Re: [PATCH 4/5] builtin/repack.c: be more conservative with unsigned overflows

From: Junio C Hamano <gitster@pobox.com>
To: Taylor Blau <me@ttaylorr.com>
Cc: git@vger.kernel.org, peff@peff.net
Subject: Re: [PATCH 4/5] builtin/repack.c: be more conservative with unsigned overflows
Date: Fri, 05 Mar 2021 11:32:57 -0800	[thread overview]
Message-ID: <xmqqr1kt9z12.fsf@gitster.c.googlers.com> (raw)
In-Reply-To: <d55324f7a256fce491a29a1debf142f817eb01d3.1614957681.git.me@ttaylorr.com> (Taylor Blau's message of "Fri, 5 Mar 2021 10:21:56 -0500")

Taylor Blau <me@ttaylorr.com> writes:

> There are a number of places in the geometric repack code where we
> multiply the number of objects in a pack by another unsigned value. We
> trust that the number of objects in a pack is always representable by a
> uint32_t, but we don't necessarily trust that that number can be
> multiplied without overflow.
>
> Sprinkle some unsigned_add_overflows() and unsigned_mult_overflows() in
> split_pack_geometry() to check that we never overflow any unsigned types
> when adding or multiplying them.
>
> Arguably these checks are a little too conservative, and certainly they
> do not help the readability of this function. But they are serving a
> useful purpose, so I think they are worthwhile overall.
>
> Suggested-by: Junio C Hamano <gitster@pobox.com>

I do not deserve this for my idle thinking-out-aloud speculation.
You did all the thinking and work.

I do not know if just dying is a useful thing to do, though.  These
all happen in the "discover where the split point is, to figure out
which packs to coalesce" phase where we haven't touched anything on
disk, so in that sense it is safe to die, but what recourse do users
have after seeing these errors?

For example, in the first overflow check in hunk -388,11, presumably
when total_size for a given set of packfiles does not fit in
int32_t, it won't be fruitful to attempt to coalesce such a set of
packs into one, so perhaps a better fix may be to shift the split
point earlier to find a point that lets us to pack as many as we
could?

I do not offhand know what a sensible and gentler fallback position
would be for the factor multiplication, but presumably, if the right
hand side of this ...

>  		if (geometry_pack_weight(ours) < factor * total_size) {

... overflows, we can say it would definitely be larger than our
weight and continue, instead of "no, we cannot multiply total with
factor, as that would give us too big a number", I guess.

I am OK to either (1) leave the code as-is without this patch, because
the overflow would only affect the largest of packs and would be rare,
and people who would notice when they hit it would probably are the ones
with enough resource to diagnose, report and even give us a fix ;-)
or (2) apply this patch as-is, because the only people who will see
the die() would be the same ones affected by (1) above anyway.

And applying this patch as-is would give better chance than (1) for
the overflow to be noticed.

So, let's queue the patch as-is.

Thanks.