dirstate: add small asserts for double security We don't need this, but it does not hurt.

dirstate: simplify the invalidation management on context exit Since the `invalidate` call will directly reset the `_invalidated_context` attribut, we can simplify the code. In the same go, we move most of the logic out of the `finally` clause. It seems cleaner and safer. If we are handling an exception, we don't need the `write` code anyway.

dirstate: use the new `check_invalidated` decorator for `_changing` WeeeEEeee, less code.

dirstate: introduce a check_invalidated decorator This is a common need, so let us consolidate it to simplify the code.

dirstate: warn if dirty when starting an edition The dirstate should be clean before we start changing it. Otherwise we might write unrelated changes. Having a dirty dirstate laying around is also suspicious. This is similar to what we do when opening a new transaction, but this time this affect dirstate changes outside of a transaction.

large-files: make sure we write newly initialized standin file early Any changing context will have to initialized it before anything else. Not flushing the default (pre-change) content mean we would enter the changing context with a dirty dirstate, which is odd.

dirstate: mark `clear` and `rebuild` as `require_changing_parents` Yeah, more scoping!

dirstate: add a comment about the semantic of `dirstate.clear` This method is weird, lets flag it as such.

debugrebuildstate: wrap the operation in a `changing_parents` context This ismaybe a "changing_files" case? However this would be the only usage of `rebuild` outside a `changing_parents` context and this is a debug command, so lets not make the code base more complex because of that one command.

strip: use a `changing_parents` context for --keep update These are now properly scoped. note: it would be neat to reuse this in `hg rollback`.

mq: wrap the dirstate's rebuild in a `changing_parents` context This code is dealing with `qreshesh` failure. In that case the working copy will be left on the parent of the refreshed patch, so the parents are changing and `changing_parents` make sens.

lfconvert: use a `changing_parents` context to clear the dirstate Not sure if this is the right context, but it works and it is consistent with the other usages of `dirstate.clear`.

dirstate: mark the `copy` method as requiring a `changing_any` context This is used both when changing parents (e.g. merging with rename) and changing files (e.g. running `hg rename`).

dirstate: add a `require_changing_any` decorator We will need it for a couple of usecase (e.g `dirstate.copy`).

rebase: scope parent change into a changing_parents context If we are actually altering the working copy (i.e. we are not in memory), we should properly scope the working copy update.

dirstate: requires being in a `changing_parents` `context to set_parents` Enforcing proper operation scoping on all methods that mutate the dirstate will tighten correctness and reduce the risk of bugs. The context to use for this method is obvious, and all code was already compliant ☺

dirstate: invalidate on all exceptions Previously, we would miss SystemExit, KeyboardInterrupt etc. This "fix" on the bug tested in "test-largefiles-update.t" by preventing the precisely tested situation to happens at all. However this reveal a similar bug with a different timing. I have not been able to deal with that pre-existing bug so far. So I updated the test to point that out.

large-files: prepare a test for more changes The behavior around this test is about to change. We update the test to make it more robust and the changes clearer.

large-files: larger "changing_parents" context in mergeupdate override This since we are updating the lfdirstate early, it seems reasonable to include the full function in that scope.

large-files: use `hacky_extension_update_file` one more time This override is about merging and can be used in a `changing_parents` context. So lets use the method dedicated to hacky stuff when doing hacky stuff.

typing: disable `signature-mismatch` warnings on a few bytestr functions Recent versions of pytype complain about this, but it seems like expected behavior.

rust: upgrade minimum `rayon` dependency The 1.6.0 and 1.6.1 releases fixes a soundness issue and a performance issue that are both important to us, since both correctness and performance are paramount in the Rust extensions.

branching: merge with stable

test-chg: use a different log to avoid flakyness The test was deleting the log file to start anew. However a trailing working process might still be alive at this time, and recreate the very same log on exit. We see the trace of such worker in the expected content of server.log (see the trace modified by this patch). This is flaky because we don't know *when* the worker will write to the file and there is a race with the `hg init cached` command. A much simpler and reliable way to start anew without having such race is… to write to a different log file. No reuse → no conflict, no conflict → no race, no race → no flakiness.

dirstate-v2: complain early on docket name collision The alternative is that the dirstate gets deleted so the corruption persists and is hard to investigate. This happened to me in tests, where the dirstate names are taken from file, since the file got reverted. I expect this can also happen in prod with non-trivial probability (1/4 billion).

rhg: fix a bug in path_encode This makes rhg able to access long paths at the root of the tree just fine.

rhg: demonstrate a bug in path_encode The bug means that long filenames at the root of the tree are encoded incorrectly by rhg, so rhg crashes when trying to access them.

rhg: nicer error message

setup: further improve the error path for version retrieval This is a new take at the problem that 8d390a13474d tried to tackle. There was two issues after that previous improvement: - the 0.0+ version could survive a bit too long and reaching the installer version and staying there. - multiple use case where still failing. So the new code is better at: - always succeeding when running `make local` so that we can bootstrap a local version - no using that fallback outside of `make local` to avoid distribution of version with the buggy version number. The setup.py is a gigantic pile of spaghetti code, to the point where pastafarian pilgrim started knocking at its core. However I refrained from cleaning that up since the more to a `setup.cfg` means this code should be deleted soon™.

typing: add type hints to argument checking functions in cmdutil These might be surprising, since they can take strings instead of bytes. The way `AnyStr` works is that it must be all bytes or all str for any given invocation. The wildcard here will be the `opts` that get passed in- if the type is unknown and defaults to `Any`, there's no enforcement that the dict key type matches the additional args. But a lot of uses should be using `**opts` from the command method, which has a str key. The uses of these methods in this module are now typed because their internals force a specific type, and it can't just be inferred from the caller.

