2006-12-19 09:23:12 +01:00
|
|
|
#include "builtin.h"
|
2017-06-14 20:07:36 +02:00
|
|
|
#include "config.h"
|
2014-10-01 12:28:42 +02:00
|
|
|
#include "lockfile.h"
|
2018-05-16 01:42:15 +02:00
|
|
|
#include "object-store.h"
|
2018-06-29 03:21:51 +02:00
|
|
|
#include "repository.h"
|
2006-12-19 09:23:12 +01:00
|
|
|
#include "commit.h"
|
|
|
|
#include "refs.h"
|
|
|
|
#include "dir.h"
|
2006-12-22 09:46:33 +01:00
|
|
|
#include "tree-walk.h"
|
reflog expire --fix-stale
The logic in an earlier round to detect reflog entries that
point at a broken commit was not sufficient. Just like we do
not trust presense of a commit during pack transfer (we trust
only our refs), we should not trust a commit's presense, even if
the tree of that commit is complete.
A repository that had reflog enabled on some of the refs that
was rewound and then run git-repack or git-prune from older
versions of git can have reflog entries that point at a commit
that still exist but lack commits (or trees and blobs needed for
that commit) between it and some commit that is reachable from
one of the refs.
This revamps the logic -- the definition of "broken commit"
becomes: a commit that is not reachable from any of the refs and
there is a missing object among the commit, tree, or blob
objects reachable from it that is not reachable from any of the
refs. Entries in the reflog that refer to such a commit are
expired.
Since this computation involves traversing all the reachable
objects, i.e. it has the same cost as 'git prune', it is enabled
only when a new option --fix-stale. Fortunately, once this is
run, we should not have to ever worry about missing objects,
because the current prune and pack-objects know about reflogs
and protect objects referred by them.
Unfortunately, this will be absolutely necessary to help people
migrate to the newer prune and repack.
Signed-off-by: Junio C Hamano <junkio@cox.net>
2007-01-06 11:16:19 +01:00
|
|
|
#include "diff.h"
|
|
|
|
#include "revision.h"
|
|
|
|
#include "reachable.h"
|
2018-10-21 10:08:59 +02:00
|
|
|
#include "worktree.h"
|
reflog expire --fix-stale
The logic in an earlier round to detect reflog entries that
point at a broken commit was not sufficient. Just like we do
not trust presense of a commit during pack transfer (we trust
only our refs), we should not trust a commit's presense, even if
the tree of that commit is complete.
A repository that had reflog enabled on some of the refs that
was rewound and then run git-repack or git-prune from older
versions of git can have reflog entries that point at a commit
that still exist but lack commits (or trees and blobs needed for
that commit) between it and some commit that is reachable from
one of the refs.
This revamps the logic -- the definition of "broken commit"
becomes: a commit that is not reachable from any of the refs and
there is a missing object among the commit, tree, or blob
objects reachable from it that is not reachable from any of the
refs. Entries in the reflog that refer to such a commit are
expired.
Since this computation involves traversing all the reachable
objects, i.e. it has the same cost as 'git prune', it is enabled
only when a new option --fix-stale. Fortunately, once this is
run, we should not have to ever worry about missing objects,
because the current prune and pack-objects know about reflogs
and protect objects referred by them.
Unfortunately, this will be absolutely necessary to help people
migrate to the newer prune and repack.
Signed-off-by: Junio C Hamano <junkio@cox.net>
2007-01-06 11:16:19 +01:00
|
|
|
|
2015-03-03 12:43:15 +01:00
|
|
|
/* NEEDSWORK: switch to using parse_options */
|
reflog expire --fix-stale
The logic in an earlier round to detect reflog entries that
point at a broken commit was not sufficient. Just like we do
not trust presense of a commit during pack transfer (we trust
only our refs), we should not trust a commit's presense, even if
the tree of that commit is complete.
A repository that had reflog enabled on some of the refs that
was rewound and then run git-repack or git-prune from older
versions of git can have reflog entries that point at a commit
that still exist but lack commits (or trees and blobs needed for
that commit) between it and some commit that is reachable from
one of the refs.
This revamps the logic -- the definition of "broken commit"
becomes: a commit that is not reachable from any of the refs and
there is a missing object among the commit, tree, or blob
objects reachable from it that is not reachable from any of the
refs. Entries in the reflog that refer to such a commit are
expired.
Since this computation involves traversing all the reachable
objects, i.e. it has the same cost as 'git prune', it is enabled
only when a new option --fix-stale. Fortunately, once this is
run, we should not have to ever worry about missing objects,
because the current prune and pack-objects know about reflogs
and protect objects referred by them.
Unfortunately, this will be absolutely necessary to help people
migrate to the newer prune and repack.
Signed-off-by: Junio C Hamano <junkio@cox.net>
2007-01-06 11:16:19 +01:00
|
|
|
static const char reflog_expire_usage[] =
|
2018-11-10 06:16:07 +01:00
|
|
|
N_("git reflog expire [--expire=<time>] "
|
|
|
|
"[--expire-unreachable=<time>] "
|
|
|
|
"[--rewrite] [--updateref] [--stale-fix] [--dry-run | -n] "
|
|
|
|
"[--verbose] [--all] <refs>...");
|
2008-02-22 22:08:59 +01:00
|
|
|
static const char reflog_delete_usage[] =
|
2018-11-10 06:16:07 +01:00
|
|
|
N_("git reflog delete [--rewrite] [--updateref] "
|
|
|
|
"[--dry-run | -n] [--verbose] <refs>...");
|
2015-07-21 23:04:53 +02:00
|
|
|
static const char reflog_exists_usage[] =
|
2018-11-10 06:16:07 +01:00
|
|
|
N_("git reflog exists <ref>");
|
2006-12-19 09:23:12 +01:00
|
|
|
|
2017-04-26 21:29:31 +02:00
|
|
|
static timestamp_t default_reflog_expire;
|
|
|
|
static timestamp_t default_reflog_expire_unreachable;
|
2006-12-27 10:47:57 +01:00
|
|
|
|
reflog expire --fix-stale
The logic in an earlier round to detect reflog entries that
point at a broken commit was not sufficient. Just like we do
not trust presense of a commit during pack transfer (we trust
only our refs), we should not trust a commit's presense, even if
the tree of that commit is complete.
A repository that had reflog enabled on some of the refs that
was rewound and then run git-repack or git-prune from older
versions of git can have reflog entries that point at a commit
that still exist but lack commits (or trees and blobs needed for
that commit) between it and some commit that is reachable from
one of the refs.
This revamps the logic -- the definition of "broken commit"
becomes: a commit that is not reachable from any of the refs and
there is a missing object among the commit, tree, or blob
objects reachable from it that is not reachable from any of the
refs. Entries in the reflog that refer to such a commit are
expired.
Since this computation involves traversing all the reachable
objects, i.e. it has the same cost as 'git prune', it is enabled
only when a new option --fix-stale. Fortunately, once this is
run, we should not have to ever worry about missing objects,
because the current prune and pack-objects know about reflogs
and protect objects referred by them.
Unfortunately, this will be absolutely necessary to help people
migrate to the newer prune and repack.
Signed-off-by: Junio C Hamano <junkio@cox.net>
2007-01-06 11:16:19 +01:00
|
|
|
struct cmd_reflog_expire_cb {
|
|
|
|
struct rev_info revs;
|
|
|
|
int stalefix;
|
2017-04-26 21:29:31 +02:00
|
|
|
timestamp_t expire_total;
|
|
|
|
timestamp_t expire_unreachable;
|
2007-10-17 03:50:45 +02:00
|
|
|
int recno;
|
reflog expire --fix-stale
The logic in an earlier round to detect reflog entries that
point at a broken commit was not sufficient. Just like we do
not trust presense of a commit during pack transfer (we trust
only our refs), we should not trust a commit's presense, even if
the tree of that commit is complete.
A repository that had reflog enabled on some of the refs that
was rewound and then run git-repack or git-prune from older
versions of git can have reflog entries that point at a commit
that still exist but lack commits (or trees and blobs needed for
that commit) between it and some commit that is reachable from
one of the refs.
This revamps the logic -- the definition of "broken commit"
becomes: a commit that is not reachable from any of the refs and
there is a missing object among the commit, tree, or blob
objects reachable from it that is not reachable from any of the
refs. Entries in the reflog that refer to such a commit are
expired.
Since this computation involves traversing all the reachable
objects, i.e. it has the same cost as 'git prune', it is enabled
only when a new option --fix-stale. Fortunately, once this is
run, we should not have to ever worry about missing objects,
because the current prune and pack-objects know about reflogs
and protect objects referred by them.
Unfortunately, this will be absolutely necessary to help people
migrate to the newer prune and repack.
Signed-off-by: Junio C Hamano <junkio@cox.net>
2007-01-06 11:16:19 +01:00
|
|
|
};
|
|
|
|
|
2014-12-12 09:56:52 +01:00
|
|
|
struct expire_reflog_policy_cb {
|
2010-04-09 22:20:02 +02:00
|
|
|
enum {
|
|
|
|
UE_NORMAL,
|
|
|
|
UE_ALWAYS,
|
|
|
|
UE_HEAD
|
|
|
|
} unreachable_expire_kind;
|
2010-04-07 20:09:12 +02:00
|
|
|
struct commit_list *mark_list;
|
|
|
|
unsigned long mark_limit;
|
2014-12-12 09:56:58 +01:00
|
|
|
struct cmd_reflog_expire_cb cmd;
|
2014-12-12 09:56:48 +01:00
|
|
|
struct commit *tip_commit;
|
|
|
|
struct commit_list *tips;
|
2006-12-19 09:23:12 +01:00
|
|
|
};
|
|
|
|
|
2008-01-26 08:53:05 +01:00
|
|
|
struct collected_reflog {
|
2017-10-16 00:06:58 +02:00
|
|
|
struct object_id oid;
|
2008-01-26 08:53:05 +01:00
|
|
|
char reflog[FLEX_ARRAY];
|
|
|
|
};
|
2014-12-12 09:56:53 +01:00
|
|
|
|
2008-01-26 08:53:05 +01:00
|
|
|
struct collect_reflog_cb {
|
|
|
|
struct collected_reflog **e;
|
|
|
|
int alloc;
|
|
|
|
int nr;
|
2018-10-21 10:08:59 +02:00
|
|
|
struct worktree *wt;
|
2008-01-26 08:53:05 +01:00
|
|
|
};
|
|
|
|
|
2018-03-06 11:16:14 +01:00
|
|
|
/* Remember to update object flag allocation in object.h */
|
2007-01-07 07:32:41 +01:00
|
|
|
#define INCOMPLETE (1u<<10)
|
|
|
|
#define STUDYING (1u<<11)
|
2009-03-31 06:34:14 +02:00
|
|
|
#define REACHABLE (1u<<12)
|
2007-01-07 07:32:41 +01:00
|
|
|
|
2017-05-07 00:10:16 +02:00
|
|
|
static int tree_is_complete(const struct object_id *oid)
|
2006-12-22 09:46:33 +01:00
|
|
|
{
|
|
|
|
struct tree_desc desc;
|
2007-01-07 07:32:41 +01:00
|
|
|
struct name_entry entry;
|
|
|
|
int complete;
|
|
|
|
struct tree *tree;
|
2006-12-22 09:46:33 +01:00
|
|
|
|
2018-06-29 03:21:56 +02:00
|
|
|
tree = lookup_tree(the_repository, oid);
|
2007-01-07 07:32:41 +01:00
|
|
|
if (!tree)
|
2006-12-22 09:46:33 +01:00
|
|
|
return 0;
|
2007-01-07 07:32:41 +01:00
|
|
|
if (tree->object.flags & SEEN)
|
|
|
|
return 1;
|
|
|
|
if (tree->object.flags & INCOMPLETE)
|
|
|
|
return 0;
|
|
|
|
|
2007-03-21 18:08:25 +01:00
|
|
|
if (!tree->buffer) {
|
2007-02-26 20:55:59 +01:00
|
|
|
enum object_type type;
|
2007-03-21 18:08:25 +01:00
|
|
|
unsigned long size;
|
sha1_file: convert read_sha1_file to struct object_id
Convert read_sha1_file to take a pointer to struct object_id and rename
it read_object_file. Do the same for read_sha1_file_extended.
