Skip to content

fix(git-remote): drive multi-round fetch as a v0 stateless-RPC client loop (#117)#192

Open
beardthelion wants to merge 6 commits into
mainfrom
fix/issue-117-multiround-fetch-deadlock
Open

fix(git-remote): drive multi-round fetch as a v0 stateless-RPC client loop (#117)#192
beardthelion wants to merge 6 commits into
mainfrom
fix/issue-117-multiround-fetch-deadlock

Conversation

@beardthelion

@beardthelion beardthelion commented Jul 12, 2026

Copy link
Copy Markdown
Collaborator

Fixes #117.

git-remote-gitlawb advertised the connect capability, so git spoke the stateful native protocol, but handle_connect collapsed the exchange into a single GET + single POST. A multi-round fetch (more than ~32 commits of overlapping history, the common "pull into an existing clone") deadlocked: git sent a flush-terminated have batch and blocked for an ACK/NAK the helper never sent, while the helper blocked reading for a done git never sent.

Phase 2 for git-upload-pack is now a per-round v0 smart-HTTP stateless-RPC client loop, the role git's own remote-curl plays. read_upload_pack_round returns one negotiation round at a time (at a flush, done, or EOF) instead of buffering past flushes; negotiate_upload_pack captures the wants once and POSTs a self-contained request per flush-terminated batch (wants + one flush + every have accumulated so far + exactly one terminator), streams each ACK/NAK back to git, and stops on the done round. The node's git upload-pack --stateless-rpc keeps no state between POSTs, so wants and all prior haves are re-sent every round and no intermediate flush survives into a body.

Signing is preserved per round: every POST carries the Phase-1 decision (signed after the 404 escalation for a private repo, anonymous for a public one), and a mid-negotiation denial surfaces through the sanitized error path rather than reading as an empty or successful fetch. The git-receive-pack (push) path is unchanged, and no node code is touched.

Verification

  • Unit + mock coverage: the deadlock repro (blocking reader, was RED at the 2s timeout), multi-round accumulation asserted byte-for-byte on the wire, per-round signing for private and public fetches (including the must-not cases), mid-negotiation denial surfacing, single-round non-regression, and the branch-coverage edges. Load-bearing checks confirmed by mutation.
  • A committed real-git integration test (tests/real_git_fetch.rs) drives a real git fetch (forced to >=2 rounds) through the built helper against a real git upload-pack --stateless-rpc, so the stateful-to-stateless bridging is executed, not reasoned.
  • Verified against a running node: an incremental fetch with a real two-round negotiation exits 0 with the correct object graph (the exact case that hung before), and a private repo fetched anonymously surfaces the sanitized 404 promptly with no hang and no leak.

Follow-up

The one case this does not make work is an incremental fetch of a repo with a path-scoped withheld subtree: the node's upload_pack_excluding sends its pack on the first POST, which real git rejects mid-negotiation. The helper forwards and terminates cleanly, so it is a node-side issue, filed as #191. A committed test here (real_git_withheld_shaped_first_post) records that rejection so a node-side fix can verify against it.

STRATEGY track: stabilize.

Summary by CodeRabbit

  • Bug Fixes
    • Improved compatibility for multi-round git-upload-pack --stateless-rpc by correctly handling per-round termination, streaming responses, and accumulating negotiation state.
    • Fixed potential hangs/incorrect escalation during negotiation, including EOF and malformed-stream edge cases.
    • Added validation for multi-round signature behavior and correct access-denied handling mid-negotiation.
  • Tests
    • Added real end-to-end git fetch integration tests using an in-process smart-HTTP shim, including multi-round boundaries, withheld first-post, and FETCH_HEAD/fsck verification.
    • Added regression coverage for timeouts, process cleanup on unwind, and avoiding deadlocks from large stdout/stderr.
  • Chores
    • Updated development dependencies for the new Unix-specific test support.

t added 4 commits July 11, 2026 19:40
… loop (#117)

git-remote-gitlawb advertised `connect`, so git spoke the stateful native
protocol, but handle_connect collapsed the exchange into one GET plus one POST.
A multi-round fetch (more than ~32 overlapping commits) deadlocked: git sent a
flush-terminated have-batch and blocked for an ACK/NAK the helper never sent,
while the helper blocked reading for a `done` git never sent.

