[PATCH 0/4] Make update_refs more atomic V2

[PATCH 0/4] Make update_refs more atomic V2

[Ronnie Sahlberg]

refs.c:update_refs() intermingles doing updates and checks with actually
applying changes to the refs in loops that abort on error.
This is done one ref at a time and means that if an error is detected that
will fail the operation after only some of the ref operations have been
been updated on the disk.

These patches change the update and delete functions to use a three
call pattern of

1, lock
2, update, or flag for deletion
3, apply on disk

In the final patch I change update_refs to perform these actions in three
separate loops where the final loop to 'apply on disk' all the changes will
only be performed if there were no error conditions detected during any of
previous loops.

This should make the changes of refs in update_refs slightly more atomic.


This may overlap with other current patch series for making refs updates
more atomic which may mean these patches become obsolete, but I would still
like some review and feedback on these changes.

Version 2:
Updates and fixes based on Junio's feedback.
* Fix the subject line for patches so they comply with the project standard.
* Redo the update/delete loops so that we maintain the correct order of
  operations. Perform all updates first, then perform the deletes.
* Add an additional patch that allows us to do the update/delete in the correct
  order from within a single loop by first sorting the refs so that deletes
  are after all non-deletes.


Ronnie Sahlberg (4):
  refs.c: split writing and commiting a ref into two separate functions
  refs.c: split delete_ref_loose() into a separate flag-for-deletion and
    commit phase
  refs.c: change update_refs to run the commit loops once all work is
    finished
  refs.c: sort the refs by new_sha1 and merge the two update/delete
    loops into one

 branch.c               |  10 ++++-
 builtin/commit.c       |   5 +++
 builtin/fetch.c        |   7 +++-
 builtin/receive-pack.c |   4 ++
 builtin/replace.c      |   6 ++-
 builtin/tag.c          |   6 ++-
 fast-import.c          |   7 +++-
 refs.c                 | 102 +++++++++++++++++++++++++++++++++----------------
 refs.h                 |   6 +++
 sequencer.c            |   4 ++
 walker.c               |   4 ++
 11 files changed, 123 insertions(+), 38 deletions(-)

-- 
1.9.1.478.ga5a8238.dirty

[PATCH 1/4] refs.c: split writing and commiting a ref into two separate functions

[Ronnie Sahlberg]

Change the function write_ref_sha1() to just write the ref but not
commit the ref or the lockfile.
Add a new function commit_ref_lock() that will commit the change done by
a previous write_ref_sha1().
Update all callers of write_ref_sha1() to call commit_ref_lock().

The new pattern for updating a ref is now :

lock = lock_ref_sha1_basic() (or varient of)
write_ref_sha1(lock)
unlock_ref(lock) | commit_ref_lock(lock)

Once write_ref_sha1() returns, the new ref has been written and the lock
file has been closed.
At that stage we can then either call unlock_ref() which will abort the
update and delete the lock file withouth applying it, or call
commit_ref_lock() which will rename the lock file onto the ref file.

Signed-off-by: Ronnie Sahlberg <sahlberg@google.com>
---
 branch.c               | 10 ++++++++--
 builtin/commit.c       |  5 +++++
 builtin/fetch.c        |  7 ++++++-
 builtin/receive-pack.c |  4 ++++
 builtin/replace.c      |  6 +++++-
 builtin/tag.c          |  6 +++++-
 fast-import.c          |  7 ++++++-
 refs.c                 | 39 ++++++++++++++++++++++++++++++---------
 refs.h                 |  4 ++++
 sequencer.c            |  4 ++++
 walker.c               |  4 ++++
 11 files changed, 81 insertions(+), 15 deletions(-)

diff --git a/branch.c b/branch.c
index 660097b..903ea75 100644
--- a/branch.c
+++ b/branch.c
@@ -304,9 +304,15 @@ void create_branch(const char *head,
 	if (real_ref && track)
 		setup_tracking(ref.buf + 11, real_ref, track, quiet);
 