Convert one use in grep.c to use the new function without any other code
change, since the pointer being passed is a void pointer that is already
initialized with a pointer to struct object_id. Update the declaration
and definitions of the modified functions, and apply the following
semantic patch to convert the remaining callers:
@@
expression E1, E2, E3;
@@
- read_sha1_file(E1.hash, E2, E3)
+ read_object_file(&E1, E2, E3)
@@
expression E1, E2, E3;
@@
- read_sha1_file(E1->hash, E2, E3)
+ read_object_file(E1, E2, E3)
@@
expression E1, E2, E3, E4;
@@
- read_sha1_file_extended(E1.hash, E2, E3, E4)
+ read_object_file_extended(&E1, E2, E3, E4)
@@
expression E1, E2, E3, E4;
@@
- read_sha1_file_extended(E1->hash, E2, E3, E4)
+ read_object_file_extended(E1, E2, E3, E4)
Signed-off-by: brian m. carlson <sandals@crustytoothpaste.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-03-12 03:27:53 +01:00
|
|
|
void *data = read_object_file(oid, &type, &size);
|
2007-01-07 07:32:41 +01:00
|
|
|
if (!data) {
|
|
|
|
tree->object.flags |= INCOMPLETE;
|
2006-12-22 09:46:33 +01:00
|
|
|
return 0;
|
|
|
|
}
|
2007-01-07 07:32:41 +01:00
|
|
|
tree->buffer = data;
|
2007-03-21 18:08:25 +01:00
|
|
|
tree->size = size;
|
2006-12-22 09:46:33 +01:00
|
|
|
}
|
2007-03-21 18:08:25 +01:00
|
|
|
init_tree_desc(&desc, tree->buffer, tree->size);
|
2007-01-07 07:32:41 +01:00
|
|
|
complete = 1;
|
|
|
|
while (tree_entry(&desc, &entry)) {
|
2019-02-07 07:05:27 +01:00
|
|
|
if (!has_object_file(&entry.oid) ||
|
2019-01-15 01:39:44 +01:00
|
|
|
(S_ISDIR(entry.mode) && !tree_is_complete(&entry.oid))) {
|
2007-01-07 07:32:41 +01:00
|
|
|
tree->object.flags |= INCOMPLETE;
|
|
|
|
complete = 0;
|
|
|
|
}
|
|
|
|
}
|
2013-06-06 00:37:39 +02:00
|
|
|
free_tree_buffer(tree);
|
2006-12-22 09:46:33 +01:00
|
|
|
|
2007-01-07 07:32:41 +01:00
|
|
|
if (complete)
|
|
|
|
tree->object.flags |= SEEN;
|
|
|
|
return complete;
|
|
|
|
}
|
reflog expire --fix-stale
The logic in an earlier round to detect reflog entries that
point at a broken commit was not sufficient. Just like we do
not trust presense of a commit during pack transfer (we trust
only our refs), we should not trust a commit's presense, even if
the tree of that commit is complete.
A repository that had reflog enabled on some of the refs that
was rewound and then run git-repack or git-prune from older
versions of git can have reflog entries that point at a commit
that still exist but lack commits (or trees and blobs needed for
that commit) between it and some commit that is reachable from
one of the refs.
This revamps the logic -- the definition of "broken commit"
becomes: a commit that is not reachable from any of the refs and
there is a missing object among the commit, tree, or blob
objects reachable from it that is not reachable from any of the
refs. Entries in the reflog that refer to such a commit are
expired.
Since this computation involves traversing all the reachable
objects, i.e. it has the same cost as 'git prune', it is enabled
only when a new option --fix-stale. Fortunately, once this is
run, we should not have to ever worry about missing objects,
because the current prune and pack-objects know about reflogs
and protect objects referred by them.
Unfortunately, this will be absolutely necessary to help people
migrate to the newer prune and repack.
Signed-off-by: Junio C Hamano <junkio@cox.net>
2007-01-06 11:16:19 +01:00
|
|
|
|
|
|
|
static int commit_is_complete(struct commit *commit)
|
|
|
|
{
|
|
|
|
struct object_array study;
|
|
|
|
struct object_array found;
|
|
|
|
int is_incomplete = 0;
|
|
|
|
int i;
|
|
|
|
|
|
|
|
/* early return */
|
|
|
|
if (commit->object.flags & SEEN)
|
|
|
|
return 1;
|
|
|
|
if (commit->object.flags & INCOMPLETE)
|
|
|
|
return 0;
|
|
|
|
/*
|
|
|
|
* Find all commits that are reachable and are not marked as
|
|
|
|
* SEEN. Then make sure the trees and blobs contained are
|
|
|
|
* complete. After that, mark these commits also as SEEN.
|
|
|
|
* If some of the objects that are needed to complete this
|
|
|
|
* commit are missing, mark this commit as INCOMPLETE.
|
|
|
|
*/
|
|
|
|
memset(&study, 0, sizeof(study));
|
|
|
|
memset(&found, 0, sizeof(found));
|
|
|
|
add_object_array(&commit->object, NULL, &study);
|
|
|
|
add_object_array(&commit->object, NULL, &found);
|
|
|
|
commit->object.flags |= STUDYING;
|
|
|
|
while (study.nr) {
|
|
|
|
struct commit *c;
|
|
|
|
struct commit_list *parent;
|
|
|
|
|
object_array: add and use `object_array_pop()`
In a couple of places, we pop objects off an object array `foo` by
decreasing `foo.nr`. We access `foo.nr` in many places, but most if not
all other times we do so read-only, e.g., as we iterate over the array.
But when we change `foo.nr` behind the array's back, it feels a bit
nasty and looks like it might leak memory.
Leaks happen if the popped element has an allocated `name` or `path`.
At the moment, that is not the case. Still, 1) the object array might
gain more fields that want to be freed, 2) a code path where we pop
might start using names or paths, 3) one of these code paths might be
copied to somewhere where we do, and 4) using a dedicated function for
popping is conceptually cleaner.
Introduce and use `object_array_pop()` instead. Release memory in the
new function. Document that popping an object leaves the associated
elements in limbo.
The converted places were identified by grepping for "\.nr\>" and
looking for "--".
Make the new function return NULL on an empty array. This is consistent
with `pop_commit()` and allows the following:
while ((o = object_array_pop(&foo)) != NULL) {
// do something
}
But as noted above, we don't need to go out of our way to avoid reading
`foo.nr`. This is probably more readable:
while (foo.nr) {
... o = object_array_pop(&foo);
// do something
}
The name of `object_array_pop()` does not quite align with
`add_object_array()`. That is unfortunate. On the other hand, it matches
`object_array_clear()`. Arguably it's `add_...` that is the odd one out,
since it reads like it's used to "add" an "object array". For that
reason, side with `object_array_clear()`.
Signed-off-by: Martin Ågren <martin.agren@gmail.com>
Reviewed-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-09-23 01:34:53 +02:00
|
|
|
c = (struct commit *)object_array_pop(&study);
|
2018-06-29 03:21:51 +02:00
|
|
|
if (!c->object.parsed && !parse_object(the_repository, &c->object.oid))
|
reflog expire --fix-stale
The logic in an earlier round to detect reflog entries that
point at a broken commit was not sufficient. Just like we do
not trust presense of a commit during pack transfer (we trust
only our refs), we should not trust a commit's presense, even if
the tree of that commit is complete.
A repository that had reflog enabled on some of the refs that
was rewound and then run git-repack or git-prune from older
versions of git can have reflog entries that point at a commit
that still exist but lack commits (or trees and blobs needed for
that commit) between it and some commit that is reachable from
one of the refs.
This revamps the logic -- the definition of "broken commit"
becomes: a commit that is not reachable from any of the refs and
there is a missing object among the commit, tree, or blob
objects reachable from it that is not reachable from any of the
refs. Entries in the reflog that refer to such a commit are
expired.
Since this computation involves traversing all the reachable
objects, i.e. it has the same cost as 'git prune', it is enabled
only when a new option --fix-stale. Fortunately, once this is
run, we should not have to ever worry about missing objects,
because the current prune and pack-objects know about reflogs
and protect objects referred by them.
Unfortunately, this will be absolutely necessary to help people
migrate to the newer prune and repack.
Signed-off-by: Junio C Hamano <junkio@cox.net>
2007-01-06 11:16:19 +01:00
|
|
|
c->object.flags |= INCOMPLETE;
|
|
|
|
|
|
|
|
if (c->object.flags & INCOMPLETE) {
|
|
|
|
is_incomplete = 1;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
else if (c->object.flags & SEEN)
|
|
|
|
continue;
|
|
|
|
for (parent = c->parents; parent; parent = parent->next) {
|
|
|
|
struct commit *p = parent->item;
|
|
|
|
if (p->object.flags & STUDYING)
|
|
|
|
continue;
|
|
|
|
p->object.flags |= STUDYING;
|
|
|
|
add_object_array(&p->object, NULL, &study);
|
|
|
|
add_object_array(&p->object, NULL, &found);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if (!is_incomplete) {
|
2007-01-07 07:32:41 +01:00
|
|
|
/*
|
|
|
|
* make sure all commits in "found" array have all the
|
reflog expire --fix-stale
The logic in an earlier round to detect reflog entries that
point at a broken commit was not sufficient. Just like we do
not trust presense of a commit during pack transfer (we trust
only our refs), we should not trust a commit's presense, even if
the tree of that commit is complete.
A repository that had reflog enabled on some of the refs that
was rewound and then run git-repack or git-prune from older
versions of git can have reflog entries that point at a commit
that still exist but lack commits (or trees and blobs needed for
that commit) between it and some commit that is reachable from
one of the refs.
This revamps the logic -- the definition of "broken commit"
becomes: a commit that is not reachable from any of the refs and
there is a missing object among the commit, tree, or blob
objects reachable from it that is not reachable from any of the
refs. Entries in the reflog that refer to such a commit are
expired.
Since this computation involves traversing all the reachable
objects, i.e. it has the same cost as 'git prune', it is enabled
only when a new option --fix-stale. Fortunately, once this is
run, we should not have to ever worry about missing objects,
because the current prune and pack-objects know about reflogs
and protect objects referred by them.
