[PATCH] rev-list: allow cached objects in existence check

[PATCH] rev-list: allow cached objects in existence check

[Jeff King]

This fixes a regression in 7c0fe330d5 (rev-list: handle missing tree
objects properly, 2018-10-05) where rev-list will now complain about the
empty tree when it doesn't physically exist on disk.

Before that commit, we relied on the traversal code in list-objects.c to
walk through the trees. Since it uses parse_tree(), we'd do a normal
object lookup that includes looking in the set of "cached" objects
(which is where our magic internal empty-tree kicks in).

After that commit, we instead tell list-objects.c not to die on any
missing trees, and we check them ourselves using has_object_file(). But
that function uses OBJECT_INFO_SKIP_CACHED, which means we won't use our
internal empty tree.

This normally wouldn't come up. For most operations, Git will try to
write out the empty tree object as it would any other object. And
pack-objects in a push or fetch will send the empty tree (even if it's
virtual on the sending side). However, there are cases where this can
matter. One I found in the wild:

  1. The root tree of a commit became empty by deleting all files,
     without using an index. In this case it was done using libgit2's
     tree builder API, but as the included test shows, it can easily be
     done with regular git using hash-object.

     The resulting repo works OK, as we'd avoid walking over our own
     reachable commits for a connectivity check.

  2. Cloning with --reference pointing to the repository from (1) can
     trigger the problem, because we tell the other side we already have
     that commit (and hence the empty tree), but then walk over it
     during the connectivity check (where we complain about it missing).

Arguably the workflow in step (1) should be more careful about writing
the empty tree object if we're referencing it. But this workflow did
work prior to 7c0fe330d5, so let's restore it.

This patch makes the minimal fix, which is to swap out a direct call to
oid_object_info_extended(), minus the SKIP_CACHED flag, instead of
calling has_object_file(). This is all that has_object_file() is doing
under the hood. And there's little danger of unrelated fallout from
other unexpected "cached" objects, since there's only one call site that
ends such a cached object, and it's in git-blame.

Signed-off-by: Jeff King <peff@peff.net>
---
I prepared this directly on top of 7c0fe330d5, but it should merge
cleanly into the current tip of master.

I think we might also consider just having has_object_file() respect
cached objects. The SKIP_CACHED flag comes from Jonathan Tan's
e83e71c5e1 (sha1_file: refactor has_sha1_file_with_flags, 2017-06-21).
But it was just matching the old behavior; it's not clear to me that we
particularly care about that, and it wasn't simply that nobody bothered
to put the cached-object check into has_sha1_file().

Some concerns/arguments against it:

  - we probably would want to make sure we do not short-cut
    write_sha1_file(). I.e., we should still write it to disk when
    somebody wants it. But I think that works, because that function
    uses its own check-and-freshen infrastructure.

  - some callers of has_sha1_file() might care about durability between
    processes. Because it's baked in, the empty tree is safe for that
    (whatever follow-on process runs, it will also be baked in there).
    But that's not necessarily true for other "cached" objects. I'm not
    really that worried about it because we use it sparingly (the only
    call to pretend_sha1_file() is in git-blame, and if it ever did ask
    "do we have this object", I actually think the right answer would be
    "yes").

    But if this is a concern, we could perhaps have two levels of flags:
    SKIP_CACHED and SKIP_INTERNAL.

 builtin/rev-list.c           |  2 +-
 t/t1060-object-corruption.sh | 10 ++++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/builtin/rev-list.c b/builtin/rev-list.c
index 49d6deed70..877b6561f4 100644
--- a/builtin/rev-list.c
+++ b/builtin/rev-list.c
@@ -237,7 +237,7 @@ static inline void finish_object__ma(struct object *obj)
 static int finish_object(struct object *obj, const char *name, void *cb_data)
 {
 	struct rev_list_info *info = cb_data;
-	if (!has_object_file(&obj->oid)) {
+	if (oid_object_info_extended(the_repository, &obj->oid, NULL, 0) < 0) {
 		finish_object__ma(obj);
 		return 1;
 	}
diff --git a/t/t1060-object-corruption.sh b/t/t1060-object-corruption.sh
index ac1f189fd2..807b63b473 100755
--- a/t/t1060-object-corruption.sh
+++ b/t/t1060-object-corruption.sh
@@ -125,4 +125,14 @@ test_expect_success 'fetch into corrupted repo with index-pack' '
 	)
 '
 
