upstream/mercurial-mirror Commit - r47349:e9901d01

revlog: add a mechanism to verify expected file position before appending...

revlog: add a mechanism to verify expected file position before appending If someone uses `hg debuglocks`, or some non-hg process writes to the .hg directory without respecting the locks, or if the repo's on a networked filesystem, it's possible for the revlog code to write out corrupted data. The form of this corruption can vary depending on what data was written and how that happened. We are in the "networked filesystem" case (though I've had users also do this to themselves with the "`hg debuglocks`" scenario), and most often see this with the changelog. What ends up happening is we produce two items (let's call them rev1 and rev2) in the .i file that have the same linkrev, baserev, and offset into the .d file, while the data in the .d file is appended properly. rev2's compressed_size is accurate for rev2, but when we go to decompress the data in the .d file, we use the offset that's recorded in the index file, which is the same as rev1, and attempt to decompress rev2.compressed_size bytes of rev1's data. This usually does not succeed. :) When using inline data, this also fails, though I haven't investigated why too closely. This shows up as a "patch decode" error. I believe what's happening there is that we're basically ignoring the offset field, getting the data properly, but since baserev != rev, it thinks this is a delta based on rev (instead of a full text) and can't actually apply it as such. For now, I'm going to make this an optional component and default it to entirely off. I may increase the default severity of this in the future, once I've enabled it for my users and we gain more experience with it. Luckily, most of my users have a versioned filesystem and can roll back to before the corruption has been written, it's just a hassle to do so and not everyone knows how (so it's a support burden). Users on other filesystems will not have that luxury, and this can cause them to have a corrupted repository that they are unlikely to know how to resolve, and they'll see this as a data-loss event. Refusing to create the corruption is a much better user experience. This mechanism is not perfect. There may be false-negatives (racy writes that are not detected). There should not be any false-positives (non-racy writes that are detected as such). This is not a mechanism that makes putting a repo on a networked filesystem "safe" or "supported", just *less* likely to cause corruption. Differential Revision: https://phab.mercurial-scm.org/D9952

Kyle Lippincott -

r47349:e9901d01 default

parent child

Collapse all files

mercurial/revlogutils/concurrency_checker.py

0 created 644 +38 0

			@@ -0,0 +1,38 b''
		1	from ..i18n import _
		2	from .. import error
		3
		4
		5	def get_checker(ui, revlog_name=b'changelog'):
		6	"""Get a function that checks file handle position is as expected.
		7
		8	This is used to ensure that files haven't been modified outside of our
		9	knowledge (such as on a networked filesystem, if `hg debuglocks` was used,
		10	or writes to .hg that ignored locks happened).
		11
		12	Due to revlogs supporting a concept of buffered, delayed, or diverted
		13	writes, we're allowing the files to be shorter than expected (the data may
		14	not have been written yet), but they can't be longer.
		15
		16	Please note that this check is not perfect; it can't detect all cases (there
		17	may be false-negatives/false-OKs), but it should never claim there's an
		18	issue when there isn't (false-positives/false-failures).
		19	"""
		20
		21	vpos = ui.config(b'debug', b'revlog.verifyposition.' + revlog_name)
		22	# Avoid any `fh.tell` cost if this isn't enabled.
		23	if not vpos or vpos not in [b'log', b'warn', b'fail']:
		24	return None
		25
		26	def _checker(fh, fn, expected):
		27	if fh.tell() <= expected:
		28	return
		29
		30	msg = _(b'%s: file cursor at position %d, expected %d')
		31	# Always log if we're going to warn or fail.
		32	ui.log(b'debug', msg + b'\n', fn, fh.tell(), expected)
		33	if vpos == b'warn':
		34	ui.warn((msg + b'\n') % (fn, fh.tell(), expected))
		35	elif vpos == b'fail':
		36	raise error.RevlogError(msg % (fn, fh.tell(), expected))
		37
		38	return _checker