-	if (!dont_change_ref)
-		if (write_ref_sha1(lock, sha1, msg) < 0)
+	if (!dont_change_ref) {
+		if (write_ref_sha1(lock, sha1, msg) < 0) {
+			unlock_ref(lock);
 			die_errno(_("Failed to write ref"));
+		}
+		if (commit_ref_lock(lock) < 0) {
+			die_errno(_("Failed to commit ref"));
+		}
+	}
 
 	strbuf_release(&ref);
 	free(real_ref);
diff --git a/builtin/commit.c b/builtin/commit.c
index d9550c5..3d8a3a8 100644
--- a/builtin/commit.c
+++ b/builtin/commit.c
@@ -1686,9 +1686,14 @@ int cmd_commit(int argc, const char **argv, const char *prefix)
 		die(_("cannot lock HEAD ref"));
 	}
 	if (write_ref_sha1(ref_lock, sha1, sb.buf) < 0) {
+		unlock_ref(ref_lock);
 		rollback_index_files();
 		die(_("cannot update HEAD ref"));
 	}
+	if (commit_ref_lock(ref_lock) < 0) {
+		rollback_index_files();
+		die(_("cannot commit HEAD ref"));
+	}
 
 	unlink(git_path("CHERRY_PICK_HEAD"));
 	unlink(git_path("REVERT_HEAD"));
diff --git a/builtin/fetch.c b/builtin/fetch.c
index 55f457c..ebfb854 100644
--- a/builtin/fetch.c
+++ b/builtin/fetch.c
@@ -388,7 +388,12 @@ static int s_update_ref(const char *action,
 	if (!lock)
 		return errno == ENOTDIR ? STORE_REF_ERROR_DF_CONFLICT :
 					  STORE_REF_ERROR_OTHER;
-	if (write_ref_sha1(lock, ref->new_sha1, msg) < 0)
+	if (write_ref_sha1(lock, ref->new_sha1, msg) < 0) {
+		unlock_ref(lock);
+		return errno == ENOTDIR ? STORE_REF_ERROR_DF_CONFLICT :
+					  STORE_REF_ERROR_OTHER;
+	}
+	if (commit_ref_lock(lock) < 0)
 		return errno == ENOTDIR ? STORE_REF_ERROR_DF_CONFLICT :
 					  STORE_REF_ERROR_OTHER;
 	return 0;
diff --git a/builtin/receive-pack.c b/builtin/receive-pack.c
index c323081..4760274 100644
--- a/builtin/receive-pack.c
+++ b/builtin/receive-pack.c
@@ -587,8 +587,12 @@ static const char *update(struct command *cmd, struct shallow_info *si)
 			return "failed to lock";
 		}
 		if (write_ref_sha1(lock, new_sha1, "push")) {
+			unlock_ref(lock);
 			return "failed to write"; /* error() already called */
 		}
+		if (commit_ref_lock(lock))
+			return "failed to commit"; /* error() already called */
+
 		return NULL; /* good */
 	}
 }
diff --git a/builtin/replace.c b/builtin/replace.c
index b62420a..c09ff49 100644
--- a/builtin/replace.c
+++ b/builtin/replace.c
@@ -160,8 +160,12 @@ static int replace_object(const char *object_ref, const char *replace_ref,
 	lock = lock_any_ref_for_update(ref, prev, 0, NULL);
 	if (!lock)
 		die("%s: cannot lock the ref", ref);
-	if (write_ref_sha1(lock, repl, NULL) < 0)
+	if (write_ref_sha1(lock, repl, NULL) < 0) {
+		unlock_ref(lock);
 		die("%s: cannot update the ref", ref);
+	}
+	if (commit_ref_lock(lock) < 0)
+		die("%s: cannot commit the ref", ref);
 
 	return 0;
 }
diff --git a/builtin/tag.c b/builtin/tag.c
index 40356e3..8653a64 100644
--- a/builtin/tag.c
+++ b/builtin/tag.c
@@ -644,8 +644,12 @@ int cmd_tag(int argc, const char **argv, const char *prefix)
 	lock = lock_any_ref_for_update(ref.buf, prev, 0, NULL);
 	if (!lock)
 		die(_("%s: cannot lock the ref"), ref.buf);
-	if (write_ref_sha1(lock, object, NULL) < 0)
+	if (write_ref_sha1(lock, object, NULL) < 0) {
+		unlock_ref(lock);
 		die(_("%s: cannot update the ref"), ref.buf);
+	}
+	if (commit_ref_lock(lock) < 0)
+		die(_("%s: cannot commit the ref"), ref.buf);
 	if (force && !is_null_sha1(prev) && hashcmp(prev, object))
 		printf(_("Updated tag '%s' (was %s)\n"), tag, find_unique_abbrev(prev, DEFAULT_ABBREV));
 