+test_expect_success 'internal tree objects are not "missing"' '
+	git init missing-empty &&
+	(
+		cd missing-empty &&
+		empty_tree=$(git hash-object -t tree /dev/null) &&
+		commit=$(echo foo | git commit-tree $empty_tree) &&
+		git rev-list --objects $commit
+	)
+'
+
 test_done
-- 
2.21.0.684.gc9dc8b89c9

Re: [PATCH] rev-list: allow cached objects in existence check

[Jonathan Tan]

> This patch makes the minimal fix, which is to swap out a direct call to
> oid_object_info_extended(), minus the SKIP_CACHED flag, instead of
> calling has_object_file(). This is all that has_object_file() is doing
> under the hood. And there's little danger of unrelated fallout from
> other unexpected "cached" objects, since there's only one call site that
> ends such a cached object, and it's in git-blame.

Thanks - this patch looks good to me.

> I think we might also consider just having has_object_file() respect
> cached objects. The SKIP_CACHED flag comes from Jonathan Tan's
> e83e71c5e1 (sha1_file: refactor has_sha1_file_with_flags, 2017-06-21).
> But it was just matching the old behavior; it's not clear to me that we
> particularly care about that, and it wasn't simply that nobody bothered
> to put the cached-object check into has_sha1_file().

Making has_object_file() respect cached objects sounds good to me too.

> Some concerns/arguments against it:
> 
>   - we probably would want to make sure we do not short-cut
>     write_sha1_file(). I.e., we should still write it to disk when
>     somebody wants it. But I think that works, because that function
>     uses its own check-and-freshen infrastructure.

write_object_file() (formerly write_sha1_file()) indeed uses its own
check-and-freshen mechanism.

>   - some callers of has_sha1_file() might care about durability between
>     processes. Because it's baked in, the empty tree is safe for that
>     (whatever follow-on process runs, it will also be baked in there).
>     But that's not necessarily true for other "cached" objects. I'm not
>     really that worried about it because we use it sparingly (the only
>     call to pretend_sha1_file() is in git-blame, and if it ever did ask
>     "do we have this object", I actually think the right answer would be
>     "yes").
> 
>     But if this is a concern, we could perhaps have two levels of flags:
>     SKIP_CACHED and SKIP_INTERNAL.

Or teach git-blame to have its own pretend mechanism, and remove the
pretend mechanism from sha1-file.c.

The last time I deeply thought of this was during the partial clone
implementation, so I am probably not completely up-to-date, but it seems
to me that ideally, for reading, we would remove SKIP_CACHED completely
(and always consult the cache), and also remove completely the ability
to pretend (blame will have to do it by itself); and for writing, we
would write the empty tree whenever we do now (for backwards
compatibility with old versions of Git that read what we write). Both
the approach in this patch and making has_object_file() respect cached
objects are steps in that direction, so I'm OK with both.

Re: [PATCH] rev-list: allow cached objects in existence check

[Jeff King]

On Mon, Mar 04, 2019 at 11:19:32AM -0800, Jonathan Tan wrote:

> >   - some callers of has_sha1_file() might care about durability between
> >     processes. Because it's baked in, the empty tree is safe for that
> >     (whatever follow-on process runs, it will also be baked in there).
> >     But that's not necessarily true for other "cached" objects. I'm not
> >     really that worried about it because we use it sparingly (the only
> >     call to pretend_sha1_file() is in git-blame, and if it ever did ask
> >     "do we have this object", I actually think the right answer would be
> >     "yes").
> > 
> >     But if this is a concern, we could perhaps have two levels of flags:
> >     SKIP_CACHED and SKIP_INTERNAL.
> 
> Or teach git-blame to have its own pretend mechanism, and remove the
> pretend mechanism from sha1-file.c.