tests/test-racy-mutations.t

0 created 644 +102 0

			@@ -0,0 +1,102 b''
		1	#testcases skip-detection fail-if-detected
		2
		3	Test situations that "should" only be reproducible:
		4	- on networked filesystems, or
		5	- user using `hg debuglocks` to eliminate the lock file, or
		6	- something (that doesn't respect the lock file) writing to the .hg directory
		7	while we're running
		8
		9	$ hg init a
		10	$ cd a
		11
		12	$ cat > "$TESTTMP/waitlock_editor.sh" <<EOF
		13	> [ -n "\${WAITLOCK_ANNOUNCE:-}" ] && touch "\${WAITLOCK_ANNOUNCE}"
		14	> f="\${WAITLOCK_FILE}"
		15	> start=\`date +%s\`
		16	> timeout=5
		17	> while [ \$ ! -f \$f \$ -a \$ ! -L \$f \$ ]; do
		18	> now=\`date +%s\`
		19	> if [ "\`expr \$now - \$start\`" -gt \$timeout ]; then
		20	> echo "timeout: \$f was not created in \$timeout seconds (it is now \$(date +%s))"
		21	> exit 1
		22	> fi
		23	> sleep 0.1
		24	> done
		25	> if [ \$# -gt 1 ]; then
		26	> cat "\$@"
		27	> fi
		28	> EOF
		29	$ chmod +x "$TESTTMP/waitlock_editor.sh"
		30
		31	Things behave differently if we don't already have a 00changelog.i file when
		32	this all starts, so let's make one.
		33
		34	$ echo r0 > r0
		35	$ hg commit -qAm 'r0'
		36
		37	Start an hg commit that will take a while
		38	$ EDITOR_STARTED="$(pwd)/.editor_started"
		39	$ MISCHIEF_MANAGED="$(pwd)/.mischief_managed"
		40	$ JOBS_FINISHED="$(pwd)/.jobs_finished"
		41
		42	#if fail-if-detected
		43	$ cat >> .hg/hgrc << EOF
		44	> [debug]
		45	> revlog.verifyposition.changelog = fail
		46	> EOF
		47	#endif
		48
		49	$ echo foo > foo
		50	$ (WAITLOCK_ANNOUNCE="${EDITOR_STARTED}" \
		51	> WAITLOCK_FILE="${MISCHIEF_MANAGED}" \
		52	> HGEDITOR="$TESTTMP/waitlock_editor.sh" \
		53	> hg commit -qAm 'r1 (foo)' --edit foo > .foo_commit_out 2>&1 ; touch "${JOBS_FINISHED}") &
		54
		55	Wait for the "editor" to actually start
		56	$ WAITLOCK_FILE="${EDITOR_STARTED}" "$TESTTMP/waitlock_editor.sh"
		57
		58	Break the locks, and make another commit.
		59	$ hg debuglocks -LW
		60	$ echo bar > bar
		61	$ hg commit -qAm 'r2 (bar)' bar
		62	$ hg debugrevlogindex -c
		63	rev linkrev nodeid p1 p2
		64	0 0 222799e2f90b 000000000000 000000000000
		65	1 1 6f124f6007a0 222799e2f90b 000000000000
		66
		67	Awaken the editor from that first commit
		68	$ touch "${MISCHIEF_MANAGED}"
		69	And wait for it to finish
		70	$ WAITLOCK_FILE="${JOBS_FINISHED}" "$TESTTMP/waitlock_editor.sh"
		71
		72	#if skip-detection
		73	(Ensure there was no output)
		74	$ cat .foo_commit_out
		75	And observe a corrupted repository -- rev 2's linkrev is 1, which should never
		76	happen for the changelog (the linkrev should always refer to itself).
		77	$ hg debugrevlogindex -c
		78	rev linkrev nodeid p1 p2
		79	0 0 222799e2f90b 000000000000 000000000000
		80	1 1 6f124f6007a0 222799e2f90b 000000000000
		81	2 1 ac80e6205bb2 222799e2f90b 000000000000
		82	#endif
		83
		84	#if fail-if-detected
		85	$ cat .foo_commit_out
		86	transaction abort!
		87	rollback completed
		88	note: commit message saved in .hg/last-message.txt
		89	note: use 'hg commit --logfile .hg/last-message.txt --edit' to reuse it
		90	abort: 00changelog.i: file cursor at position 249, expected 121
		91	And no corruption in the changelog.
		92	$ hg debugrevlogindex -c
		93	rev linkrev nodeid p1 p2
		94	0 0 222799e2f90b 000000000000 000000000000
		95	1 1 6f124f6007a0 222799e2f90b 000000000000
		96	And, because of transactions, there's none in the manifestlog either.
		97	$ hg debugrevlogindex -m
		98	rev linkrev nodeid p1 p2
		99	0 0 7b7020262a56 000000000000 000000000000
		100	1 1 ad3fe36d86d9 7b7020262a56 000000000000
		101	#endif
		102

