git@vger.kernel.org list mirror (unofficial, one of many)
 help / color / mirror / Atom feed
From: "René Scharfe" <l.s.r@web.de>
To: Jeff King <peff@peff.net>
Cc: "Junio C Hamano" <gitster@pobox.com>, 唐宇奕 <winglovet@gmail.com>,
	git@vger.kernel.org
Subject: Re: Bug report: orphaned pack-objects after killing upload-pack on [
Date: Fri, 27 Nov 2020 21:43:06 +0100
Message-ID: <d0fcfa7f-9835-a9e6-c4a4-af4de177ff8c@web.de> (raw)
In-Reply-To: <X8B9589XMlCQEltA@coredump.intra.peff.net>

Am 27.11.20 um 05:17 schrieb Jeff King:
> On Thu, Nov 26, 2020 at 09:04:35PM +0100, René Scharfe wrote:
>
>> Before I could submit that one (or something similar) formally, I'd need
>> to understand what's happening here a lot better and witness the effect
>> of the patch.
>>
>> I understand that the main benefit of stopping the child upon
>> termination of the parent is to avoid using CPU cycles on a heavy task
>> whose results will just go to waste.  But wouldn't the orphaned child
>> then become a zombie?  Init would reap it eventually, but are there
>> perhaps init-less deployments (containerized daemon?) where such
>> zombies could pile up?
>
> I think an init-less deployment like that is already broken. If we
> encounter any error at all in upload-pack we may quit without reaping
> all of our children. And this could never be protected against entirely;
> we could be killed by SIGSEGV, SIGKILL, etc.

That might be true, but it might still be usable if the rate of zombie
production is low enough.  And reducing it slightly might still help by
increasing the time between container restarts.  Segfaults should be
very rare, and people using kill -9 can clean up after themselves..

> My understanding is container deployments often have a tiny pid-1 init
> that takes care of zombie processes like this (but it's not something
> I've dealt with much myself).

True, e.g. https://github.com/krallin/tini, which is built into newer
Docker releases already.  So this problem is real and has an (optional)
solution.

OK, so overall the situation sounds a bit messy to me and perhaps
there's room for improvement, but I agree now that we can leave the
specialists (init, tini) to deal with our zombies.

>> For a test, winning the race condition should be easy if we cheat by
>> letting the child loop forever.  But I struggle even with the most
>> basic task: Making upload-pack invoked by clone call pack-objects.
>> (Feeling a bit silly.)
>
> Here's an easy reproduction. On a clone of something large-ish (by
> number of objects) like linux.git:
>
>   - make sure you don't have bitmaps on (since they make the enumerating
>     phase go quickly). For linux.git it takes ~30s or so to walk the
>     whole graph on my machine.
>
>   - run "git clone --no-local -q . dst"; the "-q" is important because
>     if pack-objects is writing progress to upload-pack (to get
>     multiplexed over the sideband to the client), then it will notice
>     pretty quickly the failure to write to stderr
>
>   - kill just upload-pack with "pkill git-upload-pack" or whatever you
>     like
>
>   - run "ps au | grep pack-objects" (or just "top") to see pack-objects
>     chugging on 100% CPU (and consuming 1GB+ of RAM)
>
> With the patch adding clean_on_exit, that last step turns up nothing.

I was missing --no-local, d'oh!

To win the race consistently I used this:

-- >8 --

diff --git a/run-command.c b/run-command.c
index ea4d0fb4b1..a6bf0a86dd 100644
--- a/run-command.c
+++ b/run-command.c
@@ -672,6 +672,19 @@ int start_command(struct child_process *cmd)
 	int failed_errno;
 	char *str;

+	const char *loop_argv[] = { "while :; do sleep 1; done", NULL };
+	const char *fail_cmd = getenv("GIT_DEBUG_ABANDON_CHILD");
+	const char *argv0 = cmd->argv ? cmd->argv[0] : cmd->args.v[0];
+	int fail = fail_cmd && starts_with(argv0, fail_cmd);
+
+	if (fail) {
+		fprintf(stderr, "starting endless loop instead of %s\n",
+			cmd->argv ? cmd->argv[0] : cmd->args.v[0]);
+		cmd->argv = loop_argv;
+		cmd->use_shell = 1;
+		cmd->git_cmd = 0;
+	}
+
 	if (!cmd->argv)
 		cmd->argv = cmd->args.v;
 	if (!cmd->env)
@@ -982,6 +995,9 @@ int start_command(struct child_process *cmd)
 	else if (cmd->err)
 		close(cmd->err);

+	if (fail)
+		die("abandoning child %"PRIuMAX"\n", (uintmax_t)cmd->pid);
+
 	return 0;
 }


--- 8< ---

We could build tests that always win (or lose, based on your
perspective) the race condition based on that.  Turning on clean_on_exit
is such a no-brainer that I don't see the need for one, though.

