Re: [PATCH] midx.c: clear auxiliary MIDX files first

[Derrick Stolee <derrickstolee@github.com>]

On 10/26/22 1:41 AM, Jeff King wrote:
> On Tue, Oct 25, 2022 at 02:25:20PM -0400, Taylor Blau wrote:
> 
>> Since they were added in c528e17966 (pack-bitmap: write multi-pack
>> bitmaps, 2021-08-31), the routine to remove MIDXs removed the
>> multi-pack-index file itself before removing its associated .bitmap and
>> .rev file(s), if any.
>>
>> This creates a window where a MIDX's .bitmap file exists without its
>> corresponding MIDX. If a reader tries to load a MIDX bitmap during that
>> time, they will get a warning, and the MIDX bitmap code will gracefully
>> degrade.
>>
>> Remove this window entirely by removing the MIDX last, and removing its
>> auxiliary files first.
> 
> We remove that window, but don't we create a new one where a reader may
> see the midx but not the bitmap? That won't generate a warning (it just
> looks like a midx that never had a bitmap generated), but it will cause
> the reader to follow the slow, non-bitmap path.

Yes, this is the worrisome direction. The midx is read first, then that
points to the .bitmap file (based on its trailing hash). If the midx isn't
there, then the .bitmap will not be read.

> Ideally this would just be atomic, but short of stuffing the metadata
> into the same file, we can't do that. But the replacement of the midx
> file itself is atomic, and I'd think everything would (or should at
> least) follow from there.

The interesting case here is that this is in clear_midx_file(), which
is called when repacking to a single pack and no longer needing a midx
file. So it's not using the atomic rewrite from the midx writing code,
but instead the "atomic" deletion.

In this case, a reader will check for the midx first, before looking
for individual packs. Further, the new pack is written, but the old
packs have not been deleted (or the midx would be invalid). So the
new code introduces the window where a midx exists without a bitmap,
so some readers will act as if no bitmap exists on-disk.

This was always possible before, too: the midx could be read by a
reader process before the repack process deletes that file. However,
if the reader does not also gain a handle on the corresponding
.bitmap before the repack process deletes that file, too, then the
reader is also left thinking that no .bitmap exists.

I think the old code is more correct, here. The window is slightly
smaller, and the new code creates a window where the filesystem
doesn't need to change for readers to get an imperfect view of
things.

Aside: in these cases where a .bitmap file is not found for a midx,
do we fall back to trying to find a .bitmap file for a pack-file?
That would assuage most of the concerns here about what happens in
this window where the repack has a new .pack/.bitmap pair but the
old midx still exists (without a .bitmap, depending on timing).

Thanks,
-Stolee