I think that would be ideal, but I'm not sure if it's feasible due to
the layering of the various modules. IOW, the blame code isn't just
pretending a fake object file for _itself_, it needs to then call into
the diff code, which must be able to then find that content in order to
produce a diff.

But maybe it is not so bad. Our diff_filespec struct does represent
working-tree files (as it must, since we diff them!). So it may be
possible to feed it to the diff code at the right spot.

I haven't looked closely enough to say for sure whether it's feasible or
not. But it does imply to me that we should go with this regression fix
in the near-term and think about building bigger changes separately on
master.

> The last time I deeply thought of this was during the partial clone
> implementation, so I am probably not completely up-to-date, but it seems
> to me that ideally, for reading, we would remove SKIP_CACHED completely
> (and always consult the cache), and also remove completely the ability
> to pretend (blame will have to do it by itself); and for writing, we
> would write the empty tree whenever we do now (for backwards
> compatibility with old versions of Git that read what we write). Both
> the approach in this patch and making has_object_file() respect cached
> objects are steps in that direction, so I'm OK with both.

Yeah, I think our world-views are in accord. :)

-Peff

Re: [PATCH] rev-list: allow cached objects in existence check

[Junio C Hamano]

Jeff King <peff@peff.net> writes:

> This fixes a regression in 7c0fe330d5 (rev-list: handle missing tree
> objects properly, 2018-10-05) where rev-list will now complain about the
> empty tree when it doesn't physically exist on disk.
>
> Before that commit, we relied on the traversal code in list-objects.c to
> walk through the trees. Since it uses parse_tree(), we'd do a normal
> object lookup that includes looking in the set of "cached" objects
> (which is where our magic internal empty-tree kicks in).
>
> After that commit, we instead tell list-objects.c not to die on any
> missing trees, and we check them ourselves using has_object_file(). But
> that function uses OBJECT_INFO_SKIP_CACHED, which means we won't use our
> internal empty tree.

Yikes.  Thanks for spotting.

> This patch makes the minimal fix, which is to swap out a direct call to
> oid_object_info_extended(), minus the SKIP_CACHED flag, instead of
> calling has_object_file(). This is all that has_object_file() is doing
> under the hood. And there's little danger of unrelated fallout from
> other unexpected "cached" objects, since there's only one call site that
> ends such a cached object, and it's in git-blame.

OK.  That last one is not even "cached" but "merely exists in-core"
virtual commit, that represents the locally modified state, right?
I do not think rev-list ever asks if these object exist, but if they
were asked, we should say they also exist.

> Signed-off-by: Jeff King <peff@peff.net>
> ---
> I prepared this directly on top of 7c0fe330d5, but it should merge
> cleanly into the current tip of master.
>
> I think we might also consider just having has_object_file() respect
> cached objects. The SKIP_CACHED flag comes from Jonathan Tan's
> e83e71c5e1 (sha1_file: refactor has_sha1_file_with_flags, 2017-06-21).
> But it was just matching the old behavior; it's not clear to me that we
> particularly care about that, and it wasn't simply that nobody bothered
> to put the cached-object check into has_sha1_file().

Yup, I am fine with such a clean-up after we fix this regression.

> Some concerns/arguments against it:
>
>   - we probably would want to make sure we do not short-cut
>     write_sha1_file(). I.e., we should still write it to disk when
>     somebody wants it. But I think that works, because that function
>     uses its own check-and-freshen infrastructure.
>
>   - some callers of has_sha1_file() might care about durability between
>     processes. Because it's baked in, the empty tree is safe for that
>     (whatever follow-on process runs, it will also be baked in there).
>     But that's not necessarily true for other "cached" objects. I'm not
>     really that worried about it because we use it sparingly (the only
>     call to pretend_sha1_file() is in git-blame, and if it ever did ask
>     "do we have this object", I actually think the right answer would be
>     "yes").

... and I realize that I should have read ahead before writing the
four lines above myself ;-)  We are on the same page.

