On 2024.10.29 14:11, Jonathan Tan wrote:
> When fetching, there is a step in which sought objects are first checked
> against the local repository; only objects that are not in the local
> repository are then fetched. This check first looks up the commit graph
> file, and returns "present" if the object is in there.
>
> However, the action of first looking up the commit graph file is not
> done everywhere in Git, especially if the type of the object at the time
> of lookup is not known. This means that in a repo corruption situation,
> a user may encounter an "object missing" error, attempt to fetch it, and
> still encounter the same error later when they reattempt their original
> action, because the object is present in the commit graph file but not in
> the object DB.
>
> Therefore, detect when this occurs and print a warning. (Note that
> we cannot proceed to include this object in the list of objects to
> be fetched without changing at least the fetch negotiation code:
> what would happen is that the client will send "want X" and "have X"
> and when I tested at $DAYJOB with a work server that uses JGit, the
> server reasonably returned an empty packfile. And changing the fetch
> negotiation code to only use the object DB when deciding what to report
> as "have" would be an unnecessary slowdown, I think.)
>
> This was discovered when a lazy fetch of a missing commit completed with
> nothing actually fetched, and the writing of the commit graph file after
> every fetch then attempted to read said missing commit, triggering a
> lazy fetch of said missing commit, resulting in an infinite loop with no
> user-visible indication (until they check the list of processes running
> on their computer). With this fix, at least a warning message will be
> printed. Note that although the repo corruption we discovered was caused
> by a bug in GC in a partial clone, the behavior that this patch teaches
> Git to warn about applies to any repo with commit graph enabled and with
> a missing commit, whether it is a partial clone or not.
>
> Signed-off-by: Jonathan Tan <jonathantanmy@xxxxxxxxxx>
> ---
> fetch-pack.c | 22 +++++++++++++++++++---
> object.h | 2 +-
> 2 files changed, 20 insertions(+), 4 deletions(-)
>
> diff --git a/fetch-pack.c b/fetch-pack.c
> index 6728a0d2f5..5a0020366b 100644
> --- a/fetch-pack.c
> +++ b/fetch-pack.c
> @@ -57,6 +57,7 @@ static struct string_list uri_protocols = STRING_LIST_INIT_DUP;
> #define ALTERNATE (1U << 1)
> #define COMMON (1U << 6)
> #define REACH_SCRATCH (1U << 7)
> +#define COMPLETE_FROM_COMMIT_GRAPH (1U << 8)
We're defining a new flag, and we note it in object.h as well below, so
looks good so far.
> /*
> * After sending this many "have"s if we do not get any new ACK , we
> @@ -123,15 +124,18 @@ static void for_each_cached_alternate(struct fetch_negotiator *negotiator,
> }
>
> static struct commit *deref_without_lazy_fetch(const struct object_id *oid,
> - int mark_tags_complete)
> + int mark_additional_complete_information)
We're already marking some completion flags here, so we're just making
the parameter name more descriptive, OK.
> {
> enum object_type type;
> struct object_info info = { .typep = &type };
> struct commit *commit;
>
> commit = lookup_commit_in_graph(the_repository, oid);
> - if (commit)
> + if (commit) {
> + if (mark_additional_complete_information)
> + commit->object.flags |= COMPLETE_FROM_COMMIT_GRAPH;
> return commit;
> + }
We already have a case where we're checking the commit graph, so we can
also mark the commit complete here... well, not the original "COMPLETE"
flag since we don't want to change behavior, but our new
COMPLETE_FROM_COMMIT_GRAPH flag. Sounds good.
>
> while (1) {
> if (oid_object_info_extended(the_repository, oid, &info,
> @@ -143,7 +147,7 @@ static struct commit *deref_without_lazy_fetch(const struct object_id *oid,
>
> if (!tag->tagged)
> return NULL;
> - if (mark_tags_complete)
> + if (mark_additional_complete_information)
> tag->object.flags |= COMPLETE;
> oid = &tag->tagged->oid;
> } else {
> @@ -809,6 +813,14 @@ static void mark_complete_and_common_ref(struct fetch_negotiator *negotiator,
> save_commit_buffer = old_save_commit_buffer;
> }
>
> +static void warn_in_commit_graph_only(const struct object_id *oid)
> +{
> + warning(_("You are attempting to fetch %s, which is in the commit graph file but not in the object database."),
> + oid_to_hex(oid));
> + warning(_("This is probably due to repo corruption."));
> + warning(_("If you are attempting to repair this repo corruption by refetching the missing object, use 'git fetch --refetch' with the missing object."));
> +}
> +
Here's the new warning. As mentioned in my reply to the cover letter, I
feel like it makes more sense to die(), but I don't feel too strongly
about it.
> /*
> * Returns 1 if every object pointed to by the given remote refs is available
> * locally and reachable from a local ref, and 0 otherwise.
> @@ -830,6 +842,10 @@ static int everything_local(struct fetch_pack_args *args,
> ref->name);
> continue;
> }
> + if (o->flags & COMPLETE_FROM_COMMIT_GRAPH) {
> + if (!has_object(the_repository, remote, 0))
> + warn_in_commit_graph_only(remote);
> + }
And now that we're checking what's local, we issue our warning if we
have an object missing from the DB but mentioned in the commit graph.
Seems fine, although I wonder if it makes more sense to fail earlier. It
looks like the only place we do the
`mark_additional_complete_information` checks is in `mark_complete()`,
so should we just check this condition there? No strong feelings either
way, just curious.
> print_verbose(args, _("already have %s (%s)"), oid_to_hex(remote),
> ref->name);
> }
> diff --git a/object.h b/object.h
> index 17f32f1103..196e489253 100644
> --- a/object.h
> +++ b/object.h
> @@ -65,7 +65,7 @@ void object_array_init(struct object_array *array);
> /*
> * object flag allocation:
> * revision.h: 0---------10 15 23------27
> - * fetch-pack.c: 01 67
> + * fetch-pack.c: 01 6-8
> * negotiator/default.c: 2--5
> * walker.c: 0-2
> * upload-pack.c: 4 11-----14 16-----19
> --
> 2.47.0.163.g1226f6d8fa-goog
>
>
