if ((error = git_repository_config__weakptr(&cfg, repo)) < 0)
 			goto cleanup;
 
-		/* Get the repository index and reload it (unless we're checking
-		 * out the index; then it has the changes we're trying to check
-		 * out and those should not be overwritten.)
+		/* Reload the repository index (unless we're checking out the
+		 * index; then it has the changes we're trying to check out
+		 * and those should not be overwritten.)
 		 */
-		if ((error = git_repository_index(&data->index, data->repo)) < 0)
-			goto cleanup;
-
 		if (data->index != git_iterator_index(target)) {
-			if ((error = git_index_read(data->index, true)) < 0)
-				goto cleanup;
-
-			/* cannot checkout if unresolved conflicts exist */
-			if ((data->opts.checkout_strategy & GIT_CHECKOUT_FORCE) == 0 &&
-				git_index_has_conflicts(data->index)) {
-				error = GIT_ECONFLICT;
-				giterr_set(GITERR_CHECKOUT,
-					"unresolved conflicts exist in the index");
-				goto cleanup;
+			if (data->opts.checkout_strategy & GIT_CHECKOUT_FORCE) {
+				/* When forcing, we can blindly re-read the index */
+				if ((error = git_index_read(data->index, false)) < 0)
+					goto cleanup;
+			} else {
+				/*
+				 * When not being forced, we need to check for unresolved
+				 * conflicts and unsaved changes in the index before
+				 * proceeding.
+				 */
+				if (git_index_has_conflicts(data->index)) {
+					error = GIT_ECONFLICT;
+					giterr_set(GITERR_CHECKOUT,
+						"unresolved conflicts exist in the index");
+					goto cleanup;
+				}
+
+				if ((error = git_index_read_safely(data->index)) < 0)
+					goto cleanup;
 			}
 
 			/* clean conflict data in the current index */

src/index.c

@@ -135,6 +135,8 @@ struct reuc_entry_internal {
 	char path[GIT_FLEX_ARRAY];
 };
 
+bool git_index__enforce_unsaved_safety = false;
+
 /* local declarations */
 static size_t read_extension(git_index *index, const char *buffer, size_t buffer_size);
 static int read_header(struct index_header *dest, const void *buffer);
@@ -516,6 +518,8 @@ static int index_remove_entry(git_index *index, size_t pos)
 		} else {
 			index_entry_free(entry);
 		}
+
+		index->dirty = 1;
 	}
 
 	return error;
@@ -527,6 +531,7 @@ int git_index_clear(git_index *index)
 
 	assert(index);
 
+	index->dirty = 1;
 	index->tree = NULL;
 	git_pool_clear(&index->tree_pool);
 
@@ -637,8 +642,10 @@ int git_index_read(git_index *index, int force)
 	index->on_disk = git_path_exists(index->index_file_path);
 
 	if (!index->on_disk) {
-		if (force)
-			return git_index_clear(index);
+		if (force && (error = git_index_clear(index)) < 0)
+			return error;
+
+		index->dirty = 0;
 		return 0;
 	}
 
@@ -650,6 +657,7 @@ int git_index_read(git_index *index, int force)
 			index->index_file_path);
 		return updated;
 	}
+
 	if (!updated && !force)
 		return 0;
 
@@ -665,13 +673,26 @@ int git_index_read(git_index *index, int force)
 	if (!error)
 		error = parse_index(index, buffer.ptr, buffer.size);
 
-	if (!error)
+	if (!error) {
 		git_futils_filestamp_set(&index->stamp, &stamp);
+		index->dirty = 0;
+	}
 
 	git_buf_dispose(&buffer);
 	return error;
 }
 
+int git_index_read_safely(git_index *index)
+{
+	if (git_index__enforce_unsaved_safety && index->dirty) {
+		giterr_set(GITERR_INDEX,
+			"the index has unsaved changes that would be overwritten by this operation");
+		return GIT_EINDEXDIRTY;
+	}
+
+	return git_index_read(index, false);
+}
+
 int git_index__changed_relative_to(
 	git_index *index, const git_oid *checksum)
 {
@@ -735,8 +756,10 @@ static int truncate_racily_clean(git_index *index)
 		/* Ensure that we have a stage 0 for this file (ie, it's not a
 		 * conflict), otherwise smudging it is quite pointless.
 		 */
-		if (entry)
+		if (entry) {
 			entry->file_size = 0;
+			index->dirty = 1;
+		}
 	}
 
 done:
@@ -774,8 +797,9 @@ int git_index_write(git_index *index)
 
 	truncate_racily_clean(index);
 
-	if ((error = git_indexwriter_init(&writer, index)) == 0)
-		error = git_indexwriter_commit(&writer);
+	if ((error = git_indexwriter_init(&writer, index)) == 0 &&
+		(error = git_indexwriter_commit(&writer)) == 0)
+		index->dirty = 0;
 
 	git_indexwriter_cleanup(&writer);
 