Unfortunately, this will be absolutely necessary to help people
migrate to the newer prune and repack.
Signed-off-by: Junio C Hamano <junkio@cox.net>
2007-01-06 11:16:19 +01:00
|
|
|
* necessary objects.
|
|
|
|
*/
|
2007-01-07 07:32:41 +01:00
|
|
|
for (i = 0; i < found.nr; i++) {
|
reflog expire --fix-stale
The logic in an earlier round to detect reflog entries that
point at a broken commit was not sufficient. Just like we do
not trust presense of a commit during pack transfer (we trust
only our refs), we should not trust a commit's presense, even if
the tree of that commit is complete.
A repository that had reflog enabled on some of the refs that
was rewound and then run git-repack or git-prune from older
versions of git can have reflog entries that point at a commit
that still exist but lack commits (or trees and blobs needed for
that commit) between it and some commit that is reachable from
one of the refs.
This revamps the logic -- the definition of "broken commit"
becomes: a commit that is not reachable from any of the refs and
there is a missing object among the commit, tree, or blob
objects reachable from it that is not reachable from any of the
refs. Entries in the reflog that refer to such a commit are
expired.
Since this computation involves traversing all the reachable
objects, i.e. it has the same cost as 'git prune', it is enabled
only when a new option --fix-stale. Fortunately, once this is
run, we should not have to ever worry about missing objects,
because the current prune and pack-objects know about reflogs
and protect objects referred by them.
Unfortunately, this will be absolutely necessary to help people
migrate to the newer prune and repack.
Signed-off-by: Junio C Hamano <junkio@cox.net>
2007-01-06 11:16:19 +01:00
|
|
|
struct commit *c =
|
|
|
|
(struct commit *)found.objects[i].item;
|
2018-04-06 21:09:38 +02:00
|
|
|
if (!tree_is_complete(get_commit_tree_oid(c))) {
|
reflog expire --fix-stale
The logic in an earlier round to detect reflog entries that
point at a broken commit was not sufficient. Just like we do
not trust presense of a commit during pack transfer (we trust
only our refs), we should not trust a commit's presense, even if
the tree of that commit is complete.
A repository that had reflog enabled on some of the refs that
was rewound and then run git-repack or git-prune from older
versions of git can have reflog entries that point at a commit
that still exist but lack commits (or trees and blobs needed for
that commit) between it and some commit that is reachable from
one of the refs.
This revamps the logic -- the definition of "broken commit"
becomes: a commit that is not reachable from any of the refs and
there is a missing object among the commit, tree, or blob
objects reachable from it that is not reachable from any of the
refs. Entries in the reflog that refer to such a commit are
expired.
Since this computation involves traversing all the reachable
objects, i.e. it has the same cost as 'git prune', it is enabled
only when a new option --fix-stale. Fortunately, once this is
run, we should not have to ever worry about missing objects,
because the current prune and pack-objects know about reflogs
and protect objects referred by them.
Unfortunately, this will be absolutely necessary to help people
migrate to the newer prune and repack.
Signed-off-by: Junio C Hamano <junkio@cox.net>
2007-01-06 11:16:19 +01:00
|
|
|
is_incomplete = 1;
|
2007-01-07 07:32:41 +01:00
|
|
|
c->object.flags |= INCOMPLETE;
|
|
|
|
}
|
reflog expire --fix-stale
The logic in an earlier round to detect reflog entries that
point at a broken commit was not sufficient. Just like we do
not trust presense of a commit during pack transfer (we trust
only our refs), we should not trust a commit's presense, even if
the tree of that commit is complete.
A repository that had reflog enabled on some of the refs that
was rewound and then run git-repack or git-prune from older
versions of git can have reflog entries that point at a commit
that still exist but lack commits (or trees and blobs needed for
that commit) between it and some commit that is reachable from
one of the refs.
This revamps the logic -- the definition of "broken commit"
becomes: a commit that is not reachable from any of the refs and
there is a missing object among the commit, tree, or blob
objects reachable from it that is not reachable from any of the
refs. Entries in the reflog that refer to such a commit are
expired.
Since this computation involves traversing all the reachable
objects, i.e. it has the same cost as 'git prune', it is enabled
only when a new option --fix-stale. Fortunately, once this is
run, we should not have to ever worry about missing objects,
because the current prune and pack-objects know about reflogs
and protect objects referred by them.
Unfortunately, this will be absolutely necessary to help people
migrate to the newer prune and repack.
Signed-off-by: Junio C Hamano <junkio@cox.net>
2007-01-06 11:16:19 +01:00
|
|
|
}
|
|
|
|
if (!is_incomplete) {
|
|
|
|
/* mark all found commits as complete, iow SEEN */
|
|
|
|
for (i = 0; i < found.nr; i++)
|
|
|
|
found.objects[i].item->flags |= SEEN;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
/* clear flags from the objects we traversed */
|
|
|
|
for (i = 0; i < found.nr; i++)
|
|
|
|
found.objects[i].item->flags &= ~STUDYING;
|
|
|
|
if (is_incomplete)
|
|
|
|
commit->object.flags |= INCOMPLETE;
|
2007-01-07 07:32:41 +01:00
|
|
|
else {
|
|
|
|
/*
|
|
|
|
* If we come here, we have (1) traversed the ancestry chain
|
|
|
|
* from the "commit" until we reach SEEN commits (which are
|
|
|
|
* known to be complete), and (2) made sure that the commits
|
|
|
|
* encountered during the above traversal refer to trees that
|
|
|
|
* are complete. Which means that we know *all* the commits
|
|
|
|
* we have seen during this process are complete.
|
|
|
|
*/
|
|
|
|
for (i = 0; i < found.nr; i++)
|
|
|
|
found.objects[i].item->flags |= SEEN;
|
|
|
|
}
|
reflog expire --fix-stale
The logic in an earlier round to detect reflog entries that
point at a broken commit was not sufficient. Just like we do
not trust presense of a commit during pack transfer (we trust
only our refs), we should not trust a commit's presense, even if
the tree of that commit is complete.
A repository that had reflog enabled on some of the refs that
was rewound and then run git-repack or git-prune from older
versions of git can have reflog entries that point at a commit
that still exist but lack commits (or trees and blobs needed for
that commit) between it and some commit that is reachable from
one of the refs.
This revamps the logic -- the definition of "broken commit"
becomes: a commit that is not reachable from any of the refs and
there is a missing object among the commit, tree, or blob
objects reachable from it that is not reachable from any of the
refs. Entries in the reflog that refer to such a commit are
expired.
Since this computation involves traversing all the reachable
objects, i.e. it has the same cost as 'git prune', it is enabled
only when a new option --fix-stale. Fortunately, once this is
run, we should not have to ever worry about missing objects,
because the current prune and pack-objects know about reflogs
and protect objects referred by them.
Unfortunately, this will be absolutely necessary to help people
migrate to the newer prune and repack.
Signed-off-by: Junio C Hamano <junkio@cox.net>
2007-01-06 11:16:19 +01:00
|
|
|
/* free object arrays */
|
2017-09-23 01:34:52 +02:00
|
|
|
object_array_clear(&study);
|
|
|
|
object_array_clear(&found);
|
reflog expire --fix-stale
The logic in an earlier round to detect reflog entries that
point at a broken commit was not sufficient. Just like we do
not trust presense of a commit during pack transfer (we trust
only our refs), we should not trust a commit's presense, even if
the tree of that commit is complete.
A repository that had reflog enabled on some of the refs that
was rewound and then run git-repack or git-prune from older
versions of git can have reflog entries that point at a commit
that still exist but lack commits (or trees and blobs needed for
that commit) between it and some commit that is reachable from
one of the refs.
This revamps the logic -- the definition of "broken commit"
becomes: a commit that is not reachable from any of the refs and
there is a missing object among the commit, tree, or blob
objects reachable from it that is not reachable from any of the
refs. Entries in the reflog that refer to such a commit are
expired.
Since this computation involves traversing all the reachable
objects, i.e. it has the same cost as 'git prune', it is enabled
only when a new option --fix-stale. Fortunately, once this is
run, we should not have to ever worry about missing objects,
because the current prune and pack-objects know about reflogs
and protect objects referred by them.
Unfortunately, this will be absolutely necessary to help people
migrate to the newer prune and repack.
Signed-off-by: Junio C Hamano <junkio@cox.net>
2007-01-06 11:16:19 +01:00
|
|
|
return !is_incomplete;
|
|
|
|
}
|
|
|
|
|
2017-05-07 00:10:00 +02:00
|
|
|
static int keep_entry(struct commit **it, struct object_id *oid)
|
2006-12-19 09:23:12 +01:00
|
|
|
{
|
2006-12-22 09:46:33 +01:00
|
|
|
struct commit *commit;
|
|
|
|
|
2017-05-07 00:10:00 +02:00
|
|
|
if (is_null_oid(oid))
|
2006-12-19 09:23:12 +01:00
|
|
|
return 1;
|
2018-06-29 03:21:57 +02:00
|
|
|
commit = lookup_commit_reference_gently(the_repository, oid, 1);
|
2006-12-22 09:46:33 +01:00
|
|
|
if (!commit)
|
|
|
|
return 0;
|
|
|
|
|
reflog expire --fix-stale
The logic in an earlier round to detect reflog entries that
point at a broken commit was not sufficient. Just like we do
not trust presense of a commit during pack transfer (we trust
only our refs), we should not trust a commit's presense, even if
the tree of that commit is complete.
A repository that had reflog enabled on some of the refs that
was rewound and then run git-repack or git-prune from older
versions of git can have reflog entries that point at a commit
that still exist but lack commits (or trees and blobs needed for
that commit) between it and some commit that is reachable from
one of the refs.
This revamps the logic -- the definition of "broken commit"
becomes: a commit that is not reachable from any of the refs and
there is a missing object among the commit, tree, or blob
objects reachable from it that is not reachable from any of the
refs. Entries in the reflog that refer to such a commit are
expired.
Since this computation involves traversing all the reachable
objects, i.e. it has the same cost as 'git prune', it is enabled
only when a new option --fix-stale. Fortunately, once this is
run, we should not have to ever worry about missing objects,
because the current prune and pack-objects know about reflogs
and protect objects referred by them.
Unfortunately, this will be absolutely necessary to help people
migrate to the newer prune and repack.