diff --git a/fast-import.c b/fast-import.c
index fb4738d..65c41ad 100644
--- a/fast-import.c
+++ b/fast-import.c
@@ -1706,8 +1706,13 @@ static int update_branch(struct branch *b)
 			return -1;
 		}
 	}
-	if (write_ref_sha1(lock, b->sha1, msg) < 0)
+	if (write_ref_sha1(lock, b->sha1, msg) < 0) {
+		unlock_ref(lock);
 		return error("Unable to update %s", b->name);
+	}
+	if (commit_ref_lock(lock) < 0) {
+		return error("Unable to commit %s", b->name);
+	}
 	return 0;
 }
 
diff --git a/refs.c b/refs.c
index 28d5eca..9771237 100644
--- a/refs.c
+++ b/refs.c
@@ -2633,9 +2633,14 @@ int rename_ref(const char *oldrefname, const char *newrefname, const char *logms
 	lock->force_write = 1;
 	hashcpy(lock->old_sha1, orig_sha1);
 	if (write_ref_sha1(lock, orig_sha1, logmsg)) {
+		unlock_ref(lock);
 		error("unable to write current sha1 into %s", newrefname);
 		goto rollback;
 	}
+	if (commit_ref_lock(lock)) {
+		error("unable to commit current sha1 into %s", newrefname);
+		goto rollback;
+	}
 
 	return 0;
 
@@ -2649,8 +2654,12 @@ int rename_ref(const char *oldrefname, const char *newrefname, const char *logms
 	lock->force_write = 1;
 	flag = log_all_ref_updates;
 	log_all_ref_updates = 0;
-	if (write_ref_sha1(lock, orig_sha1, NULL))
+	if (write_ref_sha1(lock, orig_sha1, NULL)) {
+		unlock_ref(lock);
 		error("unable to write current sha1 into %s", oldrefname);
+	}
+	if (commit_ref_lock(lock))
+		error("unable to commit current sha1 into %s", oldrefname);
 	log_all_ref_updates = flag;
 
  rollbacklog:
@@ -2807,34 +2816,30 @@ int write_ref_sha1(struct ref_lock *lock,
 	if (!lock)
 		return -1;
 	if (!lock->force_write && !hashcmp(lock->old_sha1, sha1)) {
-		unlock_ref(lock);
+		lock->skipped_write = 1;
 		return 0;
 	}
 	o = parse_object(sha1);
 	if (!o) {
 		error("Trying to write ref %s with nonexistent object %s",
 			lock->ref_name, sha1_to_hex(sha1));
-		unlock_ref(lock);
 		return -1;
 	}
 	if (o->type != OBJ_COMMIT && is_branch(lock->ref_name)) {
 		error("Trying to write non-commit object %s to branch %s",
 			sha1_to_hex(sha1), lock->ref_name);
-		unlock_ref(lock);
 		return -1;
 	}
 	if (write_in_full(lock->lock_fd, sha1_to_hex(sha1), 40) != 40 ||
 	    write_in_full(lock->lock_fd, &term, 1) != 1
 		|| close_ref(lock) < 0) {
 		error("Couldn't write %s", lock->lk->filename);
-		unlock_ref(lock);
 		return -1;
 	}
 	clear_loose_ref_cache(&ref_cache);
 	if (log_ref_write(lock->ref_name, lock->old_sha1, sha1, logmsg) < 0 ||
 	    (strcmp(lock->ref_name, lock->orig_ref_name) &&
 	     log_ref_write(lock->orig_ref_name, lock->old_sha1, sha1, logmsg) < 0)) {
-		unlock_ref(lock);
 		return -1;
 	}
 	if (strcmp(lock->orig_ref_name, "HEAD") != 0) {
@@ -2858,7 +2863,12 @@ int write_ref_sha1(struct ref_lock *lock,
 		    !strcmp(head_ref, lock->ref_name))
 			log_ref_write("HEAD", lock->old_sha1, sha1, logmsg);
 	}
-	if (commit_ref(lock)) {
+	return 0;
+}
+
+int commit_ref_lock(struct ref_lock *lock)
+{
+        if (!lock->skipped_write && commit_ref(lock)) {
 		error("Couldn't set %s", lock->ref_name);
 		unlock_ref(lock);
 		return -1;
@@ -3272,10 +3282,17 @@ int update_ref(const char *action, const char *refname,
 	       int flags, enum action_on_err onerr)
 {
 	struct ref_lock *lock;
+	int ret;
+
 	lock = update_ref_lock(refname, oldval, flags, NULL, onerr);
 	if (!lock)
 		return 1;
-	return update_ref_write(action, refname, sha1, lock, onerr);
+	ret = update_ref_write(action, refname, sha1, lock, onerr);
+	if (ret)
+		unlock_ref(lock);
+	else
+		ret = commit_ref_lock(lock);
+	return ret;
 }
 
