Re: [PATCH 4/4] pack-check: fix verification of large objects

[Junio C Hamano <gitster@pobox.com>]

Patrick Steinhardt <ps@pks.im> writes:

> It was reported [1] that git-fsck(1) may sometimes run into an infinite
> loop when processing packfiles. This bug was bisected to c31bad4f7d
> (packfile: track packs via the MRU list exclusively, 2025-10-30), which
> refactored our lsit of packfiles to only be tracked via an MRU list,

"lsit of" -> "list of"

> exclusively. This isn't entirely surprising: any caller that iterates
> through the list of packfiles and then hits `find_pack_entry()`, for
> example because they read an object from it, may cause the MRU list to
> be updated. And if the caller is unlucky, this may cause the mentioned
> infinite loop.
>
> While this mechanism is somewhat fragile, it is still surprising that we
> encounter it when verifying the packfile. We iterate through objects in
> a given pack one by one and then read them via their offset, and doing
> this shouldn't ever end up in `find_pack_entry()`.
>
> But there is an edge case here: when the object in question is a blob
> bigger than "core.largeFileThreshold", then we will be careful to not
> read it into memory. Instead, we read it via an object stream by calling
> `odb_read_object_stream()`, and that function will perform an object
> lookup via `odb_read_object_info()`. So in the case where there are at
> least two blobs in two different packfiles, and both of these blobs
> exceed "core.largeFileThreshold", then we'll run into an infinite loop
> because we'll always update the MRU.

Good find, and it is not surprising.  What is surprising is that we
do not see this kind of breakage more often.  The mechanism does
sound fragile, not just "somewhat" X-<.

> We could fix this by improving `repo_for_each_pack()` to not update the
> MRU, and this would address the issue. But the fun part is that using
> `odb_read_object_stream()` is the wrong thing to do in the first place:
> it may open _any_ instance of this object, so we ultimately cannot be
> sure that we even verified the object in our given packfile.

Again, very good reasoning.

> Fix this bug by creating the object stream for the packed object
> directly via `packfile_read_object_stream()`. Add a test that would have
> caused the infinite loop.

Curious that we have a completely different test.  I've locally
applied (without committing or amending) t1050 update from brian's
patch and with this series, fsck there does not seem to get stuck.
Of course, the new test added here doesn't either ;-).

>
> [1]: <20260222183710.2963424-1-sandals@crustytoothpaste.net>
>
> Reported-by: brian m. carlson <sandals@crustytoothpaste.net>
> Signed-off-by: Patrick Steinhardt <ps@pks.im>
> ---
>  pack-check.c    |  2 +-
>  t/t1450-fsck.sh | 15 +++++++++++++++
>  2 files changed, 16 insertions(+), 1 deletion(-)
>
> diff --git a/pack-check.c b/pack-check.c
> index 46782a29d5..6149567060 100644
> --- a/pack-check.c
> +++ b/pack-check.c
> @@ -155,7 +155,7 @@ static int verify_packfile(struct repository *r,
>  			err = error("packed %s from %s is corrupt",
>  				    oid_to_hex(&oid), p->pack_name);
>  		else if (!data &&
> -			 (!(stream = odb_read_stream_open(r->objects, &oid, NULL)) ||
> +			 (packfile_read_object_stream(&stream, p, entries[i].offset) < 0 ||
>  			  stream_object_signature(r, stream, &oid) < 0))
>  			err = error("packed %s from %s is corrupt",
>  				    oid_to_hex(&oid), p->pack_name);
> diff --git a/t/t1450-fsck.sh b/t/t1450-fsck.sh
> index 8fb79b3e5d..ec68397ea3 100755
> --- a/t/t1450-fsck.sh
> +++ b/t/t1450-fsck.sh
> @@ -852,6 +852,21 @@ test_expect_success 'fsck errors in packed objects' '
>  	! grep corrupt out
>  '
>  
> +test_expect_success 'fsck handles multiple packfiles with big blobs' '
> +	test_when_finished "rm -rf repo" &&
> +	git init repo &&
> +	(
> +		cd repo &&
> +		blob_one=$(test-tool genrandom one 200k | git hash-object -t blob -w --stdin) &&
> +		blob_two=$(test-tool genrandom two 200k | git hash-object -t blob -w --stdin) &&
> +		printf "%s\n" "$blob_one" | git pack-objects .git/objects/pack/pack &&
> +		printf "%s\n" "$blob_two" | git pack-objects .git/objects/pack/pack &&
> +		remove_object "$blob_one" &&
> +		remove_object "$blob_two" &&
> +		git -c core.bigFileThreshold=100k fsck
> +	)
> +'
> +
>  test_expect_success 'fsck fails on corrupt packfile' '
>  	hsh=$(git commit-tree -m mycommit HEAD^{tree}) &&
>  	pack=$(echo $hsh | git pack-objects .git/objects/pack/pack) &&