Signed-off-by: Junio C Hamano <junkio@cox.net>
2007-01-06 11:16:19 +01:00
|
|
|
/*
|
|
|
|
* Make sure everything in this commit exists.
|
|
|
|
*
|
|
|
|
* We have walked all the objects reachable from the refs
|
|
|
|
* and cache earlier. The commits reachable by this commit
|
|
|
|
* must meet SEEN commits -- and then we should mark them as
|
|
|
|
* SEEN as well.
|
|
|
|
*/
|
|
|
|
if (!commit_is_complete(commit))
|
2006-12-22 09:46:33 +01:00
|
|
|
return 0;
|
|
|
|
*it = commit;
|
|
|
|
return 1;
|
2006-12-19 09:23:12 +01:00
|
|
|
}
|
|
|
|
|
2010-04-07 20:09:12 +02:00
|
|
|
/*
|
|
|
|
* Starting from commits in the cb->mark_list, mark commits that are
|
|
|
|
* reachable from them. Stop the traversal at commits older than
|
|
|
|
* the expire_limit and queue them back, so that the caller can call
|
|
|
|
* us again to restart the traversal with longer expire_limit.
|
|
|
|
*/
|
2014-12-12 09:56:52 +01:00
|
|
|
static void mark_reachable(struct expire_reflog_policy_cb *cb)
|
2009-03-31 18:45:22 +02:00
|
|
|
{
|
2010-04-07 20:09:12 +02:00
|
|
|
struct commit_list *pending;
|
2017-04-26 21:29:31 +02:00
|
|
|
timestamp_t expire_limit = cb->mark_limit;
|
2010-04-07 20:09:12 +02:00
|
|
|
struct commit_list *leftover = NULL;
|
2009-03-31 18:45:22 +02:00
|
|
|
|
2010-04-07 20:09:12 +02:00
|
|
|
for (pending = cb->mark_list; pending; pending = pending->next)
|
|
|
|
pending->item->object.flags &= ~REACHABLE;
|
2009-03-31 06:34:14 +02:00
|
|
|
|
2010-04-07 20:09:12 +02:00
|
|
|
pending = cb->mark_list;
|
2009-03-31 06:34:14 +02:00
|
|
|
while (pending) {
|
|
|
|
struct commit_list *parent;
|
2015-10-24 18:21:31 +02:00
|
|
|
struct commit *commit = pop_commit(&pending);
|
2009-03-31 06:34:14 +02:00
|
|
|
if (commit->object.flags & REACHABLE)
|
|
|
|
continue;
|
|
|
|
if (parse_commit(commit))
|
|
|
|
continue;
|
|
|
|
commit->object.flags |= REACHABLE;
|
2010-04-07 20:09:12 +02:00
|
|
|
if (commit->date < expire_limit) {
|
|
|
|
commit_list_insert(commit, &leftover);
|
2009-03-31 06:34:14 +02:00
|
|
|
continue;
|
2010-04-07 20:09:12 +02:00
|
|
|
}
|
|
|
|
commit->object.flags |= REACHABLE;
|
2009-03-31 06:34:14 +02:00
|
|
|
parent = commit->parents;
|
|
|
|
while (parent) {
|
|
|
|
commit = parent->item;
|
|
|
|
parent = parent->next;
|
|
|
|
if (commit->object.flags & REACHABLE)
|
|
|
|
continue;
|
|
|
|
commit_list_insert(commit, &pending);
|
|
|
|
}
|
|
|
|
}
|
2010-04-07 20:09:12 +02:00
|
|
|
cb->mark_list = leftover;
|
|
|
|
}
|
|
|
|
|
2017-05-07 00:10:00 +02:00
|
|
|
static int unreachable(struct expire_reflog_policy_cb *cb, struct commit *commit, struct object_id *oid)
|
2010-04-07 20:09:12 +02:00
|
|
|
{
|
|
|
|
/*
|
|
|
|
* We may or may not have the commit yet - if not, look it
|
|
|
|
* up using the supplied sha1.
|
|
|
|
*/
|
|
|
|
if (!commit) {
|
2017-05-07 00:10:00 +02:00
|
|
|
if (is_null_oid(oid))
|
2010-04-07 20:09:12 +02:00
|
|
|
return 0;
|
|
|
|
|
2018-06-29 03:21:57 +02:00
|
|
|
commit = lookup_commit_reference_gently(the_repository, oid,
|
|
|
|
1);
|
2010-04-07 20:09:12 +02:00
|
|
|
|
|
|
|
/* Not a commit -- keep it */
|
|
|
|
if (!commit)
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Reachable from the current ref? Don't prune. */
|
|
|
|
if (commit->object.flags & REACHABLE)
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
if (cb->mark_list && cb->mark_limit) {
|
|
|
|
cb->mark_limit = 0; /* dig down to the root */
|
|
|
|
mark_reachable(cb);
|
|
|
|
}
|
|
|
|
|
|
|
|
return !(commit->object.flags & REACHABLE);
|
2009-03-31 06:34:14 +02:00
|
|
|
}
|
|
|
|
|
2014-12-12 09:56:47 +01:00
|
|
|
/*
|
|
|
|
* Return true iff the specified reflog entry should be expired.
|
|
|
|
*/
|
2017-05-07 00:10:00 +02:00
|
|
|
static int should_expire_reflog_ent(struct object_id *ooid, struct object_id *noid,
|
2017-04-26 21:29:31 +02:00
|
|
|
const char *email, timestamp_t timestamp, int tz,
|
2014-12-12 09:56:47 +01:00
|
|
|
const char *message, void *cb_data)
|
2006-12-19 09:23:12 +01:00
|
|
|
{
|
2014-12-12 09:56:52 +01:00
|
|
|
struct expire_reflog_policy_cb *cb = cb_data;
|
2018-02-14 19:59:34 +01:00
|
|
|
struct commit *old_commit, *new_commit;
|
2006-12-19 09:23:12 +01:00
|
|
|
|
2014-12-12 09:56:58 +01:00
|
|
|
if (timestamp < cb->cmd.expire_total)
|
2014-12-12 09:56:47 +01:00
|
|
|
return 1;
|
2008-02-22 19:56:50 +01:00
|
|
|
|
2018-02-14 19:59:34 +01:00
|
|
|
old_commit = new_commit = NULL;
|
2014-12-12 09:56:58 +01:00
|
|
|
if (cb->cmd.stalefix &&
|
2018-02-14 19:59:34 +01:00
|
|
|
(!keep_entry(&old_commit, ooid) || !keep_entry(&new_commit, noid)))
|
2014-12-12 09:56:47 +01:00
|
|
|
return 1;
|
2006-12-19 09:23:12 +01:00
|
|
|
|
2014-12-12 09:56:58 +01:00
|
|
|
if (timestamp < cb->cmd.expire_unreachable) {
|
2010-04-09 22:20:02 +02:00
|
|
|
if (cb->unreachable_expire_kind == UE_ALWAYS)
|
2014-12-12 09:56:47 +01:00
|
|
|
return 1;
|
2018-02-14 19:59:34 +01:00
|
|
|
if (unreachable(cb, old_commit, ooid) || unreachable(cb, new_commit, noid))
|
2014-12-12 09:56:47 +01:00
|
|
|
return 1;
|
2007-01-12 04:56:43 +01:00
|
|
|
}
|
2006-12-19 09:23:12 +01:00
|
|
|
|
2014-12-12 09:56:58 +01:00
|
|
|
if (cb->cmd.recno && --(cb->cmd.recno) == 0)
|
2014-12-12 09:56:47 +01:00
|
|
|
return 1;
|
|
|
|
|
2006-12-19 09:23:12 +01:00
|
|
|
return 0;
|
2014-12-12 09:56:47 +01:00
|
|
|
}
|
|
|
|
|
2015-05-25 20:38:40 +02:00
|
|
|
static int push_tip_to_list(const char *refname, const struct object_id *oid,
|
2014-12-12 09:56:52 +01:00
|
|
|
int flags, void *cb_data)
|
2010-04-09 22:20:02 +02:00
|
|
|
{
|
|
|
|
struct commit_list **list = cb_data;
|
|
|
|
struct commit *tip_commit;
|
|
|
|
if (flags & REF_ISSYMREF)
|
|
|
|
return 0;
|
2018-06-29 03:21:57 +02:00
|
|
|
tip_commit = lookup_commit_reference_gently(the_repository, oid, 1);
|
2010-04-09 22:20:02 +02:00
|
|
|
if (!tip_commit)
|
|
|
|
return 0;
|
|
|
|
commit_list_insert(tip_commit, list);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2018-10-21 10:08:59 +02:00
|
|
|
static int is_head(const char *refname)
|
|
|
|
{
|
|
|
|
switch (ref_type(refname)) {
|
|
|
|
case REF_TYPE_OTHER_PSEUDOREF:
|
|
|
|
case REF_TYPE_MAIN_PSEUDOREF:
|
|
|
|
if (parse_worktree_ref(refname, NULL, NULL, &refname))
|
|
|
|
BUG("not a worktree ref: %s", refname);
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
return !strcmp(refname, "HEAD");
|
|
|
|
}
|
|
|
|
|
2014-12-12 09:56:48 +01:00
|
|
|
static void reflog_expiry_prepare(const char *refname,
|
2017-05-07 00:10:00 +02:00
|
|
|
const struct object_id *oid,
|
2014-12-12 09:56:58 +01:00
|
|
|
void *cb_data)
|
2014-12-12 09:56:48 +01:00
|
|
|
{
|
2014-12-12 09:56:58 +01:00
|
|
|
struct expire_reflog_policy_cb *cb = cb_data;
|
|
|
|
|
2018-10-21 10:08:59 +02:00
|
|
|
if (!cb->cmd.expire_unreachable || is_head(refname)) {
|
2014-12-12 09:56:48 +01:00
|
|
|
cb->tip_commit = NULL;
|
|
|
|
cb->unreachable_expire_kind = UE_HEAD;
|
|
|
|
} else {
|
2018-06-29 03:21:57 +02:00
|
|
|
cb->tip_commit = lookup_commit_reference_gently(the_repository,
|
|
|
|
oid, 1);
|
2014-12-12 09:56:48 +01:00
|
|
|
if (!cb->tip_commit)
|
|
|
|
cb->unreachable_expire_kind = UE_ALWAYS;
|
|
|
|
else
|
|
|
|
cb->unreachable_expire_kind = UE_NORMAL;
|
|
|
|
}
|
|
|
|
|
2014-12-12 09:56:58 +01:00
|
|
|
if (cb->cmd.expire_unreachable <= cb->cmd.expire_total)
|
2014-12-12 09:56:48 +01:00
|
|
|
cb->unreachable_expire_kind = UE_ALWAYS;
|
|
|
|
|
|
|
|
cb->mark_list = NULL;
|
|
|
|
cb->tips = NULL;
|
|
|
|
if (cb->unreachable_expire_kind != UE_ALWAYS) {
|
|
|
|
if (cb->unreachable_expire_kind == UE_HEAD) {
|
|
|
|
struct commit_list *elem;
|
2015-05-25 20:38:28 +02:00
|
|
|
|
2015-05-25 20:38:40 +02:00
|
|
|
for_each_ref(push_tip_to_list, &cb->tips);
|
2014-12-12 09:56:48 +01:00
|
|
|
for (elem = cb->tips; elem; elem = elem->next)
|
|
|
|
commit_list_insert(elem->item, &cb->mark_list);
|
|
|
|
} else {
|
|
|
|
commit_list_insert(cb->tip_commit, &cb->mark_list);
|
|
|
|
}
|
2014-12-12 09:56:58 +01:00
|
|
|
cb->mark_limit = cb->cmd.expire_total;
|
2014-12-12 09:56:48 +01:00
|
|
|
mark_reachable(cb);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2014-12-12 09:56:58 +01:00
|
|
|
static void reflog_expiry_cleanup(void *cb_data)
|
2014-12-12 09:56:48 +01:00
|
|
|
{
|
2014-12-12 09:56:58 +01:00
|
|
|
struct expire_reflog_policy_cb *cb = cb_data;
|
|
|
|
|
2014-12-12 09:56:48 +01:00
|
|
|
if (cb->unreachable_expire_kind != UE_ALWAYS) {
|
|
|
|
if (cb->unreachable_expire_kind == UE_HEAD) {
|
|
|
|
struct commit_list *elem;
|
|
|
|
for (elem = cb->tips; elem; elem = elem->next)
|
|
|
|
clear_commit_marks(elem->item, REACHABLE);
|
|
|
|
free_commit_list(cb->tips);
|
|
|
|
} else {
|
|
|
|
clear_commit_marks(cb->tip_commit, REACHABLE);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-05-25 20:38:40 +02:00
|
|
|
static int collect_reflog(const char *ref, const struct object_id *oid, int unused, void *cb_data)
|
2008-01-26 08:53:05 +01:00
|
|
|
{
|
|
|
|
struct collected_reflog *e;
|
|
|
|
struct collect_reflog_cb *cb = cb_data;
|
2018-10-21 10:08:59 +02:00
|
|
|
struct strbuf newref = STRBUF_INIT;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Avoid collecting the same shared ref multiple times because
|
|
|
|
* they are available via all worktrees.