Turn Phase 2 into a per-round stateless-RPC client loop. read_upload_pack_round
returns one round at a time (at a flush, done, or EOF) instead of buffering past
flushes waiting for `done`; negotiate_upload_pack captures the wants once and
POSTs a self-contained request per flush-terminated batch: wants, one flush,
every have accumulated so far, and exactly one terminator. Each ACK/NAK is
streamed back to git so it advances, until the done round returns the pack. The
node's `git upload-pack --stateless-rpc` keeps no state between POSTs, so wants
and all prior haves are re-sent every round and no intermediate flush survives
into a body (which would truncate the negotiation server-side).

Signing is preserved per round: every POST carries the Phase-1 decision (signed
after the 404 escalation for a private repo, anonymous for a public one), and a
mid-negotiation denial surfaces through the sanitized error path rather than
reading as an empty or successful fetch. The receive-pack path is unchanged.

Covers the deadlock repro, multi-round accumulation on the wire, per-round
signing for private and public fetches, mid-negotiation denial surfacing, the
withheld-shaped forwarding path, and single-round non-regression.
… loop (#117)

A committed integration test drives a real `git fetch` through the built helper
against a real `git upload-pack --stateless-rpc`, so the stateful-to-stateless
ACK bridging is proven by execution rather than reasoned. The main.rs mock tests
cannot falsify it: a pre-scripted Cursor never reacts to the server's ACKs. An
in-test shim replicates the node's v0 serving; the fetch is forced to at least
two negotiation rounds (a fixture that resolved in one round fails the test) and
the resulting object graph is verified.

The second scenario drives the withheld-blob shape (a full pack on the first
POST, as upload_pack_excluding does) through real git and records the outcome:
real git rejects a pack where it expected an ACK continuation ("expected
ACK/NAK, got ..."), so a multi-round fetch of a withheld repo does not complete.
The helper forwards and terminates cleanly rather than hanging, so this is a
node-side concern, not a helper defect, left as a follow-up per the plan's
Withheld-Path Decision. The test guards the helper's non-hang behavior and
surfaces the break if the assumption ever changes.
A code-review pass found the negotiation loop would POST once per bare `0000`
flush that carried no haves, so a malformed `wants + N*0000 + EOF` stream
amplified into N signed POSTs. Real git never sends a content-free mid-negotiation
flush and the peer is upstream of the local git process, so this was not
reachable in practice, but it left the loop unbounded per input. Skip a round
that carries no new haves (an empty flush) and only POST rounds with have content
or a terminator, which also makes the loop provably bounded by git's finite have
set. The fresh-clone done-with-no-haves round still POSTs.
Adds executed coverage for the negotiation branches the first pass left
unrun: an invalid pkt-line length (rejected, not underflowed), a non-EOF
read error (propagated, not swallowed as end-of-stream), an immediately
empty upload-pack request (skips the POST), a nonempty have-batch
terminated by EOF (POSTed as a final done round), and an empty
receive-pack body (skips the POST). Each was mutation-checked to fail
without its guard, so the coverage is load-bearing rather than vacuous.
@coderabbitai

coderabbitai Bot commented Jul 12, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: b279ab1d-716a-4bbd-a083-5c0bb2847dbe

📥 Commits

Reviewing files that changed from the base of the PR and between e3c322c and 4a3f59c.

⛔ Files ignored due to path filters (1)
  • Cargo.lock is excluded by !**/*.lock
📒 Files selected for processing (2)
  • crates/git-remote-gitlawb/Cargo.toml
  • crates/git-remote-gitlawb/tests/real_git_fetch.rs
🚧 Files skipped from review as they are similar to previous changes (1)
  • crates/git-remote-gitlawb/Cargo.toml

📝 Walkthrough

Walkthrough

The helper now supports multi-round git-upload-pack negotiation through stateless RPC, separates git-receive-pack handling, preserves per-round signing behavior, and adds unit and real-Git integration coverage for incremental fetches.

Changes

Upload-pack negotiation

Layer / File(s) Summary
Round parsing and stateless POST flow
crates/git-remote-gitlawb/src/main.rs
Upload-pack requests are split at flush, done, and EOF boundaries, with one stateless-RPC POST per round; receive-pack requests remain single complete bodies.
Signing and negotiation validation
crates/git-remote-gitlawb/src/main.rs
Tests cover accumulated request signing, round segmentation, public/private fetch behavior, denial handling, EOF shaping, and receive-pack edge cases.
End-to-end real Git fetch validation
crates/git-remote-gitlawb/tests/real_git_fetch.rs, crates/git-remote-gitlawb/Cargo.toml
A smart-HTTP shim and real Git subprocess tests exercise multi-round fetches, withheld first posts, timeouts, FETCH_HEAD, and repository integrity.

