File: racy-git.txt

package info (click to toggle)
git-core 1%3A1.4.4.4-4%2Betch4
  • links: PTS
  • area: main
  • in suites: etch
  • size: 6,028 kB
  • ctags: 5,446
  • sloc: ansic: 50,083; sh: 14,854; perl: 12,752; tcl: 5,714; python: 2,754; makefile: 981; lisp: 977; asm: 219
file content (193 lines) | stat: -rw-r--r-- 8,598 bytes parent folder | download | duplicates (2)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
Use of index and Racy git problem
=================================

Background
----------

The index is one of the most important data structure in git.
It represents a virtual working tree state by recording list of
paths and their object names and serves as a staging area to
write out the next tree object to be committed.  The state is
"virtual" in the sense that it does not necessarily have to, and
often does not, match the files in the working tree.

There are cases git needs to examine the differences between the
virtual working tree state in the index and the files in the
working tree.  The most obvious case is when the user asks `git
diff` (or its low level implementation, `git diff-files`) or
`git-ls-files --modified`.  In addition, git internally checks
if the files in the working tree is different from what are
recorded in the index to avoid stomping on local changes in them
during patch application, switching branches, and merging.

In order to speed up this comparison between the files in the
working tree and the index entries, the index entries record the
information obtained from the filesystem via `lstat(2)` system
call when they were last updated.  When checking if they differ,
git first runs `lstat(2)` on the files and compare the result
with this information (this is what was originally done by the
`ce_match_stat()` function, which the current code does in
`ce_match_stat_basic()` function).  If some of these "cached
stat information" fields do not match, git can tell that the
files are modified without even looking at their contents.

Note: not all members in `struct stat` obtained via `lstat(2)`
are used for this comparison.  For example, `st_atime` obviously
is not useful.  Currently, git compares the file type (regular
files vs symbolic links) and executable bits (only for regular
files) from `st_mode` member, `st_mtime` and `st_ctime`
timestamps, `st_uid`, `st_gid`, `st_ino`, and `st_size` members.
With a `USE_STDEV` compile-time option, `st_dev` is also
compared, but this is not enabled by default because this member
is not stable on network filesystems.  With `USE_NSEC`
compile-time option, `st_mtim.tv_nsec` and `st_ctim.tv_nsec`
members are also compared, but this is not enabled by default
because the value of this member becomes meaningless once the
inode is evicted from the inode cache on filesystems that do not
store it on disk.


Racy git
--------

There is one slight problem with the optimization based on the
cached stat information.  Consider this sequence:

  $ git update-index 'foo'
  : modify 'foo' in-place without changing its size

The first `update-index` computes the object name of the
contents of file `foo` and updates the index entry for `foo`
along with the `struct stat` information.  If the modification
that follows it happens very fast so that the file's `st_mtime`
timestamp does not change, after this sequence, the cached stat
information the index entry records still exactly match what you
can obtain from the filesystem, but the file `foo` is modified.
This way, git can incorrectly think files in the working tree
are unmodified even though they actually are.  This is called
the "racy git" problem (discovered by Pasky), and the entries
that appear clean when they may not be because of this problem
are called "racily clean".

To avoid this problem, git does two things:

. When the cached stat information says the file has not been
  modified, and the `st_mtime` is the same as (or newer than)
  the timestamp of the index file itself (which is the time `git
  update-index foo` finished running in the above example), it
  also compares the contents with the object registered in the
  index entry to make sure they match.

. When the index file is updated that contains racily clean
  entries, cached `st_size` information is truncated to zero
  before writing a new version of the index file.

Because the index file itself is written after collecting all
the stat information from updated paths, `st_mtime` timestamp of
it is usually the same as or newer than any of the paths the
index contains.  And no matter how quick the modification that
follows `git update-index foo` finishes, the resulting
`st_mtime` timestamp on `foo` cannot get the timestamp earlier
than the index file.  Therefore, index entries that can be
racily clean are limited to the ones that have the same
timestamp as the index file itself.

The callers that want to check if an index entry matches the
corresponding file in the working tree continue to call
`ce_match_stat()`, but with this change, `ce_match_stat()` uses
`ce_modified_check_fs()` to see if racily clean ones are
actually clean after comparing the cached stat information using
`ce_match_stat_basic()`.

The problem the latter solves is this sequence:

  $ git update-index 'foo'
  : modify 'foo' in-place without changing its size
  : wait for enough time
  $ git update-index 'bar'

Without the latter, the timestamp of the index file gets a newer
value, and falsely clean entry `foo` would not be caught by the
timestamp comparison check done with the former logic anymore.
The latter makes sure that the cached stat information for `foo`
would never match with the file in the working tree, so later
checks by `ce_match_stat_basic()` would report the index entry
does not match the file and git does not have to fall back on more
expensive `ce_modified_check_fs()`.


Runtime penalty
---------------

The runtime penalty of falling back to `ce_modified_check_fs()`
from `ce_match_stat()` can be very expensive when there are many
racily clean entries.  An obvious way to artificially create
this situation is to give the same timestamp to all the files in
the working tree in a large project, run `git update-index` on
them, and give the same timestamp to the index file:

  $ date >.datestamp
  $ git ls-files | xargs touch -r .datestamp
  $ git ls-files | git update-index --stdin
  $ touch -r .datestamp .git/index

This will make all index entries racily clean.  The linux-2.6
project, for example, there are over 20,000 files in the working
tree.  On my Athron 64X2 3800+, after the above:

  $ /usr/bin/time git diff-files
  1.68user 0.54system 0:02.22elapsed 100%CPU (0avgtext+0avgdata 0maxresident)k
  0inputs+0outputs (0major+67111minor)pagefaults 0swaps
  $ git update-index MAINTAINERS
  $ /usr/bin/time git diff-files
  0.02user 0.12system 0:00.14elapsed 100%CPU (0avgtext+0avgdata 0maxresident)k
  0inputs+0outputs (0major+935minor)pagefaults 0swaps

Running `git update-index` in the middle checked the racily
clean entries, and left the cached `st_mtime` for all the paths
intact because they were actually clean (so this step took about
the same amount of time as the first `git diff-files`).  After
that, they are not racily clean anymore but are truly clean, so
the second invocation of `git diff-files` fully took advantage
of the cached stat information.


Avoiding runtime penalty
------------------------

In order to avoid the above runtime penalty, the recent "master"
branch (post 1.4.2) has a code that makes sure the index file
gets timestamp newer than the youngest files in the index when
there are many young files with the same timestamp as the
resulting index file would otherwise would have by waiting
before finishing writing the index file out.

I suspect that in practice the situation where many paths in the
index are all racily clean is quite rare.  The only code paths
that can record recent timestamp for large number of paths I
know of are:

. Initial `git add .` of a large project.

. `git checkout` of a large project from an empty index into an
  unpopulated working tree.

Note: switching branches with `git checkout` keeps the cached
stat information of existing working tree files that are the
same between the current branch and the new branch, which are
all older than the resulting index file, and they will not
become racily clean.  Only the files that are actually checked
out can become racily clean.

In a large project where raciness avoidance cost really matters,
however, the initial computation of all object names in the
index takes more than one second, and the index file is written
out after all that happens.  Therefore the timestamp of the
index file will be more than one seconds later than the the
youngest file in the working tree.  This means that in these
cases there actually will not be any racily clean entry in
the resulting index.

So in summary I think we should not worry about avoiding the
runtime penalty and get rid of the "wait before finishing
writing" code out.