| blob | ce0a35216bad6d0171120e286f8a43076818d3f8 |
1 /*
2 Copyright 2020 Google LLC
4 Use of this source code is governed by a BSD-style
5 license that can be found in the LICENSE file or at
6 https://developers.google.com/open-source/licenses/bsd
7 */
36 {
41 }
44 {
47 }
50 {
54 }
58 {
85 }
87 }
90 {
97 }
102 }
108 }
113 done:
116 }
119 {
126 }
129 }
133 }
137 {
140 }
144 {
147 }
151 {
153 }
156 {
160 names++;
161 }
163 }
165 /* Close and free the stack */
167 {
173 }
178 }
188 }
192 /* On Windows, can only unlink after closing. */
194 }
195 }
199 }
204 }
210 }
214 {
219 }
221 }
226 {
244 /* this is linear; we assume compaction keeps the number of
245 tables under control so this is not quadratic. */
251 /*
252 * When reloading the stack fails, we end up
253 * releasing all new readers. This also
254 * includes the reused readers, even though
255 * they are still in used by the old stack. We
256 * thus need to keep them alive here, which we
257 * do by bumping their refcount.
258 */
263 }
264 }
278 }
281 new_readers_len++;
282 }
284 /* success! */
290 /*
291 * Close the old, non-reused readers and proactively try to unlink
292 * them. This is done for systems like Windows, where the underlying
293 * file of such an open reader wouldn't have been possible to be
294 * unlinked by the compacting process.
295 */
302 }
303 }
305 /* Update the stack to point to the new tables. */
318 /*
319 * Decrement the refcount of reused readers again. This only needs to
320 * happen on the successful case, because on the unsuccessful one we
321 * decrement their refcount via `new_readers`.
322 */
326 done:
334 }
336 /* return negative if a before b. */
338 {
346 }
350 {
369 /*
370 * Only look at deadlines after the first few times. This
371 * simplifies debugging in GDB.
372 */
373 tries++;
382 }
389 }
397 /*
398 * REFTABLE_NOT_EXIST_ERROR can be caused by a concurrent
399 * writer. Check if there was one by checking if the name list
400 * changed.
401 */
409 }
420 }
422 out:
423 /*
424 * Invalidate the stat cache. It is sufficient to only close the file
425 * descriptor and keep the cached stat info because we never use the
426 * latter when the former is negative.
427 */
431 }
433 /*
434 * Cache stat information in case it provides a useful signal to us.
435 * According to POSIX, "The st_ino and st_dev fields taken together
436 * uniquely identify the file within the system." That being said,
437 * Windows is not POSIX compliant and we do not have these fields
438 * available. So the information we have there is insufficient to
439 * determine whether two file descriptors point to the same file.
440 *
441 * While we could fall back to using other signals like the file's
442 * mtime, those are not sufficient to avoid races. We thus refrain from
443 * using the stat cache on such systems and fall back to the secondary
444 * caching mechanism, which is to check whether contents of the file
445 * have changed.
446 *
447 * On other systems which are POSIX compliant we must keep the file
448 * descriptor open. This is to avoid a race condition where two
449 * processes access the reftable stack at the same point in time:
450 *
451 * 1. A reads the reftable stack and caches its stat info.
452 *
453 * 2. B updates the stack, appending a new table to "tables.list".
454 * This will both use a new inode and result in a different file
455 * size, thus invalidating A's cache in theory.
456 *
457 * 3. B decides to auto-compact the stack and merges two tables. The
458 * file size now matches what A has cached again. Furthermore, the
459 * filesystem may decide to recycle the inode number of the file
460 * we have replaced in (2) because it is not in use anymore.
461 *
462 * 4. A reloads the reftable stack. Neither the inode number nor the
463 * file size changed. If the timestamps did not change either then
464 * we think the cached copy of our stack is up-to-date.
465 *
466 * By keeping the file descriptor open the inode number cannot be
467 * recycled, mitigating the race.
468 */
473 }
480 }
482 /* -1 = error
483 0 = up to date
484 1 = changed. */
486 {
491 /*
492 * When we have cached stat information available then we use it to
493 * verify whether the file has been rewritten.
494 *
495 * Note that we explicitly do not want to use `stat_validity_check()`
496 * and friends here because they may end up not comparing the `st_dev`
497 * and `st_ino` fields. These functions thus cannot guarantee that we
498 * indeed still have the same file.
499 */
504 /*
505 * It's fine for "tables.list" to not exist. In that
506 * case, we have to refresh when the loaded stack has
507 * any readers.
