review

codex · Byron · Byron · commit 8606b7a99220 · 2026-05-12T16:45:07.000+08:00
Co-authored-by: Sebastian Thiel &lt;sebastian.thiel@icloud.com&gt;
diff --git a/gix/src/clone/access.rs b/gix/src/clone/access.rs
@@ -73,12 +73,7 @@ impl PrepareFetch {
 impl Drop for PrepareFetch {
     fn drop(&mut self) {
         if let Some(repo) = self.repo.take() {
-            if self.destination_was_empty {
-                std::fs::remove_dir_all(repo.workdir().unwrap_or_else(|| repo.path())).ok();
-            } else {
-                // The destination held pre-existing user files; only remove the `.git` we created.
-                std::fs::remove_dir_all(repo.path()).ok();
-            }
+            super::cleanup_clone_destination_on_drop(&repo, self.remove_worktree_on_drop);
         }
     }
 }
diff --git a/gix/src/clone/checkout.rs b/gix/src/clone/checkout.rs
@@ -171,12 +171,7 @@ impl PrepareCheckout {
 impl Drop for PrepareCheckout {
     fn drop(&mut self) {
         if let Some(repo) = self.repo.take() {
-            if self.destination_was_empty {
-                std::fs::remove_dir_all(repo.workdir().unwrap_or_else(|| repo.path())).ok();
-            } else {
-                // The destination held pre-existing user files; only remove the `.git` we created.
-                std::fs::remove_dir_all(repo.path()).ok();
-            }
+            super::cleanup_clone_destination_on_drop(&repo, self.remove_worktree_on_drop);
         }
     }
 }
diff --git a/gix/src/clone/fetch/mod.rs b/gix/src/clone/fetch/mod.rs
@@ -318,7 +318,7 @@ impl PrepareFetch {
             crate::clone::PrepareCheckout {
                 repo: repo.into(),
                 ref_name: self.ref_name.clone(),
-                destination_was_empty: self.destination_was_empty,
+                remove_worktree_on_drop: self.remove_worktree_on_drop,
             },
             fetch_outcome,
         ))
diff --git a/gix/src/clone/mod.rs b/gix/src/clone/mod.rs
@@ -42,9 +42,8 @@ pub struct PrepareFetch {
     /// The name of the reference to fetch. If `None`, the reference pointed to by `HEAD` will be checked out.
     #[cfg_attr(not(feature = "blocking-network-client"), allow(dead_code))]
     ref_name: Option<gix_ref::PartialName>,
-    /// `true` iff the destination directory was empty (or did not exist) when this handle was created.
-    /// When `false`, drop will avoid removing pre-existing user files and only clean up the `.git` we created.
-    destination_was_empty: bool,
+    /// If `true`, drop removes the entire worktree. Otherwise leave it alone.
+    remove_worktree_on_drop: bool,
 }
 
 /// The error returned by [`PrepareFetch::new()`].
@@ -110,10 +109,12 @@ impl PrepareFetch {
         }
 
         // Capture this before init_opts creates `.git`, otherwise the check below would see our own files.
-        let destination_was_empty = match std::fs::read_dir(path) {
+        let remove_worktree_on_drop = match std::fs::read_dir(path) {
             Ok(mut entries) => entries.next().is_none(),
-            // Non-existent (or unreadable) — init_opts will create the directory.
-            Err(_) => true,
+            // Non-existent destinations will be created by init_opts.
+            Err(err) if err.kind() == std::io::ErrorKind::NotFound => true,
+            // If we can't verify emptiness, keep cleanup conservative and leave the destination untouched.
+            Err(_) => false,
         };
 