Estimated code review effort: 5 (Critical) | ~120 minutes

Sequence Diagram(s)

sequenceDiagram
  participant Git
  participant Helper
  participant HTTPShim
  participant UploadPack
  Git->>Helper: Send upload-pack negotiation round
  Helper->>HTTPShim: POST signed round
  HTTPShim->>UploadPack: Forward stateless request
  UploadPack-->>HTTPShim: ACK, NAK, or pack response
  HTTPShim-->>Helper: HTTP response
  Helper-->>Git: Stream negotiation response
  Git->>Helper: Send next round or done
Loading

Possibly related issues

Possibly related PRs

  • Gitlawb/node#80 — Both modify Phase-2 pack request construction and sending in main.rs.
  • Gitlawb/node#119 — Both modify Phase-2 upload-pack POST construction and signing behavior.
  • Gitlawb/node#137 — Both modify upload-pack connection handling and HTTP error propagation.

Suggested labels: kind:test

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly states the primary change: fixing multi-round fetch via a stateless-RPC client loop.
Description check ✅ Passed The description explains the bug, the stateless-RPC fix, verification, and follow-up, which covers the required template content.
Linked Issues check ✅ Passed The changes implement multi-round stateless-RPC negotiation with accumulated haves and ACK/NAK streaming, matching #117.
Out of Scope Changes check ✅ Passed The extra test harness and dev-dependency changes support the fetch fix and related regressions, with no unrelated scope visible.
Docstring Coverage ✅ Passed Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/issue-117-multiround-fetch-deadlock

Comment @coderabbitai help to get the list of available commands.

@beardthelion beardthelion added crate:git-remote git-remote-gitlawb — the git remote helper kind:bug Defect fix — wrong or unsafe behavior labels Jul 12, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (2)
crates/git-remote-gitlawb/src/main.rs (1)

301-336: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Duplicates post_pack_round's POST/status-check/forward logic.

Lines 313-334 re-implement almost exactly what post_pack_round (lines 502-533) does: build the signed POST, send, check status via http_error_message, read the response body, and forward it to stdout. Since post_pack_round already takes (client, post_url, service, signing_key, body, stdout) matching this call site's variables, the receive-pack path can just call it directly instead of duplicating the block.

♻️ Suggested refactor
     let mut request_body = Vec::new();
     stdin
         .read_to_end(&mut request_body)
         .context("reading receive-pack request")?;
     tracing::debug!("pack request: {} bytes from git", request_body.len());

     if request_body.is_empty() {
         // e.g., already up-to-date — nothing to send
         tracing::debug!("empty request body — skipping POST");
         return Ok(());
     }

-    tracing::debug!("POST {post_url} ({} bytes)", request_body.len());
-    let req = build_pack_post_request(&client, &post_url, service, &request_body, signing_key);
-
-    // Attach the body after signing so the pack bytes are moved, not cloned —
-    // packs can be large and the clone doubled peak memory on push.
-    let pack_resp = req
-        .body(request_body)
-        .send()
-        .with_context(|| format!("POST {post_url}"))?;
-
-    if !pack_resp.status().is_success() {
-        let status = pack_resp.status();
-        let body = read_error_body(pack_resp);
-        let path = format!("/{service}");
-        bail!("{}", http_error_message("POST", &path, status, &body, None));
-    }
-
-    let pack_bytes = pack_resp.bytes().context("reading pack response")?;
-    tracing::debug!("pack response: {} bytes from node", pack_bytes.len());
-
-    stdout.write_all(&pack_bytes)?;
-    stdout.flush()?;
-
-    Ok(())
+    post_pack_round(&client, &post_url, service, signing_key, request_body, &mut stdout)
 }

This keeps behavior identical (same log lines, same error path) while removing a divergence risk between the two copies.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@crates/git-remote-gitlawb/src/main.rs` around lines 301 - 336, Replace the
duplicated POST, status-check, response-reading, and stdout-forwarding block
after the empty-body guard with a direct call to post_pack_round, passing
client, post_url, service, signing_key, request_body, and stdout. Preserve the
existing request-body logging and empty-body early return while reusing
post_pack_round for the shared behavior.
crates/git-remote-gitlawb/tests/real_git_fetch.rs (1)

354-436: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Temp repos leak on assertion failure.

cleanup(&[server, clone]) (lines 387, 429) only runs if every prior assert!/assert_eq! in the test succeeds. A failed assertion (e.g. completed, fsck, or the FETCH_HEAD equality checks) panics before cleanup, leaking the unique_dir()-created server/clone repos (each with a real object DB) under the OS temp dir. Shim already avoids this class of leak for its own thread/listener via Drop (lines 111-126); the repo directories don't get the same RAII treatment.