|
|
|
|
*/
|
|
|
|
if (!cb->wt->is_current && ref_type(ref) == REF_TYPE_NORMAL)
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
strbuf_worktree_ref(cb->wt, &newref, ref);
|
|
|
|
FLEX_ALLOC_STR(e, reflog, newref.buf);
|
|
|
|
strbuf_release(&newref);
|
2008-01-26 08:53:05 +01:00
|
|
|
|
2017-10-16 00:06:58 +02:00
|
|
|
oidcpy(&e->oid, oid);
|
2008-01-26 08:53:05 +01:00
|
|
|
ALLOC_GROW(cb->e, cb->nr + 1, cb->alloc);
|
|
|
|
cb->e[cb->nr++] = e;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2008-06-16 08:48:46 +02:00
|
|
|
static struct reflog_expire_cfg {
|
|
|
|
struct reflog_expire_cfg *next;
|
2017-04-26 21:29:31 +02:00
|
|
|
timestamp_t expire_total;
|
|
|
|
timestamp_t expire_unreachable;
|
2008-06-16 08:48:46 +02:00
|
|
|
char pattern[FLEX_ARRAY];
|
|
|
|
} *reflog_expire_cfg, **reflog_expire_cfg_tail;
|
|
|
|
|
|
|
|
static struct reflog_expire_cfg *find_cfg_ent(const char *pattern, size_t len)
|
2006-12-27 10:47:57 +01:00
|
|
|
{
|
2008-06-16 08:48:46 +02:00
|
|
|
struct reflog_expire_cfg *ent;
|
|
|
|
|
|
|
|
if (!reflog_expire_cfg_tail)
|
|
|
|
reflog_expire_cfg_tail = &reflog_expire_cfg;
|
|
|
|
|
|
|
|
for (ent = reflog_expire_cfg; ent; ent = ent->next)
|
2016-02-19 12:21:08 +01:00
|
|
|
if (!strncmp(ent->pattern, pattern, len) &&
|
|
|
|
ent->pattern[len] == '\0')
|
2008-06-16 08:48:46 +02:00
|
|
|
return ent;
|
|
|
|
|
2016-02-22 23:44:32 +01:00
|
|
|
FLEX_ALLOC_MEM(ent, pattern, pattern, len);
|
2008-06-16 08:48:46 +02:00
|
|
|
*reflog_expire_cfg_tail = ent;
|
|
|
|
reflog_expire_cfg_tail = &(ent->next);
|
|
|
|
return ent;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* expiry timer slot */
|
|
|
|
#define EXPIRE_TOTAL 01
|
|
|
|
#define EXPIRE_UNREACH 02
|
|
|
|
|
|
|
|
static int reflog_expire_config(const char *var, const char *value, void *cb)
|
|
|
|
{
|
2013-01-23 07:27:37 +01:00
|
|
|
const char *pattern, *key;
|
2020-04-10 21:44:28 +02:00
|
|
|
size_t pattern_len;
|
2017-04-26 21:29:31 +02:00
|
|
|
timestamp_t expire;
|
2008-06-16 08:48:46 +02:00
|
|
|
int slot;
|
|
|
|
struct reflog_expire_cfg *ent;
|
|
|
|
|
2013-01-23 07:27:37 +01:00
|
|
|
if (parse_config_key(var, "gc", &pattern, &pattern_len, &key) < 0)
|
2008-06-16 08:48:46 +02:00
|
|
|
return git_default_config(var, value, cb);
|
|
|
|
|
2013-01-23 07:27:37 +01:00
|
|
|
if (!strcmp(key, "reflogexpire")) {
|
2008-06-16 08:48:46 +02:00
|
|
|
slot = EXPIRE_TOTAL;
|
2017-11-18 03:27:27 +01:00
|
|
|
if (git_config_expiry_date(&expire, var, value))
|
2008-06-16 08:48:46 +02:00
|
|
|
return -1;
|
2013-01-23 07:27:37 +01:00
|
|
|
} else if (!strcmp(key, "reflogexpireunreachable")) {
|
2008-06-16 08:48:46 +02:00
|
|
|
slot = EXPIRE_UNREACH;
|
2017-11-18 03:27:27 +01:00
|
|
|
if (git_config_expiry_date(&expire, var, value))
|
2008-06-16 08:48:46 +02:00
|
|
|
return -1;
|
|
|
|
} else
|
|
|
|
return git_default_config(var, value, cb);
|
|
|
|
|
2013-01-23 07:27:37 +01:00
|
|
|
if (!pattern) {
|
2008-06-16 08:48:46 +02:00
|
|
|
switch (slot) {
|
|
|
|
case EXPIRE_TOTAL:
|
|
|
|
default_reflog_expire = expire;
|
|
|
|
break;
|
|
|
|
case EXPIRE_UNREACH:
|
|
|
|
default_reflog_expire_unreachable = expire;
|
|
|
|
break;
|
|
|
|
}
|
2008-02-11 19:50:06 +01:00
|
|
|
return 0;
|
|
|
|
}
|
2008-06-16 08:48:46 +02:00
|
|
|
|
2013-01-23 07:27:37 +01:00
|
|
|
ent = find_cfg_ent(pattern, pattern_len);
|
2008-06-16 08:48:46 +02:00
|
|
|
if (!ent)
|
|
|
|
return -1;
|
|
|
|
switch (slot) {
|
|
|
|
case EXPIRE_TOTAL:
|
|
|
|
ent->expire_total = expire;
|
|
|
|
break;
|
|
|
|
case EXPIRE_UNREACH:
|
|
|
|
ent->expire_unreachable = expire;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void set_reflog_expiry_param(struct cmd_reflog_expire_cb *cb, int slot, const char *ref)
|
|
|
|
{
|
|
|
|
struct reflog_expire_cfg *ent;
|
|
|
|
|
|
|
|
if (slot == (EXPIRE_TOTAL|EXPIRE_UNREACH))
|
|
|
|
return; /* both given explicitly -- nothing to tweak */
|
|
|
|
|
|
|
|
for (ent = reflog_expire_cfg; ent; ent = ent->next) {
|
2017-06-22 23:38:08 +02:00
|
|
|
if (!wildmatch(ent->pattern, ref, 0)) {
|
2008-06-16 08:48:46 +02:00
|
|
|
if (!(slot & EXPIRE_TOTAL))
|
|
|
|
cb->expire_total = ent->expire_total;
|
|
|
|
if (!(slot & EXPIRE_UNREACH))
|
|
|
|
cb->expire_unreachable = ent->expire_unreachable;
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2008-06-29 07:24:49 +02:00
|
|
|
/*
|
|
|
|
* If unconfigured, make stash never expire
|
|
|
|
*/
|
|
|
|
if (!strcmp(ref, "refs/stash")) {
|
|
|
|
if (!(slot & EXPIRE_TOTAL))
|
|
|
|
cb->expire_total = 0;
|
|
|
|
if (!(slot & EXPIRE_UNREACH))
|
|
|
|
cb->expire_unreachable = 0;
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2008-06-16 08:48:46 +02:00
|
|
|
/* Nothing matched -- use the default value */
|
|
|
|
if (!(slot & EXPIRE_TOTAL))
|
|
|
|
cb->expire_total = default_reflog_expire;
|
|
|
|
if (!(slot & EXPIRE_UNREACH))
|
|
|
|
cb->expire_unreachable = default_reflog_expire_unreachable;
|
2006-12-27 10:47:57 +01:00
|
|
|
}
|
|
|
|
|
2006-12-19 09:23:12 +01:00
|
|
|
static int cmd_reflog_expire(int argc, const char **argv, const char *prefix)
|
|
|
|
{
|
2014-12-12 09:56:58 +01:00
|
|
|
struct expire_reflog_policy_cb cb;
|
2017-04-26 21:29:31 +02:00
|
|
|
timestamp_t now = time(NULL);
|
2018-10-21 10:08:59 +02:00
|
|
|
int i, status, do_all, all_worktrees = 1;
|
2008-06-16 08:48:46 +02:00
|
|
|
int explicit_expiry = 0;
|
2014-12-12 09:56:49 +01:00
|
|
|
unsigned int flags = 0;
|
2006-12-19 09:23:12 +01:00
|
|
|
|
2010-02-27 04:50:03 +01:00
|
|
|
default_reflog_expire_unreachable = now - 30 * 24 * 3600;
|
|
|
|
default_reflog_expire = now - 90 * 24 * 3600;
|
2008-05-14 19:46:53 +02:00
|
|
|
git_config(reflog_expire_config, NULL);
|
2006-12-27 10:47:57 +01:00
|
|
|
|
2006-12-19 09:23:12 +01:00
|
|
|
save_commit_buffer = 0;
|
|
|
|
do_all = status = 0;
|
|
|
|
memset(&cb, 0, sizeof(cb));
|
2006-12-27 10:47:57 +01:00
|
|
|
|
2014-12-12 09:56:58 +01:00
|
|
|
cb.cmd.expire_total = default_reflog_expire;
|
|
|
|
cb.cmd.expire_unreachable = default_reflog_expire_unreachable;
|
2006-12-19 09:23:12 +01:00
|
|
|
|
|
|
|
for (i = 1; i < argc; i++) {
|
|
|
|
const char *arg = argv[i];
|
2020-01-30 20:35:46 +01:00
|
|
|
|
2006-12-19 09:23:12 +01:00
|
|
|
if (!strcmp(arg, "--dry-run") || !strcmp(arg, "-n"))
|
2014-12-12 09:56:50 +01:00
|
|
|
flags |= EXPIRE_REFLOGS_DRY_RUN;
|
2020-01-30 20:35:46 +01:00
|
|
|
else if (skip_prefix(arg, "--expire=", &arg)) {
|
|
|
|
if (parse_expiry_date(arg, &cb.cmd.expire_total))
|
2013-04-18 00:38:08 +02:00
|
|
|
die(_("'%s' is not a valid timestamp"), arg);
|
2008-06-16 08:48:46 +02:00
|
|
|
explicit_expiry |= EXPIRE_TOTAL;
|
|
|
|
}
|
2020-01-30 20:35:46 +01:00
|
|
|
else if (skip_prefix(arg, "--expire-unreachable=", &arg)) {
|
|
|
|
if (parse_expiry_date(arg, &cb.cmd.expire_unreachable))
|
2013-04-18 00:38:08 +02:00
|
|
|
die(_("'%s' is not a valid timestamp"), arg);
|
2008-06-16 08:48:46 +02:00
|
|
|
explicit_expiry |= EXPIRE_UNREACH;
|
|
|
|
}
|
reflog expire --fix-stale
The logic in an earlier round to detect reflog entries that
point at a broken commit was not sufficient. Just like we do
not trust presense of a commit during pack transfer (we trust
only our refs), we should not trust a commit's presense, even if
the tree of that commit is complete.
