commit-graph: introduce envvar to disable commit existence checks

Our `lookup_commit_in_graph()` helper tries to look up commits from the
commit graph and, if it doesn't exist there, falls back to parsing it
from the object database instead. This is intended to speed up the
lookup of any such commit that exists in the database. There is an edge
case though where the commit exists in the graph, but not in the object
database. To avoid returning such stale commits the helper function thus
double checks that any such commit parsed from the graph also exists in
the object database. This makes the function safe to use even when
commit graphs aren't updated regularly.

We're about to introduce the same pattern into other parts of our code
base though, namely `repo_parse_commit_internal()`. Here the extra
sanity check is a bit of a tougher sell: `lookup_commit_in_graph()` was
a newly introduced helper, and as such there was no performance hit by
adding this sanity check. If we added `repo_parse_commit_internal()`
with that sanity check right from the beginning as well, this would
probably never have been an issue to begin with. But by retrofitting it
with this sanity check now we do add a performance regression to
preexisting code, and thus there is a desire to avoid this or at least
give an escape hatch.

In practice, there is no inherent reason why either of those functions
should have the sanity check whereas the other one does not: either both
of them are able to detect this issue or none of them should be. This
also means that the default of whether we do the check should likely be
the same for both. To err on the side of caution, we thus rather want to
make `repo_parse_commit_internal()` stricter than to loosen the checks
that we already have in `lookup_commit_in_graph()`.

The escape hatch is added in the form of a new GIT_COMMIT_GRAPH_PARANOIA
environment variable that mirrors GIT_REF_PARANOIA. If enabled, which is
the default, we will double check that commits looked up in the commit
graph via `lookup_commit_in_graph()` also exist in the object database.
This same check will also be added in `repo_parse_commit_internal()`.

Signed-off-by: Patrick Steinhardt <ps@pks.im>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

diff --git a/Documentation/git.txt b/Documentation/git.txt
index 11228956cd5ec400b498d7483b8a4f71ec433ab2..3bac24cf8a2f8e9a4e0459105a0d662e3e8f73fa 100644 (file)
--- a/Documentation/git.txt
+++ b/Documentation/git.txt
@@ -911,6 +911,16 @@ for full details.
        should not normally need to set this to `0`, but it may be
        useful when trying to salvage data from a corrupted repository.
 
+`GIT_COMMIT_GRAPH_PARANOIA`::
+       When loading a commit object from the commit-graph, Git performs an
+       existence check on the object in the object database. This is done to
+       avoid issues with stale commit-graphs that contain references to
+       already-deleted commits, but comes with a performance penalty.
++
+The default is "true", which enables the aforementioned behavior.
+Setting this to "false" disables the existence check. This can lead to
+a performance improvement at the cost of consistency.
+
 `GIT_ALLOW_PROTOCOL`::
        If set to a colon-separated list of protocols, behave as if
        `protocol.allow` is set to `never`, and each of the listed

diff --git a/commit-graph.c b/commit-graph.c
index 0aa1640d15aca59b90617677afd30ef7c8d247c1..b37fdcb214b5df331b82c185401a3f8928b25371 100644 (file)
--- a/commit-graph.c
+++ b/commit-graph.c
@@ -907,14 +907,18 @@ int repo_find_commit_pos_in_graph(struct repository *r, struct commit *c,
 
 struct commit *lookup_commit_in_graph(struct repository *repo, const struct object_id *id)
 {
+       static int commit_graph_paranoia = -1;
        struct commit *commit;
        uint32_t pos;
 
+       if (commit_graph_paranoia == -1)
+               commit_graph_paranoia = git_env_bool(GIT_COMMIT_GRAPH_PARANOIA, 1);
+
        if (!prepare_commit_graph(repo))
                return NULL;
        if (!search_commit_pos_in_graph(id, repo->objects->commit_graph, &pos))
                return NULL;
-       if (!has_object(repo, id, 0))
+       if (commit_graph_paranoia && !has_object(repo, id, 0))
                return NULL;
 
        commit = lookup_commit(repo, id);

diff --git a/commit-graph.h b/commit-graph.h
index 5e534f0fcc8d131a6e759ed1658b0e0984123a6e..3c86e8b05f49785f4865d148e241d09fa43b130d 100644 (file)
--- a/commit-graph.h
+++ b/commit-graph.h
@@ -8,6 +8,12 @@
 #define GIT_TEST_COMMIT_GRAPH_DIE_ON_PARSE "GIT_TEST_COMMIT_GRAPH_DIE_ON_PARSE"
 #define GIT_TEST_COMMIT_GRAPH_CHANGED_PATHS "GIT_TEST_COMMIT_GRAPH_CHANGED_PATHS"
 
+/*
+ * This environment variable controls whether commits looked up via the
+ * commit graph will be double checked to exist in the object database.
+ */
+#define GIT_COMMIT_GRAPH_PARANOIA "GIT_COMMIT_GRAPH_PARANOIA"
+
 /*
  * This method is only used to enhance coverage of the commit-graph
  * feature in the test suite with the GIT_TEST_COMMIT_GRAPH and

diff --git a/t/t5318-commit-graph.sh b/t/t5318-commit-graph.sh
index 4df76173a8d774b56f60f12c7ee23372d11b7143..087e6ac3b84830f34f1fdc1093cad1fc2b9807aa 100755 (executable)
--- a/t/t5318-commit-graph.sh
+++ b/t/t5318-commit-graph.sh
@@ -815,4 +815,25 @@ test_expect_success 'overflow during generation version upgrade' '
        )
 '
 
+test_expect_success 'stale commit cannot be parsed when given directly' '
+       test_when_finished "rm -rf repo" &&
+       git init repo &&
+       (
+               cd repo &&
+               test_commit A &&
+               test_commit B &&
+               git commit-graph write --reachable &&
+
+               oid=$(git rev-parse B) &&
+               rm .git/objects/"$(test_oid_to_path "$oid")" &&
+
+               # Verify that it is possible to read the commit from the
+               # commit graph when not being paranoid, ...
+               GIT_COMMIT_GRAPH_PARANOIA=false git rev-list B &&
+               # ... but parsing the commit when double checking that
+               # it actually exists in the object database should fail.
+               test_must_fail git rev-list -1 B
+       )
+'
+
 test_done