Re: Bug report: orphaned pack-objects after killing upload-pack on [

Am 27.11.20 um 05:17 schrieb Jeff King:
> On Thu, Nov 26, 2020 at 09:04:35PM +0100, René Scharfe wrote:
>
>> Before I could submit that one (or something similar) formally, I'd need
>> to understand what's happening here a lot better and witness the effect
>> of the patch.
>>
>> I understand that the main benefit of stopping the child upon
>> termination of the parent is to avoid using CPU cycles on a heavy task
>> whose results will just go to waste.  But wouldn't the orphaned child
>> then become a zombie?  Init would reap it eventually, but are there
>> perhaps init-less deployments (containerized daemon?) where such
>> zombies could pile up?
>
> I think an init-less deployment like that is already broken. If we
> encounter any error at all in upload-pack we may quit without reaping
> all of our children. And this could never be protected against entirely;
> we could be killed by SIGSEGV, SIGKILL, etc.

That might be true, but it might still be usable if the rate of zombie
production is low enough.  And reducing it slightly might still help by
increasing the time between container restarts.  Segfaults should be
very rare, and people using kill -9 can clean up after themselves.

> My understanding is container deployments often have a tiny pid-1 init
> that takes care of zombie processes like this (but it's not something
> I've dealt with much myself).

True, e.g. https://github.com/krallin/tini, which is built into newer
Docker releases already.  So this problem is real and has an (optional)
solution.

OK, so overall the situation sounds a bit messy to me and perhaps
there's room for improvement, but I agree now that we can leave the
specialists (init, tini) to deal with our zombies.

>> For a test, winning the race condition should be easy if we cheat by
>> letting the child loop forever.  But I struggle even with the most
>> basic task: Making upload-pack invoked by clone call pack-objects.
>> (Feeling a bit silly.)
>
> Here's an easy reproduction. On a clone of something large-ish (by
> number of objects) like linux.git:
>
>   - make sure you don't have bitmaps on (since they make the enumerating
>     phase go quickly). For linux.git it takes ~30s or so to walk the
>     whole graph on my machine.
>
>   - run "git clone --no-local -q . dst"; the "-q" is important because
>     if pack-objects is writing progress to upload-pack (to get
>     multiplexed over the sideband to the client), then it will notice
>     pretty quickly the failure to write to stderr
>
>   - kill just upload-pack with "pkill git-upload-pack" or whatever you
>     like
>
>   - run "ps au | grep pack-objects" (or just "top") to see pack-objects
>     chugging on 100% CPU (and consuming 1GB+ of RAM)
>
> With the patch adding clean_on_exit, that last step turns up nothing.

I was missing --no-local, d'oh!

To win the race consistently I used this:

-- >8 --

diff --git a/run-command.c b/run-command.c
index ea4d0fb4b1..a6bf0a86dd 100644
--- a/run-command.c
+++ b/run-command.c
@@ -672,6 +672,19 @@ int start_command(struct child_process *cmd)
 	int failed_errno;
 	char *str;

+	const char *loop_argv[] = { "while :; do sleep 1; done", NULL };
+	const char *fail_cmd = getenv("GIT_DEBUG_ABANDON_CHILD");
+	const char *argv0 = cmd->argv ? cmd->argv[0] : cmd->args.v[0];
+	int fail = fail_cmd && starts_with(argv0, fail_cmd);
+
+	if (fail) {
+		fprintf(stderr, "starting endless loop instead of %s\n",
+			cmd->argv ? cmd->argv[0] : cmd->args.v[0]);
+		cmd->argv = loop_argv;
+		cmd->use_shell = 1;
+		cmd->git_cmd = 0;
+	}
+
 	if (!cmd->argv)
 		cmd->argv = cmd->args.v;
 	if (!cmd->env)
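
Review bot: argv0 is passed to starts_with() without a NULL check, and the fprintf() call then repeats "cmd->argv ? cmd->argv[0] : cmd->args.v[0]" instead of reusing argv0. Suggest "int fail = fail_cmd && argv0 && starts_with(argv0, fail_cmd);" and printing argv0. Because the match is a prefix test, GIT_DEBUG_ABANDON_CHILD=git-upload-pack also triggers for any longer command name that starts with that string, and because the variable is consulted on every start_command() call, the hook should stay a local debugging aid or be restricted to test runs before anything like it is merged.
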
@@ -982,6 +995,9 @@ int start_command(struct child_process *cmd)
 	else if (cmd->err)
 		close(cmd->err);

+	if (fail)
+		die("abandoning child %"PRIuMAX"\n", (uintmax_t)cmd->pid);
+
 	return 0;
 }


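Review bot: the die() format string ends in "\n", but die() already terminates its message with a newline, so this prints an extra blank line; drop the "\n". The check also depends on "fail" from the first hunk, so the two hunks only make sense applied together, which is worth saying in a comment if this is ever turned into a test helper.
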
--- 8< ---

We could build tests that always win (or lose, based on your
perspective) the race condition based on that.  Turning on clean_on_exit
is such a no-brainer that I don't see the need for one, though.

> Now the situation above is probably pretty rare. Nobody is usually going
> to kill upload-pack specifically. The more common case is when
> upload-pack realizes that the client (or the network) has gone away,
> because it tries to write and finds the connection gone. But what is it
> writing? Most of the time it's stuff from pack-objects! So in the normal
> case, pack-objects is continually writing either data or progress
> reports, so it would notice for its next write.
>
> But again, a client asking for no progress is a problem. upload-pack
> will be sending keepalives every 5s or so, so it will notice client
> death then. But pack-objects will keep running, not generating any
> output until it starts spewing the pack.
>
> So you could probably make the scenario above a bit more realistic by
> killing the parent git-clone process. But don't use ^C; that will send
> SIGINT to all of the processes. Simulate a network failure by killing
> the "git clone" process specifically. This shows the same problem, and
> the same improvement after the patch (though remember it may take up to
> 5 seconds for upload-pack to send a keepalive and notice the problem).

With the debug patch above and GIT_DEBUG_ABANDON_CHILD=git-upload-pack I
need the following patch to get rid of the spawned process:

--- >8 ---

diff --git a/connect.c b/connect.c
index 8b8f56cf6d..e1b1b73ef5 100644
--- a/connect.c
+++ b/connect.c
@@ -1369,6 +1369,7 @@ struct child_process *git_connect(int fd[2], const char *url,

 		conn->use_shell = 1;
 		conn->in = conn->out = -1;
+		conn->clean_on_exit = 1;
 		if (protocol == PROTO_SSH) {
 			char *ssh_host = hostandport;
 			const char *port = NULL;
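
Review bot: clean_on_exit is set before the "if (protocol == PROTO_SSH)" branch, so it applies to the ssh child as well as to a locally spawned upload-pack, and nothing in the hunk says that this is intended. A one-line comment stating why the connection helper is stopped when the parent exits would help, ideally together with a test built on the GIT_DEBUG_ABANDON_CHILD hook shown earlier in this mail.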

--- 8< ---

So is there a downside to clean_on_exit?  It doesn't make sense when we
start browsers or pagers, but for hooks and helpers (which are probably
the majority of started processes) cascading program termination makes
sense, no?

René
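
The cascading termination discussed in this message, as an added C example that is not part of the original mail and is not git's run-command.c code: a parent is terminated with SIGTERM while its worker never writes anything, once without and once with a cleanup handler. All function and variable names are hypothetical.

```c
/* Added illustration; not git's run-command.c. All names are hypothetical. */
#include <signal.h>
#include <sys/wait.h>
#include <unistd.h>

static pid_t tracked_child; /* worker to stop when the parent is terminated */
/* Uses only async-signal-safe calls: kill, waitpid, signal, raise. */
static void cleanup_on_signal(int sig)
{
	if (tracked_child > 0 && kill(tracked_child, SIGTERM) == 0)
		waitpid(tracked_child, NULL, 0); /* reap it: no zombie left */
	signal(sig, SIG_DFL);
	raise(sig); /* then die from the original signal */
}

/* Start a "parent" (think upload-pack) with a silent worker (think
 * pack-objects), SIGTERM the parent only, and report the worker's fate:
 * 1 = orphan kept running, 0 = worker gone, -1 = setup error. */
int worker_survives_parent(int clean_on_exit)
{
	int fds[2], got;
	pid_t parent, worker = -1;
	if (pipe(fds) < 0 || (parent = fork()) < 0)
		return -1;
	if (parent == 0) {
		close(fds[0]);
		tracked_child = fork();
		if (tracked_child == 0) {
			close(fds[1]);
			for (;;) pause(); /* never writes, so never sees EPIPE */
		}
		if (clean_on_exit)
			signal(SIGTERM, cleanup_on_signal);
		if (tracked_child < 0 || write(fds[1], &tracked_child, sizeof(tracked_child)) < 0)
			_exit(1);
		for (;;) pause();
	}
	close(fds[1]);
	got = (int)read(fds[0], &worker, sizeof(worker));
	close(fds[0]);
	kill(parent, SIGTERM); /* like "pkill git-upload-pack" in the thread */
	waitpid(parent, NULL, 0);
	if (got != (int)sizeof(worker) || worker <= 0)
		return -1;
	if (kill(worker, 0) != 0)
		return 0; /* worker was stopped and reaped by the parent */
	kill(worker, SIGKILL); /* do not leave the demo orphan running */
	return 1;
}
```

A parent killed with SIGKILL cannot run any handler, so the worker would survive in that case regardless of the flag.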