♻️ Wrap temp dirs in an RAII guard so they're removed even on panic
struct TempDir(PathBuf);

impl std::ops::Deref for TempDir {
    type Target = Path;
    fn deref(&self) -> &Path {
        &self.0
    }
}

impl Drop for TempDir {
    fn drop(&mut self) {
        let _ = std::fs::remove_dir_all(&self.0);
    }
}

Then have unique_dir/build_divergent_repos return TempDir and drop the explicit cleanup(...) calls at the end of each test.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@crates/git-remote-gitlawb/tests/real_git_fetch.rs` around lines 354 - 436,
Introduce an RAII temporary-directory guard for paths created by unique_dir and
returned through build_divergent_repos, implementing path access and Drop to
remove each directory. Update both real_git_multi_round_fetch_completes and
real_git_withheld_shaped_first_post to use the guarded values and remove the
explicit cleanup calls, ensuring directories are deleted during assertion panics
as well as normal completion.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@crates/git-remote-gitlawb/tests/real_git_fetch.rs`:
- Around line 244-284: Update fetch_with_helper so the child’s stdout and stderr
are drained concurrently while the parent polls for completion, preventing
pipe-buffer backpressure from blocking git fetch. Preserve the existing
30-second timeout, kill-and-collect behavior, and boolean result semantics.

---

Nitpick comments:
In `@crates/git-remote-gitlawb/src/main.rs`:
- Around line 301-336: Replace the duplicated POST, status-check,
response-reading, and stdout-forwarding block after the empty-body guard with a
direct call to post_pack_round, passing client, post_url, service, signing_key,
request_body, and stdout. Preserve the existing request-body logging and
empty-body early return while reusing post_pack_round for the shared behavior.

In `@crates/git-remote-gitlawb/tests/real_git_fetch.rs`:
- Around line 354-436: Introduce an RAII temporary-directory guard for paths
created by unique_dir and returned through build_divergent_repos, implementing
path access and Drop to remove each directory. Update both
real_git_multi_round_fetch_completes and real_git_withheld_shaped_first_post to
use the guarded values and remove the explicit cleanup calls, ensuring
directories are deleted during assertion panics as well as normal completion.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 38d3b6d3-d10b-460c-b569-9017a993168a

📥 Commits

Reviewing files that changed from the base of the PR and between ad7c2b2 and 00e3f83.

📒 Files selected for processing (2)
  • crates/git-remote-gitlawb/src/main.rs
  • crates/git-remote-gitlawb/tests/real_git_fetch.rs

Comment thread crates/git-remote-gitlawb/tests/real_git_fetch.rs

@jatmn jatmn left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I found issues that need to be addressed before this is ready.

Findings

  • [P2] Do not convert an aborted negotiation into a done request
    crates/git-remote-gitlawb/src/main.rs:610
    A nonempty EOF is explicitly documented here as the case where Git aborted mid-negotiation, but it is combined with RoundEnd::Done, receives a synthetic 0009done\n, and is sent to the node. Cancelling a fetch after writing a partial have batch therefore still issues an authorized (and, for a private fetch, signed) upload-pack request, making the node generate and stream a pack to a client that has gone away. EOF should terminate the helper without a POST; only the actual done pkt should finalize the stateless request. The new nonempty_eof_batch_posts_as_final_round test currently locks in the incorrect behavior.

  • [P2] Drain the real Git child output while waiting for it
    crates/git-remote-gitlawb/tests/real_git_fetch.rs:266
    fetch_with_helper pipes both stdout and stderr, then only polls try_wait until the process exits. A fetch that emits more progress or error output than an OS pipe can hold blocks in Git before it exits, so this harness reaches its 30-second timeout and reports the protocol deadlock even when the helper is making progress. Drain both streams concurrently while enforcing the deadline (or do not pipe them) so the new load-bearing integration test can distinguish a real negotiation hang from pipe backpressure.