 static int ref_update_compare(const void *r1, const void *r2)
@@ -3351,7 +3368,11 @@ int update_refs(const char *action, const struct ref_update **updates_orig,
 					       updates[i]->ref_name,
 					       updates[i]->new_sha1,
 					       locks[i], onerr);
-			locks[i] = NULL; /* freed by update_ref_write */
+			if (ret)
+				unlock_ref(locks[i]);
+			else
+				commit_ref_lock(locks[i]);
+			locks[i] = NULL;
 			if (ret)
 				goto cleanup;
 		}
diff --git a/refs.h b/refs.h
index 87a1a79..0382128 100644
--- a/refs.h
+++ b/refs.h
@@ -8,6 +8,7 @@ struct ref_lock {
 	unsigned char old_sha1[20];
 	int lock_fd;
 	int force_write;
+	int skipped_write;
 };
 
 /**
@@ -165,6 +166,9 @@ extern void unlock_ref(struct ref_lock *lock);
 /** Writes sha1 into the ref specified by the lock. **/
 extern int write_ref_sha1(struct ref_lock *lock, const unsigned char *sha1, const char *msg);
 
+/** Commit any changes done to the ref specified by the lock. **/
+extern int commit_ref_lock(struct ref_lock *lock);
+
 /** Setup reflog before using. **/
 int log_ref_setup(const char *ref_name, char *logfile, int bufsize);
 
diff --git a/sequencer.c b/sequencer.c
index bde5f04..ffadf82 100644
--- a/sequencer.c
+++ b/sequencer.c
@@ -283,6 +283,10 @@ static int fast_forward_to(const unsigned char *to, const unsigned char *from,
 					   0, NULL);
 	strbuf_addf(&sb, "%s: fast-forward", action_name(opts));
 	ret = write_ref_sha1(ref_lock, to, sb.buf);
+	if (ret)
+		unlock_ref(ref_lock);
+	else
+		ret |= commit_ref_lock(ref_lock);
 	strbuf_release(&sb);
 	return ret;
 }
diff --git a/walker.c b/walker.c
index 1dd86b8..5ce5a1d 100644
--- a/walker.c
+++ b/walker.c
@@ -295,6 +295,10 @@ int walker_fetch(struct walker *walker, int targets, char **target,
 		if (!write_ref || !write_ref[i])
 			continue;
 		ret = write_ref_sha1(lock[i], &sha1[20 * i], msg ? msg : "fetch (unknown)");
+		if (ret)
+			unlock_ref(lock[i]);
+		else
+			ret |= commit_ref_lock(lock[i]);
 		lock[i] = NULL;
 		if (ret)
 			goto unlock_and_fail;
-- 
1.9.1.478.ga5a8238.dirty

[PATCH 2/4] refs.c: split delete_ref_loose() into a separate flag-for-deletion and commit phase

[Ronnie Sahlberg]

Change delete_ref_loose()) to just flag that a ref is to be deleted but do
not actually unlink the files.
Change commit_ref_lock() so that it will unlink refs that are flagged for
deletion.
Change all callers of delete_ref_loose() to explicitely call commit_ref_lock()
to commit the deletion.

The new pattern for deleting loose refs thus become:

lock = lock_ref_sha1_basic() (or varient of)
delete_ref_loose(lock)
unlock_ref(lock) | commit_ref_lock(lock)

Signed-off-by: Ronnie Sahlberg <sahlberg@google.com>
---
 refs.c | 31 ++++++++++++++++++++-----------
 refs.h |  2 ++
 2 files changed, 22 insertions(+), 11 deletions(-)

diff --git a/refs.c b/refs.c
index 9771237..038614d 100644
--- a/refs.c
+++ b/refs.c
@@ -2484,16 +2484,9 @@ static int repack_without_ref(const char *refname)
 
 static int delete_ref_loose(struct ref_lock *lock, int flag)
 {
-	if (!(flag & REF_ISPACKED) || flag & REF_ISSYMREF) {
-		/* loose */
-		int err, i = strlen(lock->lk->filename) - 5; /* .lock */
-
-		lock->lk->filename[i] = 0;
-		err = unlink_or_warn(lock->lk->filename);
-		lock->lk->filename[i] = '.';
-		if (err && errno != ENOENT)
-			return 1;
-	}
+	lock->delete_ref = 1;
+	lock->delete_flag = flag;
+
 	return 0;
 }
 