hgext/git/__init__.py

0 +1 -1

                          return os.path.join(self.path, b'..', b'.hg', f)
                      raise NotImplementedError(b'Need to pick file for %s.' % f)
-                 def changelog(self, trypending):
+                 def changelog(self, trypending, concurrencychecker):
                      # TODO we don't have a plan for trypending in hg's git support yet
                      return gitlog.changelog(self.git, self._db)

mercurial/changelog.py

0 +5 -1

              class changelog(revlog.revlog):
-                 def __init__(self, opener, trypending=False):
+                 def __init__(self, opener, trypending=False, concurrencychecker=None):
                      """Load a changelog revlog using an opener.
                      If ``trypending`` is true, we attempt to load the index from a
                      revision) data for a transaction that hasn't been finalized yet.
                      It exists in a separate file to facilitate readers (such as
                      hooks processes) accessing data before a transaction is finalized.
+                     ``concurrencychecker`` will be passed to the revlog init function, see
+                     the documentation there.
                      """
                      if trypending and opener.exists(b'00changelog.i.a'):
                          indexfile = b'00changelog.i.a'
                          checkambig=True,
                          mmaplargeindex=True,
                          persistentnodemap=opener.options.get(b'persistent-nodemap', False),
+                         concurrencychecker=concurrencychecker,
                      )
                      if self._initempty and (self.version & 0xFFFF == revlog.REVLOGV1):

mercurial/configitems.py

0 +5 0

                  default=0,
              )
              coreconfigitem(
+                 b'debug',
+                 b'revlog.verifyposition.changelog',
+                 default=b'',
+             )
+             coreconfigitem(
                  b'defaults',
                  b'.*',
                  default=None,

mercurial/localrepo.py

0 +8 -2

                  stringutil,
              )
-             from .revlogutils import constants as revlogconst
+             from .revlogutils import (
+                 concurrency_checker as revlogchecker,
+                 constants as revlogconst,
+             )
              release = lockmod.release
              urlerr = util.urlerr
                  def changelog(self):
                      # load dirstate before changelog to avoid race see issue6303
                      self.dirstate.prefetch_parents()
-                     return self.store.changelog(txnutil.mayhavepending(self.root))
+                     return self.store.changelog(
+                         txnutil.mayhavepending(self.root),
+                         concurrencychecker=revlogchecker.get_checker(self.ui, b'changelog'),
+                     )
                  @storecache(b'00manifest.i')
                  def manifestlog(self):

mercurial/revlog.py

0 +23 0

                  If `upperboundcomp` is not None, this is the expected maximal gain from
                  compression for the data content.
+                 `concurrencychecker` is an optional function that receives 3 arguments: a
+                 file handle, a filename, and an expected position. It should check whether
+                 the current position in the file handle is valid, and log/warn/fail (by
+                 raising).
                  """
                  _flagserrorclass = error.RevlogError
                      censorable=False,
                      upperboundcomp=None,
                      persistentnodemap=False,
+                     concurrencychecker=None,
                  ):
                      """
                      create a revlog object
                      self._loadindex()
+                     self._concurrencychecker = concurrencychecker
                  def _loadindex(self):
                      mmapindexthreshold = None
                      opts = self.opener.options
                      curr = len(self)
                      prev = curr - 1
                      offset = self.end(prev)
+                     if self._concurrencychecker:
+                         if self._inline:
+                             # offset is "as if" it were in the .d file, so we need to add on
+                             # the size of the entry metadata.
+                             self._concurrencychecker(
+                                 ifh, self.indexfile, offset + curr * self._io.size
+                             )
+                         else:
+                             # Entries in the .i are a consistent size.
+                             self._concurrencychecker(
+                                 ifh, self.indexfile, curr * self._io.size
+                             )
+                             self._concurrencychecker(dfh, self.datafile, offset)
                      p1r, p2r = self.rev(p1), self.rev(p2)
                      # full versions are inserted when the needed deltas

mercurial/store.py

0 +6 -2

                      l.sort()
                      return l
-                 def changelog(self, trypending):
-                     return changelog.changelog(self.vfs, trypending=trypending)
+                 def changelog(self, trypending, concurrencychecker=None):
+                     return changelog.changelog(
+                         self.vfs,
+                         trypending=trypending,
+                         concurrencychecker=concurrencychecker,
+                     )
                  def manifestlog(self, repo, storenarrowmatch):
                      rootstore = manifest.manifestrevlog(self.vfs)

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages