On Fri, Oct 13, 2023 at 07:53:36AM +0200, Patrick Steinhardt wrote:
> On Thu, Oct 12, 2023 at 09:17:09AM -0700, Junio C Hamano wrote:
> > Patrick Steinhardt writes:
> [snip]
> > My assumption also has been that there is no point in running
> > "rev-list --missing" if we know there is no repository corruption,
> > and those who run "rev-list --missing" want to know if the objects
> > are really available, i.e. even if commit-graph that is out of sync
> > with reality says it exists, if it is not in the object store, they
> > would want to know that.
> >
> > If you can show me that it is not the case, then I may be persuaded
> > why producing a result that is out of sync with reality _quickly_,
> > instead of taking time to produce a result that matches reality, is
> > a worthy "optimization" to keep.
>
> Note that I'm not saying that it's fine to return wrong results -- this
> is of course a bug that needs to be addressed somehow. After all, things
> working correctly should always trump things working fast. But until now
> it felt more like we were going into the direction of disabling commit
> graphs without checking whether there is an alternative solution that
> allows us to get the best of both worlds, correctness and performance.
>
> So what I'm looking for in this thread is a reason why we _can't_ have
> that, or at least can't have it without unreasonable amounts of work. We
> have helpers like `lookup_commit_in_graph()` that are designed to detect
> stale commit graphs by double-checking whether a commit that has been
> looked up via the commit graph actually exists in the repository. So I'm
> wondering whether this could help us address the issue.
>
> If there is a good reason why all of that is not possible then I'm happy
> to carve in.

I've had a quick look at this problem so that I can solidify my own train
of thought a bit.
The issue is `repo_parse_commit_internal()`, which calls `parse_commit_in_graph()` without verifying that the object actually exists in the object database. It's the only callsite of that function outside of "commit-graph.c", as all other external callers would call `lookup_commit_in_graph()` which _does_ perform the object existence check. So I think that the proper way to address the regression would be a patch similar to the following: diff --git a/commit.c b/commit.c index b3223478bc..109e9217e3 100644 --- a/commit.c +++ b/commit.c @@ -572,8 +572,13 @@ int repo_parse_commit_internal(struct repository *r, return -1; if (item->object.parsed) return 0; - if (use_commit_graph && parse_commit_in_graph(r, item)) + if (use_commit_graph && parse_commit_in_graph(r, item)) { + if (!has_object(r, &item->object.oid, 0)) + return quiet_on_missing ? -1 : + error(_("commit %s exists in commit-graph but not in the object database"), + oid_to_hex(&item->object.oid)); return 0; + } if (oid_object_info_extended(r, &item->object.oid, &oi, flags) < 0) return quiet_on_missing ? -1 : I wouldn't be surprised if there are other edge cases where this can lead to buggy behaviour. Also, this issue may not necessarily stem from repository corruption. It could for example happen that commits are getting garbage collected without the commit graph having been updated, whatever the reason may be for this. In that case we would happily continue to return these commits from the commit graph even though the underlying object has since been deleted. The repository itself is not corrupt though, we merely look at an out-of-date commit graph. And for what it's worth, I think that we should always gracefully handle that case or otherwise the commit graph becomes less useful overall. I didn't dig much deeper yet. And while the above patch fixes some of the test failures, it doesn't fix them all. If we agree that this is the way to go then I'd be happy to turn this into a proper patch. Patrick
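
Review bot: In the new `has_object()` failure branch in `repo_parse_commit_internal()`, the error is returned only after `parse_commit_in_graph(r, item)` has already succeeded, so `item` may already carry graph-derived data. If that call marks the object as parsed, a later call for the same commit would take the `if (item->object.parsed) return 0;` early return at the top of the hunk and report success without reaching the existence check again. Consider checking `has_object()` before trusting the graph result, or undoing the parse before returning -1. The check also adds an object database lookup for every commit served from the commit graph, so the cost is worth measuring on a large history, and the error path should come with a test that removes a commit object while leaving the commit graph in place.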