@@ -2515,7 +2508,7 @@ int delete_ref(const char *refname, const unsigned char *sha1, int delopt)
 
 	unlink_or_warn(git_path("logs/%s", lock->ref_name));
 	clear_loose_ref_cache(&ref_cache);
-	unlock_ref(lock);
+	ret |= commit_ref_lock(lock);
 	return ret;
 }
 
@@ -2868,6 +2861,20 @@ int write_ref_sha1(struct ref_lock *lock,
 
 int commit_ref_lock(struct ref_lock *lock)
 {
+	if (lock->delete_ref) {
+		int flag = lock->delete_flag;
+
+		if (!(flag & REF_ISPACKED) || flag & REF_ISSYMREF) {
+			/* loose */
+			int err, i = strlen(lock->lk->filename) - 5; /* .lock */
+
+			lock->lk->filename[i] = 0;
+			err = unlink_or_warn(lock->lk->filename);
+			lock->lk->filename[i] = '.';
+			if (err && errno != ENOENT)
+				return 1;
+		}
+	} else
         if (!lock->skipped_write && commit_ref(lock)) {
 		error("Couldn't set %s", lock->ref_name);
 		unlock_ref(lock);
@@ -3382,6 +3389,8 @@ int update_refs(const char *action, const struct ref_update **updates_orig,
 		if (locks[i]) {
 			delnames[delnum++] = locks[i]->ref_name;
 			ret |= delete_ref_loose(locks[i], types[i]);
+			ret |= commit_ref_lock(locks[i]);
+			locks[i] = NULL;
 		}
 	ret |= repack_without_refs(delnames, delnum);
 	for (i = 0; i < delnum; i++)
diff --git a/refs.h b/refs.h
index 0382128..2230d67 100644
--- a/refs.h
+++ b/refs.h
@@ -9,6 +9,8 @@ struct ref_lock {
 	int lock_fd;
 	int force_write;
 	int skipped_write;
+	int delete_ref;
+	int delete_flag;
 };
 
 /**
-- 
1.9.1.478.ga5a8238.dirty

[PATCH 3/4] refs.c: change update_refs to run the commit loops once all work is finished

[Ronnie Sahlberg]

During update_refs we will both be deleting refs as well as updating/changing
the refs.
Since both delete and update now use the same lock/update/commit pattern

    lock = lock_ref_sha1_basic() (or varient of)
    write_ref_sha1(lock)/delete_ref_loose(lock)
    unlock_ref(lock) | commit_ref_lock(lock)

we can now simplify update_update refs to have one loop that locks all
involved refs.
A second loop that writes or flags for deletion, but does not commit, all
the refs.
And a final third loop that commits all the refs once all the work and
preparations are complete.

This makes updating/deleting multiple refs 'more atomic' since we will not start
the commit phase until all the preparations have completed successfully.

Signed-off-by: Ronnie Sahlberg <sahlberg@google.com>
---
 refs.c | 38 +++++++++++++++++++++-----------------
 1 file changed, 21 insertions(+), 17 deletions(-)

diff --git a/refs.c b/refs.c
index 038614d..1678e12 100644
--- a/refs.c
+++ b/refs.c
@@ -3368,34 +3368,38 @@ int update_refs(const char *action, const struct ref_update **updates_orig,
 		}
 	}
 
-	/* Perform updates first so live commits remain referenced */
-	for (i = 0; i < n; i++)
-		if (!is_null_sha1(updates[i]->new_sha1)) {
+	/* Go through and prepare all updates and deletes */
+	for (i = 0; i < n; i++) {
+		if (!is_null_sha1(updates[i]->new_sha1))
 			ret = update_ref_write(action,
 					       updates[i]->ref_name,
 					       updates[i]->new_sha1,
 					       locks[i], onerr);
-			if (ret)
-				unlock_ref(locks[i]);
-			else
-				commit_ref_lock(locks[i]);
-			locks[i] = NULL;
-			if (ret)
-				goto cleanup;
+		else {
+			delnames[delnum++] = locks[i]->ref_name;
+			ret = delete_ref_loose(locks[i], types[i]);
 		}
+		if (ret)
+			goto cleanup;
+	}
 