508 */
512 }
514 /*
515 * When "tables.list" refers to the same file we can assume
516 * that it didn't change. This is because we always use
517 * rename(3P) to update the file and never write to it
518 * directly.
519 */
523 }
533 }
538 }
539 }
544 }
546 done:
549 }
552 {
557 }
562 {
566 /* Ignore error return, we want to propagate
567 REFTABLE_OUTDATED_ERROR.
568 */
570 }
572 }
575 }
578 {
585 }
594 };
596 #define REFTABLE_ADDITION_INIT {0}
600 {
607 LOCK_NO_DEREF);
613 }
615 }
621 }
622 }
630 }
633 done:
636 }
639 }
642 {
651 }
659 }
662 {
665 }
668 }
671 {
683 }
687 }
694 }
700 }
706 }
708 /* success, no more state to clean up. */
721 /*
722 * Auto-compact the stack to keep the number of tables in
723 * control. It is possible that a concurrent writer is already
724 * trying to compact parts of the stack, which would lead to a
725 * `REFTABLE_LOCK_ERROR` because parts of the stack are locked
726 * already. This is a benign error though, so we ignore it.
727 */
732 }
734 done:
737 }
741 {
750 }
752 }
758 {
769 done:
772 }
778 {
797 }
803 }
804 }
817 }
825 }
830 }
836 /*
837 On windows, this relies on rand() picking a unique destination name.
838 Maybe we should do retry loop as well?
839 */
844 }
849 done:
856 }
859 {
865 }
871 {
888 }
895 }
914 done:
920 }
926 {
955 }
961 }
966 entries++;
967 }
980 }
985 }
990 }
995 }
1000 entries++;
1001 }
1003 done:
1011 }
1014 /*
1015 * Perform a best-effort compaction. That is, even if we cannot lock
1016 * all tables in the specified range, we will try to compact the
1017 * remaining slice.
1018 */
1020 };
1022 /*
1023 * Compact all tables in the range `[first, last)` into a single new table.
1024 *
1025 * This function returns `0` on success or a code `< 0` on failure. When the
1026 * stack or any of the tables in the specified range are already locked then
1027 * this function returns `REFTABLE_LOCK_ERROR`. This is a benign error that
1028 * callers can either ignore, or they may choose to retry compaction after some
1029 * amount of time.
1030 */
1035 {
1051 }
1055 /*
1056 * Hold the lock so that we can read "tables.list" and lock all tables
1057 * which are part of the user-specified range.
1058 */
1060 LOCK_NO_DEREF);
1064 else
1067 }
1073 /*
1074 * Lock all tables in the user-provided range. This is the slice of our
1075 * stack which we'll compact.
1076 *
1077 * Note that we lock tables in reverse order from last to first. The
1078 * intent behind this is to allow a newer process to perform best
1079 * effort compaction of tables that it has added in the case where an
1080 * older process is still busy compacting tables which are preexisting
1081 * from the point of view of the newer process.
1082 */
1090 /*
1091 * When the table is locked already we may do a
1092 * best-effort compaction and compact only the tables
1093 * that we have managed to lock so far. This of course
1094 * requires that we have been able to lock at least two
1095 * tables, otherwise there would be nothing to compact.
1096 * In that case, we return a lock error to our caller.
1097 */
1101 /*
1102 * The subtraction is to offset the index, the
1103 * addition is to only compact up to the table
1104 * of the preceding iteration. They obviously
1105 * cancel each other out, but that may be
1106 * non-obvious when it was omitted.
1107 */
1116 }
1117 }
1119 /*
1120 * We need to close the lockfiles as we might otherwise easily
1121 * run into file descriptor exhaustion when we compress a lot
1122 * of tables.
1123 */
1128 }
1129 }
1131 /*
1132 * We have locked all tables in our range and can thus release the
1133 * "tables.list" lock while compacting the locked tables. This allows
1134 * concurrent updates to the stack to proceed.
1135 */
1140 }
1142 /*
1143 * Compact the now-locked tables into a new table. Note that compacting
1144 * these tables may end up with an empty new table in case tombstones
1145 * end up cancelling out all refs in that range.
1146 */
1152 }
1154 /*
1155 * Now that we have written the new, compacted table we need to re-lock
1156 * "tables.list". We'll then replace the compacted range of tables with
1157 * the new table.
1158 */
1160 LOCK_NO_DEREF);
1164 else
1167 }
1174 }
1175 }
1177 /*
1178 * As we have unlocked the stack while compacting our slice of tables
1179 * it may have happened that a concurrently running process has updated
1180 * the stack while we were compacting. In that case, we need to check
1181 * whether the tables that we have just compacted still exist in the
1182 * stack in the exact same order as we have compacted them.