         let mut repo = crate::ThreadSafeRepository::init_opts(path, kind, create_opts, open_opts)?.to_thread_local();
@@ -135,7 +136,7 @@ impl PrepareFetch {
             configure_connection: None,
             shallow: remote::fetch::Shallow::NoChange,
             ref_name: None,
-            destination_was_empty,
+            remove_worktree_on_drop,
         })
     }
 }
@@ -150,9 +151,21 @@ pub struct PrepareCheckout {
     pub(self) repo: Option<crate::Repository>,
     /// The name of the reference to check out. If `None`, the reference pointed to by `HEAD` will be checked out.
     pub(self) ref_name: Option<gix_ref::PartialName>,
-    /// `true` iff the destination directory was empty (or did not exist) when the parent [`PrepareFetch`] was created.
-    /// When `false`, drop must avoid removing pre-existing user files and only clean up the `.git` we created.
-    pub(self) destination_was_empty: bool,
+    /// If `true`, drop removes the entire worktree. Otherwise leave it alone.
+    pub(self) remove_worktree_on_drop: bool,
+}
+
+fn cleanup_clone_destination_on_drop(repo: &crate::Repository, remove_worktree_on_drop: bool) {
+    let path_to_remove = if remove_worktree_on_drop {
+        Some(repo.workdir().unwrap_or_else(|| repo.path()))
+    } else {
+        // The destination held pre-existing user files. Leave everything, including the `.git` we created,
+        // so the user can inspect or clean up the partially cloned repository with Git tooling.
+        None
+    };
+    if let Some(path_to_remove) = path_to_remove {
+        std::fs::remove_dir_all(path_to_remove).ok();
+    }
 }
 
 // This module encapsulates functionality that works with both feature toggles. Can be combined with `fetch`
diff --git a/gix/src/create.rs b/gix/src/create.rs
@@ -108,16 +108,20 @@ fn create_dir(p: &Path) -> Result<(), Error> {
 }
 
 /// Options for use in [`into()`];
-#[derive(Copy, Clone, Default)]
+#[derive(Copy, Default, Clone)]
 pub struct Options {
     /// Control whether the destination directory must be empty when creating a repository with a worktree.
     ///
-    /// - `None` (default): worktree repos may be initialized into a non-empty directory as long as no `.git`
-    ///   directory is present. [`crate::clone::PrepareFetch::new`] interprets `None` as `Some(true)` to preserve
-    ///   the historical strict-by-default behavior for clones.
+    /// - `None` (default): initialize like Git and allow a non-empty destination directory, as long as no `.git`
+    ///   directory is present.
     /// - `Some(true)`: require an empty destination directory.
-    /// - `Some(false)`: explicitly allow initialization into a non-empty destination directory (still requires
-    ///   that no `.git` directory is present).
+    /// - `Some(false)`: explicitly allow initialization into a non-empty destination directory (still requires that no
+    ///   `.git` directory is present).
+    ///
+    /// For clones, checkout failure cleanup is based on whether the destination was already present and non-empty before
+    /// initialization began, not on this option alone. In particular, if the destination was empty or had to be created,
+    /// cleanup may remove the entire destination, including the created `.git` directory. Preservation of the destination
+    /// for inspection or manual cleanup is only guaranteed when the destination was non-empty before the clone started.
     ///
     /// Bare repositories always require an empty destination, regardless of this option.
     pub destination_must_be_empty: Option<bool>,
diff --git a/gix/src/init.rs b/gix/src/init.rs
@@ -42,8 +42,10 @@ pub enum Error {
 impl ThreadSafeRepository {
     /// Create a repository with work-tree within `directory`, creating intermediate directories as needed.
     ///
-    /// Fails without action if there is already a `.git` repository inside of `directory`, but
-    /// won't mind if the `directory` otherwise is non-empty.
+    /// Fails without action if the destination directory isn't empty unless
+    /// [`create::Options::destination_must_be_empty`][crate::create::Options::destination_must_be_empty] is `None`
+    /// or `Some(false)`. Note that initialization still fails if a `.git` directory already exists in
+    /// the destination.
     pub fn init(
         directory: impl AsRef<Path>,
         kind: crate::create::Kind,
diff --git a/gix/tests/fixtures/generated-archives/make_clone_destinations.tar b/gix/tests/fixtures/generated-archives/make_clone_destinations.tar
diff --git a/gix/tests/fixtures/make_clone_destinations.sh b/gix/tests/fixtures/make_clone_destinations.sh
@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+set -eu -o pipefail
+
+mkdir non-empty
+printf "Pre-existing user content.\n" > non-empty/existing.txt
+
+mkdir non-empty-with-conflicting-file
+printf "Pre-existing user content.\n" > non-empty-with-conflicting-file/file
+
+cp -R non-empty non-empty-with-dot-git
+mkdir non-empty-with-dot-git/.git
+printf "ref: refs/heads/pre-existing\n" > non-empty-with-dot-git/.git/HEAD
diff --git a/gix/tests/gix/clone.rs b/gix/tests/gix/clone.rs
@@ -20,6 +20,9 @@ mod blocking_io {
     use gix_ref::TargetRef;
     use gix_refspec::parse::Operation;
 