tag: move the prohibition of tagging the `null` rev up to the `wdir()` check It makes sense to do these together, and avoid another revision lookup.

branching: merge with default the first part of the fix is there

dirstate: handle missing backup file on restoration This is the stable counter part to e358f6e0e50e. Since 6.4 will stop writing undo.dirstate in some case (actually… at all), a transaction created with 6.4 and recover/rolledback with 6.3 need to work to a certain degreee. This changeset add the necessary bits so that we don't get a traceback from 6..3 in this cases.

tests: remove unnecessary --traceback argument

tag: disallow tagging the working directory It's kinda silly, but a clear error message is better than a stacktrace about subscripting `None` when trying to generate the default commit message. I'm surprised that `.revsingle(..).node()` returns None instead of `nodemod.wdirid`, but now there's a test to catch if this changes.

dirstate: remove the dedicated backup logic When alone, the dirstate can now take care of its commit/rollback pattern itself. When in a transaction, the transaction deal with commit/rollback pattern quite fine. Why did you have a dedicated backup logic?

localrepo: stop doing special dirstate backup at transaction open Since the dirstate writes are already managed by the transaction, we already do a backup of the dirstate when necessary (and even trigger one to keep `hg rollback` happy). We needs some special code to deal with the initial empty checkout, but it is not too complicated. Managing variable filename (as dirstate-v2 uses) at the "journalfile" level, is complex and fragile (which is consistent with the fact these files are not journal…). If we no longer do it, our life is significantly simpler. In some sense, we apply the xkcd-1134¹ solution to our savebackup/restorebackup problem. [1] https://xkcd.com/1134/ (the change to test-hardlink are expect as decreasing the number of duplicated backup drive the hardlink count down)

localrepo: "blindly" do a dirstate backup at the end of the transaction Having the file backup mechanism dealing with file backup as benefit. So lets move closer to that. The fact `hg rollback` even needs this is sad. I hope to have the time to implement one of the alternative soon.

test-hardlink: stop explicitly listing `undo.dirstate` The files is on its way out.

localrepo: enforce a clean dirstate when the transaction open This is important to simplify the backup process. This also seems like a quite reasonable expectation. See inline documentation for details.

dirstate: explicitly backup the datafile Since the transaction does not know about this file, we need to explicitly mark it for backup before touching it.

mq: write the dirstate before stripping I am not certain why it is dirty (probably the `repo.setparent` call a right before. However I know we need it flushed before the repository starts to be stripped.

dirstate: simplify the shelve hack to not go through the disk We already have the data in memory, so why not simply keep the data in memory? This avoid abusing the `savebackup/restorebackup` logic and will make our life easier.

dirstate: detect potential fishy transaction patterns while changing If we rely on the transaction more, we should be more careful about the transaction. Adding extra security seems reasonable.

dirstate: generalize the dirstate's invalidation on transaction abort The previous code was too specific, we should add the invalidation at next to the `addfilegenerator` in the `write` call.

dirstate: simplify some methods' decorator Since `changing_parents` and `changing_files` are mutually exclusive, having both `@requires_changing_files` and `@requires_not_changing_parents` on a method is redundant.

dirstate: document the functions that need consolidation They are more functions that make the dirstate dirty but does not currently enforce a clean change scoping, we add comments in front of each of them so clarify this. There is no urgency to it, but the world will be a better place when all of them have proper scoping in place.

dirstate: make `restorebackup` more robust when it is a noop If there are no data_file, we might not be able to determine its filename. Which can be safely ignored. (all this code is on the way out anyway)

test: fix the flakyness in test-remotefilelog-local.t I now get about 80% of my `test-chg` CI run that fails on flakyness in this tests. It turns out this is only ambiguous status that end up doing file download. So… calling status early will do that potential download separately and the calls we scrutinize during that test will be just fine.

dirstate-guard: remove the feature The dirstate guard duplicated some of the logic already implemented in the transaction (and now the changing_* context). However the feature was incomplete, for example, living only in memory meant we could not recover from the hardest crash. In addition this duplicated with the transaction logic meant things could go out of sync or step on each other. Removing the feature now that we no longer needs it seems the safest.

rollback: remove the dirstateguard usage Thanks to the previous changeset, we no longer needs it. begone !

rollback: explicitly skip dirstate rollback when applicable instead of letting the transaction logic overwrite the dirstate and then overwrite that overwrite with a backup. We simply do not restore the dirstate related file during the _playback call. This open the way to removing the last dirstate guard usage.

rollback: detect "parentgone" case earlier Detecting this earlier will help us to affect the rollback process sooner, which will help the next changesets. To keep things simple, we degrade the behavior a bit when the `undo.desc` is missing. However since `hg rollback` is not supposed to be used and the `undo.desc` file have been introduced in mercurial 1.6 (2010). I think this is an acceptable evil.

rollback: avoid a `hg commit --addremove` at a critical point The rollback behavior around `hg commit --addremove` has changed slightly. It does not really matters here but keeping that variant out of the way cannot hurt.

rollback: display some graphlog before/after a test piece This make the situation clearer.

rollback: show that the safety works in a associated test That test section is checking that --force is overcoming the safety check, however we did not check that the safety properly detect the situation. We now do for clarity.

dirstate-guard: remove its usage in `backout` We can simply replace it with a transaction.

dirstate-guard: remove the usage in `import` It is now redundant with the transaction spawning the same scope.

dirstate-guard: replace a usage in `rebase` with a transaction Opening the transaction sooner will provide us with the same benefit.

dirstate-guard: remove usage in `rebase` Now that the dirstate change and write are clearer, it does not seems we need to use a dirstate-guard here anymore. The transaction already wrap the full operation.