A repository that had reflog enabled on some of the refs that
was rewound and then run git-repack or git-prune from older
versions of git can have reflog entries that point at a commit
that still exist but lack commits (or trees and blobs needed for
that commit) between it and some commit that is reachable from
one of the refs.
This revamps the logic -- the definition of "broken commit"
becomes: a commit that is not reachable from any of the refs and
there is a missing object among the commit, tree, or blob
objects reachable from it that is not reachable from any of the
refs. Entries in the reflog that refer to such a commit are
expired.
Since this computation involves traversing all the reachable
objects, i.e. it has the same cost as 'git prune', it is enabled
only when a new option --fix-stale. Fortunately, once this is
run, we should not have to ever worry about missing objects,
because the current prune and pack-objects know about reflogs
and protect objects referred by them.
Unfortunately, this will be absolutely necessary to help people
migrate to the newer prune and repack.
Signed-off-by: Junio C Hamano <junkio@cox.net>
2007-01-06 11:16:19 +01:00
|
|
|
else if (!strcmp(arg, "--stale-fix"))
|
2014-12-12 09:56:58 +01:00
|
|
|
cb.cmd.stalefix = 1;
|
2008-02-22 19:56:50 +01:00
|
|
|
else if (!strcmp(arg, "--rewrite"))
|
2014-12-12 09:56:56 +01:00
|
|
|
flags |= EXPIRE_REFLOGS_REWRITE;
|
2008-02-22 20:04:12 +01:00
|
|
|
else if (!strcmp(arg, "--updateref"))
|
2014-12-12 09:56:51 +01:00
|
|
|
flags |= EXPIRE_REFLOGS_UPDATE_REF;
|
2006-12-19 09:23:12 +01:00
|
|
|
else if (!strcmp(arg, "--all"))
|
|
|
|
do_all = 1;
|
2018-10-21 10:08:59 +02:00
|
|
|
else if (!strcmp(arg, "--single-worktree"))
|
|
|
|
all_worktrees = 0;
|
reflog expire --fix-stale
The logic in an earlier round to detect reflog entries that
point at a broken commit was not sufficient. Just like we do
not trust presense of a commit during pack transfer (we trust
only our refs), we should not trust a commit's presense, even if
the tree of that commit is complete.
A repository that had reflog enabled on some of the refs that
was rewound and then run git-repack or git-prune from older
versions of git can have reflog entries that point at a commit
that still exist but lack commits (or trees and blobs needed for
that commit) between it and some commit that is reachable from
one of the refs.
This revamps the logic -- the definition of "broken commit"
becomes: a commit that is not reachable from any of the refs and
there is a missing object among the commit, tree, or blob
objects reachable from it that is not reachable from any of the
refs. Entries in the reflog that refer to such a commit are
expired.
Since this computation involves traversing all the reachable
objects, i.e. it has the same cost as 'git prune', it is enabled
only when a new option --fix-stale. Fortunately, once this is
run, we should not have to ever worry about missing objects,
because the current prune and pack-objects know about reflogs
and protect objects referred by them.
Unfortunately, this will be absolutely necessary to help people
migrate to the newer prune and repack.
Signed-off-by: Junio C Hamano <junkio@cox.net>
2007-01-06 11:16:19 +01:00
|
|
|
else if (!strcmp(arg, "--verbose"))
|
2014-12-12 09:56:55 +01:00
|
|
|
flags |= EXPIRE_REFLOGS_VERBOSE;
|
2006-12-19 09:23:12 +01:00
|
|
|
else if (!strcmp(arg, "--")) {
|
|
|
|
i++;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
else if (arg[0] == '-')
|
2018-11-10 06:16:07 +01:00
|
|
|
usage(_(reflog_expire_usage));
|
2006-12-19 09:23:12 +01:00
|
|
|
else
|
|
|
|
break;
|
|
|
|
}
|
2008-06-16 08:48:46 +02:00
|
|
|
|
|
|
|
/*
|
|
|
|
* We can trust the commits and objects reachable from refs
|
|
|
|
* even in older repository. We cannot trust what's reachable
|
|
|
|
* from reflog if the repository was pruned with older git.
|
|
|
|
*/
|
2014-12-12 09:56:58 +01:00
|
|
|
if (cb.cmd.stalefix) {
|
2018-09-21 17:57:38 +02:00
|
|
|
repo_init_revisions(the_repository, &cb.cmd.revs, prefix);
|
2021-02-10 17:11:38 +01:00
|
|
|
cb.cmd.revs.do_not_die_on_missing_tree = 1;
|
|
|
|
cb.cmd.revs.ignore_missing = 1;
|
|
|
|
cb.cmd.revs.ignore_missing_links = 1;
|
2014-12-12 09:56:55 +01:00
|
|
|
if (flags & EXPIRE_REFLOGS_VERBOSE)
|
2018-11-10 06:16:07 +01:00
|
|
|
printf(_("Marking reachable objects..."));
|
2014-12-12 09:56:58 +01:00
|
|
|
mark_reachable_objects(&cb.cmd.revs, 0, 0, NULL);
|
2014-12-12 09:56:55 +01:00
|
|
|
if (flags & EXPIRE_REFLOGS_VERBOSE)
|
reflog expire --fix-stale
The logic in an earlier round to detect reflog entries that
point at a broken commit was not sufficient. Just like we do
not trust presense of a commit during pack transfer (we trust
only our refs), we should not trust a commit's presense, even if
the tree of that commit is complete.
A repository that had reflog enabled on some of the refs that
was rewound and then run git-repack or git-prune from older
versions of git can have reflog entries that point at a commit
that still exist but lack commits (or trees and blobs needed for
that commit) between it and some commit that is reachable from
one of the refs.
This revamps the logic -- the definition of "broken commit"
becomes: a commit that is not reachable from any of the refs and
there is a missing object among the commit, tree, or blob
objects reachable from it that is not reachable from any of the
refs. Entries in the reflog that refer to such a commit are
expired.
Since this computation involves traversing all the reachable
objects, i.e. it has the same cost as 'git prune', it is enabled
only when a new option --fix-stale. Fortunately, once this is
run, we should not have to ever worry about missing objects,
because the current prune and pack-objects know about reflogs
and protect objects referred by them.
Unfortunately, this will be absolutely necessary to help people
migrate to the newer prune and repack.
Signed-off-by: Junio C Hamano <junkio@cox.net>
2007-01-06 11:16:19 +01:00
|
|
|
putchar('\n');
|
|
|
|
}
|
|
|
|
|
2008-01-26 08:53:05 +01:00
|
|
|
if (do_all) {
|
|
|
|
struct collect_reflog_cb collected;
|
2018-10-21 10:08:59 +02:00
|
|
|
struct worktree **worktrees, **p;
|
2008-01-26 08:53:05 +01:00
|
|
|
int i;
|
|
|
|
|
|
|
|
memset(&collected, 0, sizeof(collected));
|
2020-06-20 01:35:44 +02:00
|
|
|
worktrees = get_worktrees();
|
2018-10-21 10:08:59 +02:00
|
|
|
for (p = worktrees; *p; p++) {
|
|
|
|
if (!all_worktrees && !(*p)->is_current)
|
|
|
|
continue;
|
|
|
|
collected.wt = *p;
|
|
|
|
refs_for_each_reflog(get_worktree_ref_store(*p),
|
|
|
|
collect_reflog, &collected);
|
|
|
|
}
|
|
|
|
free_worktrees(worktrees);
|
2008-01-26 08:53:05 +01:00
|
|
|
for (i = 0; i < collected.nr; i++) {
|
|
|
|
struct collected_reflog *e = collected.e[i];
|
reflog expire: don't lock reflogs using previously seen OID
During reflog expiry, the cmd_reflog_expire() function first iterates
over all reflogs in logs/*, and then one-by-one acquires the lock for
each one and expires it. This behavior has been with us since this
command was implemented in 4264dc15e1 ("git reflog expire",
2006-12-19).
Change this to stop calling lock_ref_oid_basic() with the OID we saw
when we looped over the logs, instead have it pass the OID it managed
to lock.
This mostly mitigates a race condition where e.g. "git gc" will fail
in a concurrently updated repository because the branch moved since
"git reflog expire --all" was started. I.e. with:
error: cannot lock ref '<refname>': ref '<refname>' is at <OID-A> but expected <OID-B>
This behavior of passing in an "oid" was needed for an edge-case that
I've untangled in this and preceding commits though, namely that we
needed this OID because we'd:
1. Lookup the reflog name/OID via dwim_log()
2. With that OID, lock the reflog
3. Later in builtin/reflog.c we use the OID we looked as input to
lookup_commit_reference_gently(), assured that it's equal to the
OID we got from dwim_log().
We can be sure that this change is safe to make because between
dwim_log (step #1) and lock_ref_oid_basic (step #2) there was no other
logic relevant to the OID or expiry run in the cmd_reflog_expire()
caller.
We can thus treat that code as a black box, before and after this
change it would get an OID that's been locked, the only difference is
that now we mostly won't be failing to get the lock due to the TOCTOU
race[0]. That failure was purely an implementation detail in how the
"current OID" was looked up, it was divorced from the locking
mechanism.
What do we mean with "mostly"? It mostly mitigates it because we'll
still run into cases where the ref is locked and being updated as we
want to expire it, and other git processes wanting to update the refs
will in turn race with us as we expire the reflog.
That remaining race can in turn be mitigated with the
core.filesRefLockTimeout setting, see 4ff0f01cb7 ("refs: retry
acquiring reference locks for 100ms", 2017-08-21). In practice if that
value is high enough we'll probably never have ref updates or reflog
expiry failing, since the clients involved will retry for far longer
than the time any of those operations could take.
See [1] for an initial report of how this impacted "git gc" and a
large discussion about this change in early 2019. In particular patch
looked good to Michael Haggerty, see his[2]. That message seems to not
have made it to the ML archive, its content is quoted in full in my
[3].
I'm leaving behind now-unused code the refs API etc. that takes the
now-NULL "unused_oid" argument, and other code that can be simplified now
that we never have on OID in that context, that'll be cleaned up in
subsequent commits, but for now let's narrowly focus on fixing the
"git gc" issue. As the modified assert() shows we always pass a NULL
oid to reflog_expire() now.
Unfortunately this sort of probabilistic contention is hard to turn
into a test. I've tested this by running the following three subshells
in concurrent terminals:
(
rm -rf /tmp/git &&
git init /tmp/git &&
while true
do
head -c 10 /dev/urandom | hexdump >/tmp/git/out &&
git -C /tmp/git add out &&
git -C /tmp/git commit -m"out"
done
)
(
rm -rf /tmp/git-clone &&
git clone file:///tmp/git /tmp/git-clone &&
while git -C /tmp/git-clone pull
do
date
done
)
(
while git -C /tmp/git-clone reflog expire --all
do
date
done
)
Before this change the "reflog expire" would fail really quickly with
the "but expected" error noted above.