+    const EXISTING_CONTENT: &[u8] = b"Pre-existing user content.\n";
+    const EXISTING_HEAD_CONTENT: &[u8] = b"ref: refs/heads/pre-existing\n";
+
     fn shallow_ids(repo: &gix::Repository, expected: &'static str) -> crate::Result<Vec<gix::ObjectId>> {
         let commits = repo.shallow_commits()?.expect(expected);
         Ok(std::iter::once(commits.head)
@@ -587,14 +590,13 @@ mod blocking_io {
 
     #[test]
     fn fetch_and_checkout_into_non_empty_directory() -> crate::Result {
-        let tmp = gix_testtools::tempfile::TempDir::new()?;
-        let existing_path = tmp.path().join("existing.txt");
-        let existing_content = b"I was here before you";
-        std::fs::write(&existing_path, existing_content)?;
+        let fixture = gix_testtools::scripted_fixture_writable("make_clone_destinations.sh")?;
+        let destination = fixture.path().join("non-empty");
+        let existing_path = destination.join("existing.txt");
 
         let mut prepare = gix::clone::PrepareFetch::new(
             remote::repo("base").path(),
-            tmp.path(),
+            &destination,
             gix::create::Kind::WithWorktree,
             gix::create::Options {
                 destination_must_be_empty: Some(false),
@@ -610,20 +612,94 @@ mod blocking_io {
         assert_eq!(index.entries().len(), 1, "All entries are known as per HEAD tree");
         assure_index_entries_on_disk(&index, repo.workdir().expect("non-bare"));
 
-        assert_eq!(std::fs::read(&existing_path)?, existing_content);
+        assert_eq!(std::fs::read(&existing_path)?, EXISTING_CONTENT);
         Ok(())
     }
 
     #[test]
-    fn drop_after_failed_fetch_into_non_empty_directory_preserves_pre_existing_files() -> crate::Result {
-        let tmp = gix_testtools::tempfile::TempDir::new()?;
-        let existing_path = tmp.path().join("existing.txt");
-        let existing_content = b"I was here before you";
-        std::fs::write(&existing_path, existing_content)?;
+    fn fetch_and_checkout_into_non_empty_directory_does_not_overwrite_pre_existing_tracked_file() -> crate::Result {
+        let fixture = gix_testtools::scripted_fixture_writable("make_clone_destinations.sh")?;
+        let destination = fixture.path().join("non-empty-with-conflicting-file");
+        let existing_path = destination.join("file");
+        let remote_file_content = std::fs::read(remote::repo("base").workdir().expect("non-bare").join("file"))?;
+        assert_ne!(
+            EXISTING_CONTENT, remote_file_content,
+            "the fixture must differ from the file that checkout would write"
+        );
 