>     But if this is a concern, we could perhaps have two levels of flags:
>     SKIP_CACHED and SKIP_INTERNAL.
>
>  builtin/rev-list.c           |  2 +-
>  t/t1060-object-corruption.sh | 10 ++++++++++
>  2 files changed, 11 insertions(+), 1 deletion(-)
>
> diff --git a/builtin/rev-list.c b/builtin/rev-list.c
> index 49d6deed70..877b6561f4 100644
> --- a/builtin/rev-list.c
> +++ b/builtin/rev-list.c
> @@ -237,7 +237,7 @@ static inline void finish_object__ma(struct object *obj)
>  static int finish_object(struct object *obj, const char *name, void *cb_data)
>  {
>  	struct rev_list_info *info = cb_data;
> -	if (!has_object_file(&obj->oid)) {
> +	if (oid_object_info_extended(the_repository, &obj->oid, NULL, 0) < 0) {
>  		finish_object__ma(obj);
>  		return 1;
>  	}
> diff --git a/t/t1060-object-corruption.sh b/t/t1060-object-corruption.sh
> index ac1f189fd2..807b63b473 100755
> --- a/t/t1060-object-corruption.sh
> +++ b/t/t1060-object-corruption.sh
> @@ -125,4 +125,14 @@ test_expect_success 'fetch into corrupted repo with index-pack' '
>  	)
>  '
>  
> +test_expect_success 'internal tree objects are not "missing"' '
> +	git init missing-empty &&
> +	(
> +		cd missing-empty &&
> +		empty_tree=$(git hash-object -t tree /dev/null) &&
> +		commit=$(echo foo | git commit-tree $empty_tree) &&
> +		git rev-list --objects $commit
> +	)
> +'
> +
>  test_done

Re: [PATCH] rev-list: allow cached objects in existence check

[Junio C Hamano]

Jeff King <peff@peff.net> writes:

>> Or teach git-blame to have its own pretend mechanism, and remove the
>> pretend mechanism from sha1-file.c.
>
> I think that would be ideal, but I'm not sure if it's feasible due to
> the layering of the various modules.

Sorry, but I do not get why we want command-line specific pretend
mechanism.  When one part of the system wants to behave as if object
X exists, doesn't that part want other parts of the system to share
that same world view to be consistent?

I am mostly reacting to "would be _ideal_"; if it were "if we have
per-system ad-hoc pretend mechanism, things like this and that would
become easier to implement, even though that is an ugly hack", I may
agree when I see examples of things that get easier, though.

Re: [PATCH] rev-list: allow cached objects in existence check

[Jeff King]

On Tue, Mar 05, 2019 at 10:33:13PM +0900, Junio C Hamano wrote:

> Jeff King <peff@peff.net> writes:
> 
> >> Or teach git-blame to have its own pretend mechanism, and remove the
> >> pretend mechanism from sha1-file.c.
> >
> > I think that would be ideal, but I'm not sure if it's feasible due to
> > the layering of the various modules.
> 
> Sorry, but I do not get why we want command-line specific pretend
> mechanism.  When one part of the system wants to behave as if object
> X exists, doesn't that part want other parts of the system to share
> that same world view to be consistent?
> 
> I am mostly reacting to "would be _ideal_"; if it were "if we have
> per-system ad-hoc pretend mechanism, things like this and that would
> become easier to implement, even though that is an ugly hack", I may
> agree when I see examples of things that get easier, though.

The problem is that it's not clear how each of those other parts of the
system should react to these pretend objects. E.g., they probably should
_not_ be used in any operation that might write, since we would not want
to create a permanent object that points to an ephemeral one.

By sticking this in sha1-file.c, it becomes hard to know who will access
them, or with what expectations. Things work right now because we use
the feature sparingly (and only from a process that's purely read-only).
But we're at risk of somebody later misusing it, especially if we spread
its use to more functions like has_object_file().  If this were local to
git-blame, then that risk goes away.

So that's what I meant by "ideal".

I don't think it makes anything easier (in fact, after looking, I think
it makes things in git-blame much harder, to the point that I am not
planning to work on it anytime soon).

-Peff