-	/* Perform deletes now that updates are safely completed */
+	ret = repack_without_refs(delnames, delnum);
+	for (i = 0; i < delnum; i++)
+		unlink_or_warn(git_path("logs/%s", delnames[i]));
+	clear_loose_ref_cache(&ref_cache);
+
+	/* Perform updates first so live commits remain referenced */
+	for (i = 0; i < n; i++)
+		if (locks[i] && !locks[i]->delete_ref) {
+			ret |= commit_ref_lock(locks[i]);
+			locks[i] = NULL;
+		}
+	/* And finally perform all deletes */
 	for (i = 0; i < n; i++)
 		if (locks[i]) {
-			delnames[delnum++] = locks[i]->ref_name;
-			ret |= delete_ref_loose(locks[i], types[i]);
 			ret |= commit_ref_lock(locks[i]);
 			locks[i] = NULL;
 		}
-	ret |= repack_without_refs(delnames, delnum);
-	for (i = 0; i < delnum; i++)
-		unlink_or_warn(git_path("logs/%s", delnames[i]));
-	clear_loose_ref_cache(&ref_cache);
 
 cleanup:
 	for (i = 0; i < n; i++)
-- 
1.9.1.478.ga5a8238.dirty

[PATCH 4/4] refs.c: sort the refs by new_sha1 and merge the two update/delete loops into one

[Ronnie Sahlberg]

We want to make sure that we update all refs before we delete any refs
so that there is no point in time where the tips may not be reachable
from any ref in the system.
We currently acheive this by first looping over all updates and applying
them before we run a second loop and perform all the deletes.

If we sort the new sha1 for all the refs so that a deleted ref,
with sha1 0{40} comes at the end of the array, then we can just run
a single loop and still guarantee that all updates happen before
any deletes.

Signed-off-by: Ronnie Sahlberg <sahlberg@google.com>
---
 refs.c | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/refs.c b/refs.c
index 1678e12..453318e 100644
--- a/refs.c
+++ b/refs.c
@@ -3309,6 +3309,15 @@ static int ref_update_compare(const void *r1, const void *r2)
 	return strcmp((*u1)->ref_name, (*u2)->ref_name);
 }
 
+static int ref_delete_compare(const void *r1, const void *r2)
+{
+	const struct ref_update * const *u1 = r1;
+	const struct ref_update * const *u2 = r2;
+
+	/* -strcmp so that 0{40} sorts to the end */
+	return -strcmp((*u1)->new_sha1, (*u2)->new_sha1);
+}
+
 static int ref_update_reject_duplicates(struct ref_update **updates, int n,
 					enum action_on_err onerr)
 {
@@ -3388,13 +3397,8 @@ int update_refs(const char *action, const struct ref_update **updates_orig,
 		unlink_or_warn(git_path("logs/%s", delnames[i]));
 	clear_loose_ref_cache(&ref_cache);
 
-	/* Perform updates first so live commits remain referenced */
-	for (i = 0; i < n; i++)
-		if (locks[i] && !locks[i]->delete_ref) {
-			ret |= commit_ref_lock(locks[i]);
-			locks[i] = NULL;
-		}
-	/* And finally perform all deletes */
+	/* Sort the array so that we perform all updates before any deletes */
+	qsort(updates, n, sizeof(*updates), ref_delete_compare);
 	for (i = 0; i < n; i++)
 		if (locks[i]) {
 			ret |= commit_ref_lock(locks[i]);
-- 
1.9.1.478.ga5a8238.dirty

Re: [PATCH 0/4] Make update_refs more atomic V2

[Junio C Hamano]

CC'ing Michael who has been active in this area as an area expert.

Ronnie, please make it a habit to run something like

    $ git shortlog --no-merges --since=18.months <affected paths>...

to help you decide who your series may want to be reviewed by,
before sending them.

Thanks.