         let mut prepare = gix::clone::PrepareFetch::new(
             remote::repo("base").path(),
-            tmp.path(),
+            &destination,
+            gix::create::Kind::WithWorktree,
+            gix::create::Options {
+                destination_must_be_empty: Some(false),
+                ..Default::default()
+            },
+            restricted(),
+        )?;
+        let (mut checkout, _out) = prepare.fetch_then_checkout(gix::progress::Discard, &AtomicBool::default())?;
+        let (repo, outcome) = checkout.main_worktree(gix::progress::Discard, &AtomicBool::default())?;
+
+        assert_eq!(
+            std::fs::read(&existing_path)?,
+            EXISTING_CONTENT,
+            "checkout must not overwrite the pre-existing tracked path"
+        );
+        assert_eq!(repo.index()?.entries().len(), 1, "the index is still written");
+        assert_eq!(
+            outcome.collisions,
+            [gix_worktree_state::checkout::Collision {
+                path: BString::from("file"),
+                error_kind: std::io::ErrorKind::AlreadyExists
+            }],
+            "the pre-existing tracked path is reported as a normal checkout collision"
+        );
+        Ok(())
+    }
+
+    #[test]
+    fn fetch_and_checkout_into_non_empty_directory_with_existing_dot_git_is_rejected() -> crate::Result {
+        let fixture = gix_testtools::scripted_fixture_writable("make_clone_destinations.sh")?;
+        let destination = fixture.path().join("non-empty-with-dot-git");
+        let existing_path = destination.join("existing.txt");
+        let dot_git = destination.join(".git");
+        let head_path = dot_git.join("HEAD");
+
+        let err = gix::clone::PrepareFetch::new(
+            remote::repo("base").path(),
+            &destination,
+            gix::create::Kind::WithWorktree,
+            gix::create::Options {
+                destination_must_be_empty: Some(false),
+                ..Default::default()
+            },
+            restricted(),
+        )
+        .map(drop)
+        .expect_err("an existing .git directory must not be reused for clone");
+
+        assert!(
+            matches!(
+                err,
+                gix::clone::Error::Init(gix::init::Error::Init(gix::create::Error::DirectoryExists { ref path }))
+                    if *path == dot_git
+            ),
+            "unexpected error: {err}"
+        );
+        assert_eq!(std::fs::read(&existing_path)?, EXISTING_CONTENT);
+        assert_eq!(std::fs::read(&head_path)?, EXISTING_HEAD_CONTENT);
+        Ok(())
+    }
+
+    #[test]
+    fn drop_after_failed_fetch_into_non_empty_directory_preserves_destination() -> crate::Result {
+        let fixture = gix_testtools::scripted_fixture_writable("make_clone_destinations.sh")?;
+        let destination = fixture.path().join("non-empty");
+        let existing_path = destination.join("existing.txt");
+
+        let mut prepare = gix::clone::PrepareFetch::new(
+            remote::repo("base").path(),
+            &destination,
             gix::create::Kind::WithWorktree,
             gix::create::Options {
                 destination_must_be_empty: Some(false),
@@ -640,12 +716,12 @@ mod blocking_io {
 
         assert_eq!(
             std::fs::read(&existing_path)?,
-            existing_content,
+            EXISTING_CONTENT,
             "pre-existing user files must survive a failed clone+drop"
         );
         assert!(
-            !tmp.path().join(".git").exists(),
-            "only the .git directory we created should have been cleaned up"
+            destination.join(".git").is_dir(),
+            "the .git directory we created should remain for user cleanup"
         );
         Ok(())
     }
@@ -899,21 +975,21 @@ fn clone_and_destination_must_be_empty() -> crate::Result {
 
 #[test]
 fn clone_with_worktree_and_destination_must_be_empty() -> crate::Result {
-    let tmp = gix_testtools::tempfile::TempDir::new()?;
-    std::fs::write(tmp.path().join("file"), b"hello")?;
-    match gix::clone::PrepareFetch::new(
+    let fixture = gix_testtools::scripted_fixture_writable("make_clone_destinations.sh")?;
+    let destination = fixture.path().join("non-empty");
+    let err = gix::clone::PrepareFetch::new(
         remote::repo("base").path(),
-        tmp.path(),
+        &destination,
         gix::create::Kind::WithWorktree,
         Default::default(),
         restricted(),
-    ) {
-        Ok(_) => unreachable!("this should fail as the directory isn't empty"),
-        Err(err) => assert!(
-            err.to_string()
-                .starts_with("Refusing to initialize the non-empty directory as ")
-        ),
-    }
+    )
+    .map(drop)
+    .expect_err("this should fail as the directory isn't empty");
+    assert!(
+        err.to_string()
+            .starts_with("Refusing to initialize the non-empty directory as ")
+    );
     Ok(())
 }
 
diff --git a/gix/tests/gix/init.rs b/gix/tests/gix/init.rs
@@ -164,7 +164,32 @@ mod non_bare {
     }
 