@@ -1389,6 +1413,8 @@ static int index_insert(
 	if (error < 0) {
 		index_entry_free(*entry_ptr);
 		*entry_ptr = NULL;
+	} else {
+		index->dirty = 1;
 	}
 
 	return error;
@@ -1616,6 +1642,8 @@ int git_index__fill(git_index *index, const git_vector *source_entries)
 		INSERT_IN_MAP(index, entry, &ret);
 		if (ret < 0)
 			break;
+
+		index->dirty = 1;
 	}
 
 	if (!ret)
@@ -2053,6 +2081,7 @@ int git_index_name_add(git_index *index,
 		return -1;
 	}
 
+	index->dirty = 1;
 	return 0;
 }
 
@@ -2067,6 +2096,8 @@ void git_index_name_clear(git_index *index)
 		index_name_entry_free(conflict_name);
 
 	git_vector_clear(&index->names);
+
+	index->dirty = 1;
 }
 
 size_t git_index_reuc_entrycount(git_index *index)
@@ -2092,6 +2123,8 @@ static int index_reuc_insert(
 	assert(git_vector_is_sorted(&index->reuc));
 
 	res = git_vector_insert_sorted(&index->reuc, reuc, &index_reuc_on_dup);
+	index->dirty = 1;
+
 	return res == GIT_EEXISTS ? 0 : res;
 }
 
@@ -2157,6 +2190,7 @@ int git_index_reuc_remove(git_index *index, size_t position)
 	if (!error)
 		index_entry_reuc_free(reuc);
 
+	index->dirty = 1;
 	return error;
 }
 
@@ -2170,6 +2204,8 @@ void git_index_reuc_clear(git_index *index)
 		index_entry_reuc_free(git__swap(index->reuc.contents[i], NULL));
 
 	git_vector_clear(&index->reuc);
+
+	index->dirty = 1;
 }
 
 static int index_error_invalid(const char *message)
@@ -2604,6 +2640,7 @@ static int parse_index(git_index *index, const char *buffer, size_t buffer_size)
 	git_vector_set_sorted(&index->entries, !index->ignore_case);
 	git_vector_sort(&index->entries);
 
+	index->dirty = 0;
 done:
 	return error;
 }
@@ -3070,6 +3107,8 @@ int git_index_read_tree(git_index *index, const git_tree *tree)
 		entries_map = git__swap(index->entries_map, entries_map);
 	}
 
+	index->dirty = 1;
+
 cleanup:
 	git_vector_free(&entries);
 	git_idxmap_free(entries_map);
@@ -3209,6 +3248,7 @@ static int git_index_read_iterator(
 
 	clear_uptodate(index);
 
+	index->dirty = 1;
 	error = 0;
 
 done:
@@ -3601,6 +3641,7 @@ int git_indexwriter_commit(git_indexwriter *writer)
 		return -1;
 	}
 
+	writer->index->dirty = 0;
 	writer->index->on_disk = 1;
 	git_oid_cpy(&writer->index->checksum, &checksum);
 

src/index.h

@@ -20,6 +20,8 @@
 #define GIT_INDEX_FILE "index"
 #define GIT_INDEX_FILE_MODE 0666
 
+extern bool git_index__enforce_unsaved_safety;
+
 struct git_index {
 	git_refcount rc;
 
@@ -37,6 +39,7 @@ struct git_index {
 	unsigned int ignore_case:1;
 	unsigned int distrust_filemode:1;
 	unsigned int no_symlinks:1;
+	unsigned int dirty:1;	/* whether we have unsaved changes */
 
 	git_tree_cache *tree;
 	git_pool tree_pool;
@@ -143,6 +146,13 @@ extern int git_index_snapshot_find(
 /* Replace an index with a new index */
 int git_index_read_index(git_index *index, const git_index *new_index);
 
+GIT_INLINE(int) git_index_is_dirty(git_index *index)
+{
+	return index->dirty;
+}
+
+extern int git_index_read_safely(git_index *index);
+
 typedef struct {
 	git_index *index;
 	git_filebuf file;

src/settings.c

@@ -23,6 +23,7 @@
 #include "object.h"
 #include "odb.h"
 #include "refs.h"
+#include "index.h"
 #include "transports/smart.h"
 #include "streams/openssl.h"
 #include "streams/mbedtls.h"
@@ -265,6 +266,10 @@ int git_libgit2_opts(int key, ...)
 		error = git_allocator_setup(va_arg(ap, git_allocator *));
 		break;
 
+	case GIT_OPT_ENABLE_UNSAVED_INDEX_SAFETY:
+		git_index__enforce_unsaved_safety = (va_arg(ap, int) != 0);
+		break;
+
 	default:
 		giterr_set(GITERR_INVALID, "invalid option key");
 		error = -1;