Ronnie Sahlberg <sahlberg@google.com> writes:

> refs.c:update_refs() intermingles doing updates and checks with actually
> applying changes to the refs in loops that abort on error.
> This is done one ref at a time and means that if an error is detected that
> will fail the operation after only some of the ref operations have been
> been updated on the disk.
>
> These patches change the update and delete functions to use a three
> call pattern of
>
> 1, lock
> 2, update, or flag for deletion
> 3, apply on disk
>
> In the final patch I change update_refs to perform these actions in three
> separate loops where the final loop to 'apply on disk' all the changes will
> only be performed if there were no error conditions detected during any of
> previous loops.
>
> This should make the changes of refs in update_refs slightly more atomic.
>
>
> This may overlap with other current patch series for making refs updates
> more atomic which may mean these patches become obsolete, but I would still
> like some review and feedback on these changes.
>
> Version 2:
> Updates and fixes based on Junio's feedback.
> * Fix the subject line for patches so they comply with the project standard.
> * Redo the update/delete loops so that we maintain the correct order of
>   operations. Perform all updates first, then perform the deletes.
> * Add an additional patch that allows us to do the update/delete in the correct
>   order from within a single loop by first sorting the refs so that deletes
>   are after all non-deletes.
>
>
> Ronnie Sahlberg (4):
>   refs.c: split writing and commiting a ref into two separate functions
>   refs.c: split delete_ref_loose() into a separate flag-for-deletion and
>     commit phase
>   refs.c: change update_refs to run the commit loops once all work is
>     finished
>   refs.c: sort the refs by new_sha1 and merge the two update/delete
>     loops into one
>
>  branch.c               |  10 ++++-
>  builtin/commit.c       |   5 +++
>  builtin/fetch.c        |   7 +++-
>  builtin/receive-pack.c |   4 ++
>  builtin/replace.c      |   6 ++-
>  builtin/tag.c          |   6 ++-
>  fast-import.c          |   7 +++-
>  refs.c                 | 102 +++++++++++++++++++++++++++++++++----------------
>  refs.h                 |   6 +++
>  sequencer.c            |   4 ++
>  walker.c               |   4 ++
>  11 files changed, 123 insertions(+), 38 deletions(-)

Re: [PATCH 4/4] refs.c: sort the refs by new_sha1 and merge the two update/delete loops into one

[Junio C Hamano]

Ronnie Sahlberg <sahlberg@google.com> writes:

> We want to make sure that we update all refs before we delete any refs
> so that there is no point in time where the tips may not be reachable
> from any ref in the system.
> We currently acheive this by first looping over all updates and applying
> them before we run a second loop and perform all the deletes.
>
> If we sort the new sha1 for all the refs so that a deleted ref,
> with sha1 0{40} comes at the end of the array, then we can just run
> a single loop and still guarantee that all updates happen before
> any deletes.
>
> Signed-off-by: Ronnie Sahlberg <sahlberg@google.com>
> ---
>  refs.c | 18 +++++++++++-------
>  1 file changed, 11 insertions(+), 7 deletions(-)
>
> diff --git a/refs.c b/refs.c
> index 1678e12..453318e 100644
> --- a/refs.c
> +++ b/refs.c
> @@ -3309,6 +3309,15 @@ static int ref_update_compare(const void *r1, const void *r2)
>  	return strcmp((*u1)->ref_name, (*u2)->ref_name);
>  }
>  
> +static int ref_delete_compare(const void *r1, const void *r2)
> +{
> +	const struct ref_update * const *u1 = r1;
> +	const struct ref_update * const *u2 = r2;
> +
> +	/* -strcmp so that 0{40} sorts to the end */
> +	return -strcmp((*u1)->new_sha1, (*u2)->new_sha1);

Two glitches:

 - Didn't you mean hashcmp()?

 - Don't you have an explicit ->delete_ref field that is a more
   direct way, than relying on the convention "updating to 0{40}
   is to delte", to express this?

In other words, wouldn't it be more like

	return !(*u1)->delete_ref - !(*u2)->delete_ref;

or something (I may be wrong about the sign, tho---I didn't think
carefully)?