     #[test]
-    fn init_into_non_empty_directory_is_not_allowed_if_option_is_set_as_used_for_clone() -> crate::Result {
+    fn init_into_non_empty_directory_is_allowed_if_option_is_none_or_false() -> crate::Result {
+        for destination_must_be_empty in [None, Some(false)] {
+            let tmp = tempfile::tempdir()?;
+            std::fs::write(tmp.path().join("existing.txt"), b"I was here before you")?;
+            let repo: gix::Repository = gix::ThreadSafeRepository::init_opts(
+                tmp.path(),
+                gix::create::Kind::WithWorktree,
+                gix::create::Options {
+                    destination_must_be_empty,
+                    ..Default::default()
+                },
+                gix::open::Options::isolated(),
+            )?
+            .into();
+            assert_eq!(repo.workdir().expect("present"), tmp.path());
+            assert_eq!(
+                repo.git_dir(),
+                tmp.path().join(".git"),
+                "gitdir is inside of the workdir"
+            );
+        }
+        Ok(())
+    }
+
+    #[test]
+    fn init_into_non_empty_directory_is_not_allowed_if_option_is_true() -> crate::Result {
         let tmp = tempfile::tempdir()?;
         std::fs::write(tmp.path().join("existing.txt"), b"I was here before you")?;
 
@@ -184,19 +209,4 @@ mod non_bare {
         );
         Ok(())
     }
-
-    #[test]
-    fn init_into_non_empty_directory_is_allowed_by_default() -> crate::Result {
-        let tmp = tempfile::tempdir()?;
-        std::fs::write(tmp.path().join("existing.txt"), b"I was here before you")?;
-
-        let repo = gix::init(tmp.path())?;
-        assert_eq!(repo.workdir().expect("present"), tmp.path());
-        assert_eq!(
-            repo.git_dir(),
-            tmp.path().join(".git"),
-            "gitdir is inside of the workdir"
-        );
-        Ok(())
-    }
 }

Original file line number	Diff line number	Diff line change
`@@ -73,12 +73,7 @@ impl PrepareFetch {`
`73`	`73`	`impl Drop for PrepareFetch {`
`74`	`74`	`fn drop(&mut self) {`
`75`	`75`	`if let Some(repo) = self.repo.take() {`
`76`		`- if self.destination_was_empty {`
`77`		`- std::fs::remove_dir_all(repo.workdir().unwrap_or_else(\|\| repo.path())).ok();`
`78`		`- } else {`
`79`		- // The destination held pre-existing user files; only remove the `.git` we created.
`80`		`- std::fs::remove_dir_all(repo.path()).ok();`
`81`		`- }`
	`76`	`+ super::cleanup_clone_destination_on_drop(&repo, self.remove_worktree_on_drop);`
`82`	`77`	`}`
`83`	`78`	`}`
`84`	`79`	`}`
Original file line number	Diff line number	Diff line change
`@@ -171,12 +171,7 @@ impl PrepareCheckout {`
`171`	`171`	`impl Drop for PrepareCheckout {`
`172`	`172`	`fn drop(&mut self) {`
`173`	`173`	`if let Some(repo) = self.repo.take() {`
`174`		`- if self.destination_was_empty {`
`175`		`- std::fs::remove_dir_all(repo.workdir().unwrap_or_else(\|\| repo.path())).ok();`
`176`		`- } else {`
`177`		- // The destination held pre-existing user files; only remove the `.git` we created.
`178`		`- std::fs::remove_dir_all(repo.path()).ok();`
`179`		`- }`
	`174`	`+ super::cleanup_clone_destination_on_drop(&repo, self.remove_worktree_on_drop);`
`180`	`175`	`}`
`181`	`176`	`}`
`182`	`177`	`}`