After this change both the "pull" and "reflog expire" will run for a
while, but eventually fail because I get unlucky with
core.filesRefLockTimeout (the "reflog expire" is in a really tight
loop). As noted above that can in turn be mitigated with higher values
of core.filesRefLockTimeout than the 100ms default.
As noted in the commentary added in the preceding commit there's also
the case of branches being racily deleted, that can be tested by
adding this to the above:
(
while git -C /tmp/git-clone branch topic master &&
git -C /tmp/git-clone branch -D topic
do
date
done
)
With core.filesRefLockTimeout set to 10 seconds (it can probably be a
lot lower) I managed to run all four of these concurrently for about
an hour, and accumulated ~125k commits, auto-gc's and all, and didn't
have a single failure. The loops visibly stall while waiting for the
lock, but that's expected and desired behavior.
0. https://en.wikipedia.org/wiki/Time-of-check_to_time-of-use
1. https://lore.kernel.org/git/87tvg7brlm.fsf@evledraar.gmail.com/
2. http://lore.kernel.org/git/b870a17d-2103-41b8-3cbc-7389d5fff33a@alum.mit.edu
3. https://lore.kernel.org/git/87pnqkco8v.fsf@evledraar.gmail.com/
Signed-off-by: Ævar Arnfjörð Bjarmason <avarab@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2021-08-23 13:36:10 +02:00
|
|
|
|
2014-12-12 09:56:58 +01:00
|
|
|
set_reflog_expiry_param(&cb.cmd, explicit_expiry, e->reflog);
|
2021-08-23 13:36:11 +02:00
|
|
|
status |= reflog_expire(e->reflog, flags,
|
2014-12-12 09:56:59 +01:00
|
|
|
reflog_expiry_prepare,
|
|
|
|
should_expire_reflog_ent,
|
|
|
|
reflog_expiry_cleanup,
|
|
|
|
&cb);
|
2008-01-26 08:53:05 +01:00
|
|
|
free(e);
|
|
|
|
}
|
|
|
|
free(collected.e);
|
|
|
|
}
|
|
|
|
|
2008-08-10 22:22:21 +02:00
|
|
|
for (; i < argc; i++) {
|
|
|
|
char *ref;
|
reflog expire: don't lock reflogs using previously seen OID
During reflog expiry, the cmd_reflog_expire() function first iterates
over all reflogs in logs/*, and then one-by-one acquires the lock for
each one and expires it. This behavior has been with us since this
command was implemented in 4264dc15e1 ("git reflog expire",
2006-12-19).
Change this to stop calling lock_ref_oid_basic() with the OID we saw
when we looped over the logs, instead have it pass the OID it managed
to lock.
This mostly mitigates a race condition where e.g. "git gc" will fail
in a concurrently updated repository because the branch moved since
"git reflog expire --all" was started. I.e. with:
error: cannot lock ref '<refname>': ref '<refname>' is at <OID-A> but expected <OID-B>
This behavior of passing in an "oid" was needed for an edge-case that
I've untangled in this and preceding commits though, namely that we
needed this OID because we'd:
1. Lookup the reflog name/OID via dwim_log()
2. With that OID, lock the reflog
3. Later in builtin/reflog.c we use the OID we looked as input to
lookup_commit_reference_gently(), assured that it's equal to the
OID we got from dwim_log().
We can be sure that this change is safe to make because between
dwim_log (step #1) and lock_ref_oid_basic (step #2) there was no other
logic relevant to the OID or expiry run in the cmd_reflog_expire()
caller.
We can thus treat that code as a black box, before and after this
change it would get an OID that's been locked, the only difference is
that now we mostly won't be failing to get the lock due to the TOCTOU
race[0]. That failure was purely an implementation detail in how the
"current OID" was looked up, it was divorced from the locking
mechanism.
What do we mean with "mostly"? It mostly mitigates it because we'll
still run into cases where the ref is locked and being updated as we
want to expire it, and other git processes wanting to update the refs
will in turn race with us as we expire the reflog.
That remaining race can in turn be mitigated with the
core.filesRefLockTimeout setting, see 4ff0f01cb7 ("refs: retry
acquiring reference locks for 100ms", 2017-08-21). In practice if that
value is high enough we'll probably never have ref updates or reflog
expiry failing, since the clients involved will retry for far longer
than the time any of those operations could take.
See [1] for an initial report of how this impacted "git gc" and a
large discussion about this change in early 2019. In particular patch
looked good to Michael Haggerty, see his[2]. That message seems to not
have made it to the ML archive, its content is quoted in full in my
[3].
I'm leaving behind now-unused code the refs API etc. that takes the
now-NULL "unused_oid" argument, and other code that can be simplified now
that we never have on OID in that context, that'll be cleaned up in
subsequent commits, but for now let's narrowly focus on fixing the
"git gc" issue. As the modified assert() shows we always pass a NULL
oid to reflog_expire() now.
Unfortunately this sort of probabilistic contention is hard to turn
into a test. I've tested this by running the following three subshells
in concurrent terminals:
(
rm -rf /tmp/git &&
git init /tmp/git &&
while true
do
head -c 10 /dev/urandom | hexdump >/tmp/git/out &&
git -C /tmp/git add out &&
git -C /tmp/git commit -m"out"
done
)
(
rm -rf /tmp/git-clone &&
git clone file:///tmp/git /tmp/git-clone &&
while git -C /tmp/git-clone pull
do
date
done
)
(
while git -C /tmp/git-clone reflog expire --all
do
date
done
)
Before this change the "reflog expire" would fail really quickly with
the "but expected" error noted above.
After this change both the "pull" and "reflog expire" will run for a
while, but eventually fail because I get unlucky with
core.filesRefLockTimeout (the "reflog expire" is in a really tight
loop). As noted above that can in turn be mitigated with higher values
of core.filesRefLockTimeout than the 100ms default.
As noted in the commentary added in the preceding commit there's also
the case of branches being racily deleted, that can be tested by
adding this to the above:
(
while git -C /tmp/git-clone branch topic master &&
git -C /tmp/git-clone branch -D topic
do
date
done
)
With core.filesRefLockTimeout set to 10 seconds (it can probably be a
lot lower) I managed to run all four of these concurrently for about
an hour, and accumulated ~125k commits, auto-gc's and all, and didn't
have a single failure. The loops visibly stall while waiting for the
lock, but that's expected and desired behavior.
0. https://en.wikipedia.org/wiki/Time-of-check_to_time-of-use
1. https://lore.kernel.org/git/87tvg7brlm.fsf@evledraar.gmail.com/
2. http://lore.kernel.org/git/b870a17d-2103-41b8-3cbc-7389d5fff33a@alum.mit.edu
3. https://lore.kernel.org/git/87pnqkco8v.fsf@evledraar.gmail.com/
Signed-off-by: Ævar Arnfjörð Bjarmason <avarab@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2021-08-23 13:36:10 +02:00
|
|
|
if (!dwim_log(argv[i], strlen(argv[i]), NULL, &ref)) {
|
2018-11-10 06:16:07 +01:00
|
|
|
status |= error(_("%s points nowhere!"), argv[i]);
|
2006-12-19 09:23:12 +01:00
|
|
|
continue;
|
|
|
|
}
|
2014-12-12 09:56:58 +01:00
|
|
|
set_reflog_expiry_param(&cb.cmd, explicit_expiry, ref);
|
2021-08-23 13:36:11 +02:00
|
|
|
status |= reflog_expire(ref, flags,
|
2014-12-12 09:56:59 +01:00
|
|
|
reflog_expiry_prepare,
|
|
|
|
should_expire_reflog_ent,
|
|
|
|
reflog_expiry_cleanup,
|
|
|
|
&cb);
|
2006-12-19 09:23:12 +01:00
|
|
|
}
|
|
|
|
return status;
|
|
|
|
}
|
|
|
|
|
2017-02-22 00:47:32 +01:00
|
|
|
static int count_reflog_ent(struct object_id *ooid, struct object_id *noid,
|
2017-04-26 21:29:31 +02:00
|
|
|
const char *email, timestamp_t timestamp, int tz,
|
2007-10-17 03:50:45 +02:00
|
|
|
const char *message, void *cb_data)
|
|
|
|
{
|
2014-12-12 09:56:58 +01:00
|
|
|
struct expire_reflog_policy_cb *cb = cb_data;
|
|
|
|
if (!cb->cmd.expire_total || timestamp < cb->cmd.expire_total)
|
|
|
|
cb->cmd.recno++;
|
2007-10-17 03:50:45 +02:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int cmd_reflog_delete(int argc, const char **argv, const char *prefix)
|
|
|
|
{
|
2014-12-12 09:56:58 +01:00
|
|
|
struct expire_reflog_policy_cb cb;
|
2007-10-17 03:50:45 +02:00
|
|
|
int i, status = 0;
|
2014-12-12 09:56:49 +01:00
|
|
|
unsigned int flags = 0;
|
2007-10-17 03:50:45 +02:00
|
|
|
|
|
|
|
memset(&cb, 0, sizeof(cb));
|
|
|
|
|
|
|
|
for (i = 1; i < argc; i++) {
|
2008-02-22 22:08:59 +01:00
|
|
|
const char *arg = argv[i];
|
|
|
|
if (!strcmp(arg, "--dry-run") || !strcmp(arg, "-n"))
|
2014-12-12 09:56:50 +01:00
|
|
|
flags |= EXPIRE_REFLOGS_DRY_RUN;
|
2008-02-22 19:56:50 +01:00
|
|
|
else if (!strcmp(arg, "--rewrite"))
|
2014-12-12 09:56:56 +01:00
|
|
|
flags |= EXPIRE_REFLOGS_REWRITE;
|
2008-02-22 20:04:12 +01:00
|
|
|
else if (!strcmp(arg, "--updateref"))
|
2014-12-12 09:56:51 +01:00
|
|
|
flags |= EXPIRE_REFLOGS_UPDATE_REF;
|
2008-02-22 22:08:59 +01:00
|
|
|
else if (!strcmp(arg, "--verbose"))
|
2014-12-12 09:56:55 +01:00
|
|
|
flags |= EXPIRE_REFLOGS_VERBOSE;
|
2008-02-22 22:08:59 +01:00
|
|
|
else if (!strcmp(arg, "--")) {
|
|
|
|
i++;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
else if (arg[0] == '-')
|
2018-11-10 06:16:07 +01:00
|
|
|
usage(_(reflog_delete_usage));
|
2008-02-22 22:08:59 +01:00
|
|
|
else
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (argc - i < 1)
|
2018-11-10 06:16:07 +01:00
|
|
|
return error(_("no reflog specified to delete"));
|
2008-02-22 22:08:59 +01:00
|
|
|
|
|
|
|
for ( ; i < argc; i++) {
|
2007-10-17 03:50:45 +02:00
|
|
|
const char *spec = strstr(argv[i], "@{");
|
|
|
|
char *ep, *ref;
|
|
|
|
int recno;
|
|
|
|
|
|
|
|
if (!spec) {
|
2018-11-10 06:16:07 +01:00
|
|
|
status |= error(_("not a reflog: %s"), argv[i]);
|
2007-10-17 03:50:45 +02:00
|
|
|
continue;
|
|
|
|
}
|
|
|
|
|
reflog expire: don't lock reflogs using previously seen OID
During reflog expiry, the cmd_reflog_expire() function first iterates
over all reflogs in logs/*, and then one-by-one acquires the lock for
each one and expires it. This behavior has been with us since this
command was implemented in 4264dc15e1 ("git reflog expire",
2006-12-19).