> +}
> +
>  static int ref_update_reject_duplicates(struct ref_update **updates, int n,
>  					enum action_on_err onerr)
>  {
> @@ -3388,13 +3397,8 @@ int update_refs(const char *action, const struct ref_update **updates_orig,
>  		unlink_or_warn(git_path("logs/%s", delnames[i]));
>  	clear_loose_ref_cache(&ref_cache);
>  
> -	/* Perform updates first so live commits remain referenced */
> -	for (i = 0; i < n; i++)
> -		if (locks[i] && !locks[i]->delete_ref) {
> -			ret |= commit_ref_lock(locks[i]);
> -			locks[i] = NULL;
> -		}
> -	/* And finally perform all deletes */
> +	/* Sort the array so that we perform all updates before any deletes */
> +	qsort(updates, n, sizeof(*updates), ref_delete_compare);
>  	for (i = 0; i < n; i++)
>  		if (locks[i]) {
>  			ret |= commit_ref_lock(locks[i]);

Re: [PATCH 4/4] refs.c: sort the refs by new_sha1 and merge the two update/delete loops into one

[Ronnie Sahlberg]

On Thu, Apr 10, 2014 at 12:01 PM, Junio C Hamano <gitster@pobox.com> wrote:
> Ronnie Sahlberg <sahlberg@google.com> writes:
>
>> We want to make sure that we update all refs before we delete any refs
>> so that there is no point in time where the tips may not be reachable
>> from any ref in the system.
>> We currently acheive this by first looping over all updates and applying
>> them before we run a second loop and perform all the deletes.
>>
>> If we sort the new sha1 for all the refs so that a deleted ref,
>> with sha1 0{40} comes at the end of the array, then we can just run
>> a single loop and still guarantee that all updates happen before
>> any deletes.
>>
>> Signed-off-by: Ronnie Sahlberg <sahlberg@google.com>
>> ---
>>  refs.c | 18 +++++++++++-------
>>  1 file changed, 11 insertions(+), 7 deletions(-)
>>
>> diff --git a/refs.c b/refs.c
>> index 1678e12..453318e 100644
>> --- a/refs.c
>> +++ b/refs.c
>> @@ -3309,6 +3309,15 @@ static int ref_update_compare(const void *r1, const void *r2)
>>       return strcmp((*u1)->ref_name, (*u2)->ref_name);
>>  }
>>
>> +static int ref_delete_compare(const void *r1, const void *r2)
>> +{
>> +     const struct ref_update * const *u1 = r1;
>> +     const struct ref_update * const *u2 = r2;
>> +
>> +     /* -strcmp so that 0{40} sorts to the end */
>> +     return -strcmp((*u1)->new_sha1, (*u2)->new_sha1);
>
> Two glitches:
>
>  - Didn't you mean hashcmp()?
>
>  - Don't you have an explicit ->delete_ref field that is a more
>    direct way, than relying on the convention "updating to 0{40}
>    is to delte", to express this?
>
> In other words, wouldn't it be more like
>
>         return !(*u1)->delete_ref - !(*u2)->delete_ref;
>
> or something (I may be wrong about the sign, tho---I didn't think
> carefully)?

I don't have access to delete_ref from 'struct ref_update'.

But much worse is that the patch is completely bogus.
Sorting and changing the order of the items in the updates[] array
does not affect the ordering of the items in the locks[] array
so this can not work.

I will delete this bogus patch from any new version of the patch series.


regards
ronnie sahlberg

>
>
>> +}
>> +
>>  static int ref_update_reject_duplicates(struct ref_update **updates, int n,
>>                                       enum action_on_err onerr)
>>  {
>> @@ -3388,13 +3397,8 @@ int update_refs(const char *action, const struct ref_update **updates_orig,
>>               unlink_or_warn(git_path("logs/%s", delnames[i]));
>>       clear_loose_ref_cache(&ref_cache);
>>
>> -     /* Perform updates first so live commits remain referenced */
>> -     for (i = 0; i < n; i++)
>> -             if (locks[i] && !locks[i]->delete_ref) {
>> -                     ret |= commit_ref_lock(locks[i]);
>> -                     locks[i] = NULL;
>> -             }
>> -     /* And finally perform all deletes */
>> +     /* Sort the array so that we perform all updates before any deletes */
>> +     qsort(updates, n, sizeof(*updates), ref_delete_compare);
>>       for (i = 0; i < n; i++)
>>               if (locks[i]) {
>>                       ret |= commit_ref_lock(locks[i]);

Re: [PATCH 0/4] Make update_refs more atomic V2

[Junio C Hamano]

Junio C Hamano <gitster@pobox.com> writes:

> CC'ing Michael who has been active in this area as an area expert.
>
> Ronnie, please make it a habit to run something like
>
>     $ git shortlog --no-merges --since=18.months <affected paths>...
>
> to help you decide who your series may want to be reviewed by,
> before sending them.
>
> Thanks.

Another tip.  "git format-patch -v3" would produce

	Subject: [PATCH v3 0/4] blah blah blah...