  • [P3] Make the integration-test repositories cleanup-safe
    crates/git-remote-gitlawb/tests/real_git_fetch.rs:356
    The server and clone directories are deleted only after every assertion succeeds. Any timeout, failed fetch, fsck failure, or panic exits before cleanup, leaving real Git repositories in the shared temporary directory; the predictable pid/counter names can also poison a later run if a pid is reused. Return RAII-owned temporary directories (or use tempfile) so cleanup runs while unwinding as well.

…git test harness (#192)

F1: a nonempty have-batch terminated by EOF means git aborted mid-negotiation, but
the fetch loop folded RoundEnd::Eof into the Done arm, appended a synthetic
0009done, and POSTed it — so a cancelled private fetch still issued an authorized,
signed upload-pack request and made the node generate and stream a full pack to a
client that had gone away. Split the arm: only a real done pkt finalizes; a
nonempty EOF terminates without a POST. The nonempty_eof_batch_posts_as_final_round
test that locked in the wrong behavior is flipped to assert no POST.

F2: fetch_with_helper piped stdout+stderr but only polled try_wait, so a fetch
emitting more than an OS pipe buffer (~64 KiB) blocked git before it exited and the
harness reported a false 30s deadlock. Drain both streams on reader threads while
enforcing the deadline, so the deadline measures a real protocol hang only.

F3: the integration repos were removed only on the success path (predictable
pid/counter names), so a timeout/panic leaked real git repos and could poison a
later run. Root them in a RAII tempfile::TempDir that drops on unwind.

RED->GREEN: nonempty_eof_batch_aborts_without_posting (pre-fix POSTs a synthetic
done → the aborted-negotiation POST fails against the single-response server; fixed
makes one request, no POST). repos_are_cleaned_up_on_unwind (temp dir gone after a
panic unwinds past the guard). Full git-remote-gitlawb suite 42 unit + 3 integration
green, fmt + clippy clean.
@beardthelion

Copy link
Copy Markdown
Collaborator Author

All three addressed on e3c322c.

Aborted EOF no longer POSTs (F1). The fetch loop folded RoundEnd::Eof into the Done arm, so a nonempty have-batch ending in EOF (git aborted mid-negotiation) got a synthetic 0009done and was POSTed, making the node generate and stream a pack to a client that had gone away. Split the arm: only a real done pkt finalizes the stateless request; a nonempty EOF terminates without a POST (the accumulated haves are discarded, there is no one to serve). The nonempty_eof_batch_posts_as_final_round test that locked in the old behavior is flipped to assert no POST.

Concurrent drain (F2). Factored the spawn/deadline logic into run_bounded, which now drains stdout and stderr on reader threads while enforcing the deadline, so a fetch emitting more than an OS pipe buffer can no longer block git before it exits and trip the timeout as a false deadlock. Covered by a load-bearing test: a child writing ~140 KiB to both streams completes under the drained runner and deadlocks (deadline trips) under the old try_wait-only one.

RAII cleanup (F3). The server and clone now live under a single tempfile::TempDir that drops on unwind, so a timeout, failed fetch, fsck failure, or panic cleans up while unwinding instead of leaking real repos; the randomized root also removes the predictable pid/counter naming. A catch_unwind test asserts the tree is gone after a mid-test panic.

Each fix is RED->GREEN with the guard reverted to confirm it is load-bearing.

@beardthelion beardthelion requested a review from jatmn July 14, 2026 00:19

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@crates/git-remote-gitlawb/tests/real_git_fetch.rs`:
- Around line 272-325: Update run_bounded so a timeout terminates the spawned
git fetch process and all descendant remote-helper processes, using
process-group termination or an equivalent descendant-reaping mechanism before
joining out_reader and err_reader. Preserve the existing completed result and
output collection behavior while ensuring inherited pipe handles are closed and
reader threads cannot hang.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 58807c87-026a-40d6-9bcf-6e2e1dfc5edd

📥 Commits

Reviewing files that changed from the base of the PR and between 00e3f83 and e3c322c.

⛔ Files ignored due to path filters (1)
  • Cargo.lock is excluded by !**/*.lock
📒 Files selected for processing (3)
  • crates/git-remote-gitlawb/Cargo.toml
  • crates/git-remote-gitlawb/src/main.rs
  • crates/git-remote-gitlawb/tests/real_git_fetch.rs
🚧 Files skipped from review as they are similar to previous changes (1)
  • crates/git-remote-gitlawb/src/main.rs

Comment thread crates/git-remote-gitlawb/tests/real_git_fetch.rs

@jatmn jatmn left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I found issues that need to be addressed before this is ready.