Change this to stop calling lock_ref_oid_basic() with the OID we saw
when we looped over the logs, instead have it pass the OID it managed
to lock.
This mostly mitigates a race condition where e.g. "git gc" will fail
in a concurrently updated repository because the branch moved since
"git reflog expire --all" was started. I.e. with:
error: cannot lock ref '<refname>': ref '<refname>' is at <OID-A> but expected <OID-B>
This behavior of passing in an "oid" was needed for an edge-case that
I've untangled in this and preceding commits though, namely that we
needed this OID because we'd:
1. Lookup the reflog name/OID via dwim_log()
2. With that OID, lock the reflog
3. Later in builtin/reflog.c we use the OID we looked as input to
lookup_commit_reference_gently(), assured that it's equal to the
OID we got from dwim_log().
We can be sure that this change is safe to make because between
dwim_log (step #1) and lock_ref_oid_basic (step #2) there was no other
logic relevant to the OID or expiry run in the cmd_reflog_expire()
caller.
We can thus treat that code as a black box, before and after this
change it would get an OID that's been locked, the only difference is
that now we mostly won't be failing to get the lock due to the TOCTOU
race[0]. That failure was purely an implementation detail in how the
"current OID" was looked up, it was divorced from the locking
mechanism.
What do we mean with "mostly"? It mostly mitigates it because we'll
still run into cases where the ref is locked and being updated as we
want to expire it, and other git processes wanting to update the refs
will in turn race with us as we expire the reflog.
That remaining race can in turn be mitigated with the
core.filesRefLockTimeout setting, see 4ff0f01cb7 ("refs: retry
acquiring reference locks for 100ms", 2017-08-21). In practice if that
value is high enough we'll probably never have ref updates or reflog
expiry failing, since the clients involved will retry for far longer
than the time any of those operations could take.
See [1] for an initial report of how this impacted "git gc" and a
large discussion about this change in early 2019. In particular patch
looked good to Michael Haggerty, see his[2]. That message seems to not
have made it to the ML archive, its content is quoted in full in my
[3].
I'm leaving behind now-unused code the refs API etc. that takes the
now-NULL "unused_oid" argument, and other code that can be simplified now
that we never have on OID in that context, that'll be cleaned up in
subsequent commits, but for now let's narrowly focus on fixing the
"git gc" issue. As the modified assert() shows we always pass a NULL
oid to reflog_expire() now.
Unfortunately this sort of probabilistic contention is hard to turn
into a test. I've tested this by running the following three subshells
in concurrent terminals:
(
rm -rf /tmp/git &&
git init /tmp/git &&
while true
do
head -c 10 /dev/urandom | hexdump >/tmp/git/out &&
git -C /tmp/git add out &&
git -C /tmp/git commit -m"out"
done
)
(
rm -rf /tmp/git-clone &&
git clone file:///tmp/git /tmp/git-clone &&
while git -C /tmp/git-clone pull
do
date
done
)
(
while git -C /tmp/git-clone reflog expire --all
do
date
done
)
Before this change the "reflog expire" would fail really quickly with
the "but expected" error noted above.
After this change both the "pull" and "reflog expire" will run for a
while, but eventually fail because I get unlucky with
core.filesRefLockTimeout (the "reflog expire" is in a really tight
loop). As noted above that can in turn be mitigated with higher values
of core.filesRefLockTimeout than the 100ms default.
As noted in the commentary added in the preceding commit there's also
the case of branches being racily deleted, that can be tested by
adding this to the above:
(
while git -C /tmp/git-clone branch topic master &&
git -C /tmp/git-clone branch -D topic
do
date
done
)
With core.filesRefLockTimeout set to 10 seconds (it can probably be a
lot lower) I managed to run all four of these concurrently for about
an hour, and accumulated ~125k commits, auto-gc's and all, and didn't
have a single failure. The loops visibly stall while waiting for the
lock, but that's expected and desired behavior.
0. https://en.wikipedia.org/wiki/Time-of-check_to_time-of-use
1. https://lore.kernel.org/git/87tvg7brlm.fsf@evledraar.gmail.com/
2. http://lore.kernel.org/git/b870a17d-2103-41b8-3cbc-7389d5fff33a@alum.mit.edu
3. https://lore.kernel.org/git/87pnqkco8v.fsf@evledraar.gmail.com/
Signed-off-by: Ævar Arnfjörð Bjarmason <avarab@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2021-08-23 13:36:10 +02:00
|
|
|
if (!dwim_log(argv[i], spec - argv[i], NULL, &ref)) {
|
2018-11-10 06:16:07 +01:00
|
|
|
status |= error(_("no reflog for '%s'"), argv[i]);
|
2007-10-17 03:50:45 +02:00
|
|
|
continue;
|
|
|
|
}
|
|
|
|
|
|
|
|
recno = strtoul(spec + 2, &ep, 10);
|
|
|
|
if (*ep == '}') {
|
2014-12-12 09:56:58 +01:00
|
|
|
cb.cmd.recno = -recno;
|
2007-10-17 03:50:45 +02:00
|
|
|
for_each_reflog_ent(ref, count_reflog_ent, &cb);
|
|
|
|
} else {
|
2014-12-12 09:56:58 +01:00
|
|
|
cb.cmd.expire_total = approxidate(spec + 2);
|
2007-10-17 03:50:45 +02:00
|
|
|
for_each_reflog_ent(ref, count_reflog_ent, &cb);
|
2014-12-12 09:56:58 +01:00
|
|
|
cb.cmd.expire_total = 0;
|
2007-10-17 03:50:45 +02:00
|
|
|
}
|
|
|
|
|
2021-08-23 13:36:11 +02:00
|
|
|
status |= reflog_expire(ref, flags,
|
2014-12-12 09:56:59 +01:00
|
|
|
reflog_expiry_prepare,
|
|
|
|
should_expire_reflog_ent,
|
|
|
|
reflog_expiry_cleanup,
|
|
|
|
&cb);
|
2007-10-17 03:50:45 +02:00
|
|
|
free(ref);
|
|
|
|
}
|
|
|
|
return status;
|
|
|
|
}
|
|
|
|
|
2015-07-21 23:04:53 +02:00
|
|
|
static int cmd_reflog_exists(int argc, const char **argv, const char *prefix)
|
|
|
|
{
|
|
|
|
int i, start = 0;
|
|
|
|
|
|
|
|
for (i = 1; i < argc; i++) {
|
|
|
|
const char *arg = argv[i];
|
|
|
|
if (!strcmp(arg, "--")) {
|
|
|
|
i++;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
else if (arg[0] == '-')
|
2018-11-10 06:16:07 +01:00
|
|
|
usage(_(reflog_exists_usage));
|
2015-07-21 23:04:53 +02:00
|
|
|
else
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
start = i;
|
|
|
|
|
|
|
|
if (argc - start != 1)
|
2018-11-10 06:16:07 +01:00
|
|
|
usage(_(reflog_exists_usage));
|
2015-07-21 23:04:53 +02:00
|
|
|
|
|
|
|
if (check_refname_format(argv[start], REFNAME_ALLOW_ONELEVEL))
|
2018-11-10 06:16:07 +01:00
|
|
|
die(_("invalid ref format: %s"), argv[start]);
|
2015-07-21 23:04:53 +02:00
|
|
|
return !reflog_exists(argv[start]);
|
|
|
|
}
|
|
|
|
|
reflog expire --fix-stale
The logic in an earlier round to detect reflog entries that
point at a broken commit was not sufficient. Just like we do
not trust presense of a commit during pack transfer (we trust
only our refs), we should not trust a commit's presense, even if
the tree of that commit is complete.
A repository that had reflog enabled on some of the refs that
was rewound and then run git-repack or git-prune from older
versions of git can have reflog entries that point at a commit
that still exist but lack commits (or trees and blobs needed for
that commit) between it and some commit that is reachable from
one of the refs.
This revamps the logic -- the definition of "broken commit"
becomes: a commit that is not reachable from any of the refs and
there is a missing object among the commit, tree, or blob
objects reachable from it that is not reachable from any of the
refs. Entries in the reflog that refer to such a commit are
expired.
Since this computation involves traversing all the reachable
objects, i.e. it has the same cost as 'git prune', it is enabled
only when a new option --fix-stale. Fortunately, once this is
run, we should not have to ever worry about missing objects,
because the current prune and pack-objects know about reflogs
and protect objects referred by them.
Unfortunately, this will be absolutely necessary to help people
migrate to the newer prune and repack.
Signed-off-by: Junio C Hamano <junkio@cox.net>
2007-01-06 11:16:19 +01:00
|
|
|
/*
|
|
|
|
* main "reflog"
|
|
|
|
*/
|
|
|
|
|
2006-12-19 09:23:12 +01:00
|
|
|
static const char reflog_usage[] =
|
2018-11-10 06:16:07 +01:00
|
|
|
N_("git reflog [ show | expire | delete | exists ]");
|
2006-12-19 09:23:12 +01:00
|
|
|
|
|
|
|
int cmd_reflog(int argc, const char **argv, const char *prefix)
|
|
|
|
{
|
2009-11-09 16:05:01 +01:00
|
|
|
if (argc > 1 && !strcmp(argv[1], "-h"))
|
2018-11-10 06:16:07 +01:00
|
|
|
usage(_(reflog_usage));
|
2009-11-09 16:05:01 +01:00
|
|
|
|
2007-02-08 18:51:56 +01:00
|
|
|
/* With no command, we default to showing it. */
|
|
|
|
if (argc < 2 || *argv[1] == '-')
|
|
|
|
return cmd_log_reflog(argc, argv, prefix);
|
|
|
|
|
|
|
|
if (!strcmp(argv[1], "show"))
|
|
|
|
return cmd_log_reflog(argc - 1, argv + 1, prefix);
|
|
|
|
|
|
|
|
if (!strcmp(argv[1], "expire"))
|
2006-12-19 09:23:12 +01:00
|
|
|
return cmd_reflog_expire(argc - 1, argv + 1, prefix);
|
2007-02-08 18:51:56 +01:00
|
|
|
|
2007-10-17 03:50:45 +02:00
|
|
|
if (!strcmp(argv[1], "delete"))
|
|
|
|
return cmd_reflog_delete(argc - 1, argv + 1, prefix);
|
|
|
|
|
2015-07-21 23:04:53 +02:00
|
|
|
if (!strcmp(argv[1], "exists"))
|
|
|
|
return cmd_reflog_exists(argc - 1, argv + 1, prefix);
|
|
|
|
|
2011-08-01 13:20:42 +02:00
|
|
|
return cmd_log_reflog(argc, argv, prefix);
|
2006-12-19 09:23:12 +01:00
|
|
|
}
|