> Now the situation above is probably pretty rare. Nobody is usually going
> to kill upload-pack specifically. The more common case is when
> upload-pack realizes that the client (or the network) has gone away,
> because it tries to write and finds the connection gone. But what is it
> writing? Most of the time it's stuff from pack-objects! So in the normal
> case, pack-objects is continually writing either data or progress
> reports, so it would notice for its next write.
>
> But again, a client asking for no progress is a problem. upload-pack
> will be sending keepalives every 5s or so, so it will notice client
> death then. But pack-objects will keep running, not generating any
> output until it starts spewing the pack.
>
> So you could probably make the scenario above a bit more realistic by
> killing the parent git-clone process. But don't use ^C; that will send
> SIGINT to all of the processes. Simulate a network failure by killing
> the "git clone" process specifically. This shows the same problem, and
> the same improvement after the patch (though remember it may take up to
> 5 seconds for upload-pack to send a keepalive and notice the problem).

With the debug patch above and GIT_DEBUG_ABANDON_CHILD=git-upload-pack I
need the following patch get rid of the spawned process:

--- >8 ---

diff --git a/connect.c b/connect.c
index 8b8f56cf6d..e1b1b73ef5 100644
--- a/connect.c
+++ b/connect.c
@@ -1369,6 +1369,7 @@ struct child_process *git_connect(int fd[2], const char *url,

 		conn->use_shell = 1;
 		conn->in = conn->out = -1;
+		conn->clean_on_exit = 1;
 		if (protocol == PROTO_SSH) {
 			char *ssh_host = hostandport;
 			const char *port = NULL;

--- 8< ---

So is there a downside to clean_on_exit?  It doesn't make sense when we
start browsers or pagers, but for hooks and helpers (which are probably
the majority of started processes) cascading program termination makes
sense, no?

René


  reply	other threads:[~2020-11-27 20:49 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-11-19  8:18 唐宇奕
2020-11-20 18:52 ` Bug report: orphaned pack-objects after killing upload-pack on [was: (no subject)] René Scharfe
2020-11-21  0:29   ` Jeff King
2020-11-21 21:54     ` Bug report: orphaned pack-objects after killing upload-pack on [ Junio C Hamano
2020-11-24  3:21       ` 唐宇奕
2020-11-24  9:11       ` Jeff King
2020-11-25 21:42         ` Junio C Hamano
2020-11-26  0:53           ` Jeff King
2020-11-26  1:04             ` Junio C Hamano
2020-11-26 20:04               ` René Scharfe
2020-11-27  4:17                 ` Jeff King
2020-11-27 20:43                   ` René Scharfe [this message]
2020-11-28  6:30                     ` Jeff King
2020-12-01 12:15                 ` Jeff King
2020-12-02 11:45                   ` René Scharfe
2020-12-02 22:14                     ` Junio C Hamano

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: http://vger.kernel.org/majordomo-info.html

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=d0fcfa7f-9835-a9e6-c4a4-af4de177ff8c@web.de \
    --to=l.s.r@web.de \
    --cc=git@vger.kernel.org \
    --cc=gitster@pobox.com \
    --cc=peff@peff.net \
    --cc=winglovet@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

git@vger.kernel.org list mirror (unofficial, one of many)

This inbox may be cloned and mirrored by anyone:

	git clone --mirror https://public-inbox.org/git
	git clone --mirror http://ou63pmih66umazou.onion/git
	git clone --mirror http://czquwvybam4bgbro.onion/git
	git clone --mirror http://hjrcffqmbrq6wope.onion/git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V1 git git/ https://public-inbox.org/git \
		git@vger.kernel.org
	public-inbox-index git

Example config snippet for mirrors.
Newsgroups are available over NNTP:
	nntp://news.public-inbox.org/inbox.comp.version-control.git
	nntp://ou63pmih66umazou.onion/inbox.comp.version-control.git
	nntp://czquwvybam4bgbro.onion/inbox.comp.version-control.git
	nntp://hjrcffqmbrq6wope.onion/inbox.comp.version-control.git
	nntp://news.gmane.io/gmane.comp.version-control.git
 note: .onion URLs require Tor: https://www.torproject.org/

code repositories for the project(s) associated with this inbox:

	https://80x24.org/mirrors/git.git

AGPL code for this site: git clone https://public-inbox.org/public-inbox.git