1183 *
1184 * If they do exist, then it is fine to continue and replace those
1185 * tables with our compacted version. If they don't, then we need to
1186 * abort.
1187 */
1199 }
1206 /*
1207 * Search for the offset of the first table that we have
1208 * compacted in the updated "tables.list" file.
1209 */
1214 /*
1215 * We have found the first entry. Verify that all the
1216 * subsequent tables we have compacted still exist in
1217 * the modified stack in the exact same order as we
1218 * have compacted them.
1219 */
1225 /*
1226 * If some entries are missing or in case the tables
1227 * have changed then we need to bail out. Again, this
1228 * shouldn't ever happen because we have locked the
1229 * tables we are compacting.
1230 */
1234 }
1235 }
1239 }
1241 /*
1242 * In case we didn't find our compacted tables in the stack we
1243 * need to bail out. In theory, this should have never happened
1244 * because we locked the tables we are compacting.
1245 */
1249 }
1251 /*
1252 * We have found the new range that we want to replace, so
1253 * let's update the range of tables that we want to replace.
1254 */
1258 /*
1259 * `fd_read_lines()` uses a `NULL` sentinel to indicate that
1260 * the array is at its end. As we use `free_names()` to free
1261 * the array, we need to include this sentinel value here and
1262 * thus have to allocate `readers_len + 1` many entries.
1263 */
1269 }
1271 /*
1272 * If the resulting compacted table is not empty, then we need to move
1273 * it into place now.
1274 */
1285 }
1286 }
1288 /*
1289 * Write the new "tables.list" contents with the compacted table we
1290 * have just written. In case the compacted table became empty we
1291 * simply skip writing it.
1292 */
1306 }
1313 }
1320 }
1322 /*
1323 * Reload the stack before deleting the compacted tables. We can only
1324 * delete the files after we closed them on Windows, so this needs to
1325 * happen first.
1326 */
1331 /*
1332 * Delete the old tables. They may still be in use by concurrent
1333 * readers, so it is expected that unlinking tables may fail.
1334 */
1340 }
1342 done:
1359 }
1363 {
1366 }
1369 {
1371 }
1375 {
1383 /*
1384 * If there are no tables or only a single one then we don't have to
1385 * compact anything. The sequence is geometric by definition already.
1386 */
1390 /*
1391 * Find the ending table of the compaction segment needed to restore the
1392 * geometric sequence. Note that the segment end is exclusive.
1393 *
1394 * To do so, we iterate backwards starting from the most recent table
1395 * until a valid segment end is found. If the preceding table is smaller
1396 * than the current table multiplied by the geometric factor (2), the
1397 * compaction segment end has been identified.
1398 *
1399 * Tables after the ending point are not added to the byte count because
1400 * they are already valid members of the geometric sequence. Due to the
1401 * properties of a geometric sequence, it is not possible for the sum of
1402 * these tables to exceed the value of the ending point table.
1403 *
1404 * Example table size sequence requiring no compaction:
1405 * 64, 32, 16, 8, 4, 2, 1
1406 *
1407 * Example table size sequence where compaction segment end is set to
1408 * the last table. Since the segment end is exclusive, the last table is
1409 * excluded during subsequent compaction and the table with size 3 is
1410 * the final table included:
1411 * 64, 32, 16, 8, 4, 3, 1
1412 */
1418 }
1419 }
1421 /*
1422 * Find the starting table of the compaction segment by iterating
1423 * through the remaining tables and keeping track of the accumulated
1424 * size of all tables seen from the segment end table. The previous
1425 * table is compared to the accumulated size because the tables from the
1426 * segment end are merged backwards recursively.
1427 *
1428 * Note that we keep iterating even after we have found the first
1429 * starting point. This is because there may be tables in the stack
1430 * preceding that first starting point which violate the geometric
1431 * sequence.
1432 *
1433 * Example compaction segment start set to table with size 32:
1434 * 128, 32, 16, 8, 4, 3, 1
1435 */
1443 }
1444 }
1447 }
1450 {
1461 }
1464 {
1475 }
1479 {
1481 }
1485 {
1503 }
1505 out:
1508 }
1512 {
1529 }
1531 done:
1534 }
1537 }
1540 {
1543 }
1547 {
1568 }
1569 done:
1571 }
1574 {
1581 }
1591 }
1596 }
1600 }
1603 {
1608 }
1613 }
1617 done:
1620 }