Findings

  • [P2] Kill the entire fetch process tree before joining the drainers
    crates/git-remote-gitlawb/tests/real_git_fetch.rs:305
    On the timeout path this kills only the top-level git fetch process and then joins the read_to_end threads. Its git-remote-gitlawb descendant inherits those stdout/stderr pipe FDs, so a helper stuck in its HTTP request keeps the pipes open after Git dies; the joins then wait for that helper's 300-second request timeout instead of returning the promised 30-second deadlock result. Start the fetch in a process group and terminate/reap that group (or otherwise reap descendants) before joining the readers. This is also the unresolved current-head CodeRabbit request.

  • [P2] Make the withheld-path integration test prove it reached the withheld response
    crates/git-remote-gitlawb/tests/real_git_fetch.rs:518
    The non-success branch accepts every prompt git fetch failure and only prints the observed POST count. A regression that fails before the helper sends the first request to the shim—for example a broken advertisement, helper lookup, or connection—therefore passes as the expected rejected filtered pack, so this new test no longer verifies the path it claims to record. Require at least one POST (and preferably assert the expected protocol failure when a failure remains acceptable) before accepting the nonzero exit.

…hheld guard load-bearing (#192)

Address jatmn's two P2 review findings on real_git_fetch.rs.

F1 (INV-22): run_bounded killed only the top-level `git fetch` on the
timeout path, so the git-remote-gitlawb helper descendant kept the
inherited stdout/stderr pipe write-ends open and the reader joins blocked
on the helper's ~300s HTTP timeout instead of the 30s deadline. Spawn the
child with process_group(0) and, on timeout, tear the whole group down
(SIGTERM, ESRCH poll, SIGKILL escalation, bounded cap, then reap) before
joining, mirroring gitlawb-node/src/git/smart_http.rs. libc is added as a
cfg(unix) dev-dep; non-unix keeps the child.kill() fallback so the
always-on test still compiles. New regression run_bounded_reaps_descendants_holding_the_pipe:
a backgrounded sleep inherits the pipe and outlives a 1s-deadline leader;
reverting to a leader-only kill turns it RED (elapsed ~10s).

F2 (INV-21): the non-success branch of real_git_withheld_shaped_first_post
accepted any `git fetch` failure and only printed the POST count, so a
failure before the first POST (broken advertisement, helper lookup,
connection) passed as the expected withheld rejection. Assert posts >= 1
before accepting the nonzero exit. Forcing a pre-POST failure (0 POSTs)
turns the assertion RED.
@beardthelion

Copy link
Copy Markdown
Collaborator Author

@jatmn both P2s addressed in 4a3f59c, each verified RED/GREEN by execution.

F1 (kill the whole process tree before joining): run_bounded now spawns with process_group(0) and, on the timeout branch, tears the whole group down (SIGTERM, ESRCH poll on kill(-pgid, 0), SIGKILL escalation after a grace, bounded cap, then reap) before joining the readers. That closes the git-remote-gitlawb descendant's inherited pipe write-ends too, so the joins return at the 30s deadline instead of the helper's ~300s HTTP timeout. Mirrors gitlawb-node/src/git/smart_http.rs; libc added as a cfg(unix) dev-dep, non-unix keeps the child.kill() fallback. New regression run_bounded_reaps_descendants_holding_the_pipe: reverting to the leader-only kill makes it RED (readers block ~10s on a backgrounded descendant holding the pipe), green with the group teardown.

F2 (prove the withheld test reached the withheld response): the non-success branch now asserts posts >= 1 before treating a nonzero exit as the withheld rejection, so a failure before the first POST (broken advertisement, helper lookup, connection) can no longer masquerade as the expected rejection. Forcing a pre-POST failure (fetch against a dead URL, 0 POSTs) makes the new assert fire; the real shim run stays green.

Full crate green (42 unit + 5 integration), fmt and workspace clippy clean.

@beardthelion beardthelion requested a review from jatmn July 15, 2026 13:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

crate:git-remote git-remote-gitlawb — the git remote helper kind:bug Defect fix — wrong or unsafe behavior

Projects

None yet

Development

Successfully merging this pull request may close these issues.

git-remote-gitlawb deadlocks on incremental (multi-round) fetch

2 participants