# HG changeset patch # User Matt Harbison # Date 1558662864 14400 # Node ID 0546ead39a7ee2b89f3bcf2567d4e3778a4c50c3 # Parent 89c0c8edc9d40ccb707acbeccff25891c5456521 manifest: avoid corruption by dropping removed files with pure (issue5801) Previously, removed files would simply be marked by overwriting the first byte with NUL and dropping their entry in `self.position`. But no effort was made to ignore them when compacting the dictionary into text form. This allowed them to slip into the manifest revision, since the code seems to be trying to minimize the string operations by copying as large a chunk as possible. As part of this, compact() walks the existing text based on entries in the `positions` list, and consumed everything up to the next position entry. This typically resulted in a ValueError complaining about unsorted manifest entries. Sometimes it seems that files do get dropped in large repos- it seems to correspond to there being a new entry that would take the same slot. A much more trivial problem is that if the only changes were removals, `_compact()` didn't even run because `__delitem__` doesn't add anything to `self.extradata`. Now there's an explicit variable to flag this, both to allow `_compact()` to run, and to avoid searching the manifest in cases where there are no removals. In practice, this behavior was mostly obscured by the check in fastdelta() which takes a different path that explicitly drops removed files if there are fewer than 1000 changes. However, timeless has a repo where after rebasing tens of commits, a totally different path[1] is taken that bypasses the change count check and hits this problem. [1] https://www.mercurial-scm.org/repo/hg/file/2338bdea4474/mercurial/manifest.py#l1511 diff -r 89c0c8edc9d4 -r 0546ead39a7e mercurial/manifest.py --- a/mercurial/manifest.py Thu May 23 21:39:19 2019 -0400 +++ b/mercurial/manifest.py Thu May 23 21:54:24 2019 -0400 @@ -126,17 +126,20 @@ return (a > b) - (a < b) class _lazymanifest(object): - def __init__(self, data, positions=None, extrainfo=None, extradata=None): + def __init__(self, data, positions=None, extrainfo=None, extradata=None, + hasremovals=False): if positions is None: self.positions = self.findlines(data) self.extrainfo = [0] * len(self.positions) self.data = data self.extradata = [] + self.hasremovals = False else: self.positions = positions[:] self.extrainfo = extrainfo[:] self.extradata = extradata[:] self.data = data + self.hasremovals = hasremovals def findlines(self, data): if not data: @@ -244,6 +247,7 @@ self.extrainfo = self.extrainfo[:needle] + self.extrainfo[needle + 1:] if cur >= 0: self.data = self.data[:cur] + '\x00' + self.data[cur + 1:] + self.hasremovals = True def __setitem__(self, key, value): if not isinstance(key, bytes): @@ -279,11 +283,11 @@ def copy(self): # XXX call _compact like in C? return _lazymanifest(self.data, self.positions, self.extrainfo, - self.extradata) + self.extradata, self.hasremovals) def _compact(self): # hopefully not called TOO often - if len(self.extradata) == 0: + if len(self.extradata) == 0 and not self.hasremovals: return l = [] i = 0 @@ -298,6 +302,16 @@ i += 1 if i == len(self.positions) or self.positions[i] < 0: break + + # A removed file has no positions[] entry, but does have an + # overwritten first byte. Break out and find the end of the + # current good entry/entries if there is a removed file + # before the next position. + if (self.hasremovals + and self.data.find('\n\x00', cur, + self.positions[i]) != -1): + break + offset += self.positions[i] - cur cur = self.positions[i] end_cut = self.data.find('\n', cur) @@ -316,6 +330,7 @@ offset += len(l[-1]) i += 1 self.data = ''.join(l) + self.hasremovals = False self.extradata = [] def _pack(self, d): diff -r 89c0c8edc9d4 -r 0546ead39a7e tests/test-manifest.t --- a/tests/test-manifest.t Thu May 23 21:39:19 2019 -0400 +++ b/tests/test-manifest.t Thu May 23 21:54:24 2019 -0400 @@ -219,7 +219,7 @@ > manifest = $TESTTMP/manifest.py > EOF -BROKEN: Pure removes should actually remove all dropped entries +Pure removes should actually remove all dropped entries $ hg init repo $ cd repo @@ -239,32 +239,25 @@ $ hg debugdata -m 1 a.txt\x00b789fdd96dc2f3bd229c1dd8eedf0fc60e2b68e3 (esc) aa.txt\x00a4bdc161c8fbb523c9a60409603f8710ff49a571 (esc) - \x00.txt\x001e88685f5ddec574a34c70af492f95b6debc8741 (esc) (pure !) c.txt\x00149da44f2a4e14f488b7bd4157945a9837408c00 (esc) cc.txt\x00149da44f2a4e14f488b7bd4157945a9837408c00 (esc) ccc.txt\x00149da44f2a4e14f488b7bd4157945a9837408c00 (esc) - \x00.txt\x001e88685f5ddec574a34c70af492f95b6debc8741 (esc) (pure !) e.txt\x00149da44f2a4e14f488b7bd4157945a9837408c00 (esc) - $ hg up -C . 2>&1 | grep ValueError || true - raise ValueError("Manifest lines not in sorted order.") (pure !) - ValueError: Manifest lines not in sorted order. (pure !) + $ hg up -qC . - $ hg verify || true + $ hg verify checking changesets checking manifests - manifest@1: reading delta c1f6b2f803ac: Non-hexadecimal digit found (pure !) crosschecking files in changesets and manifests checking files checked 2 changesets with 8 changes to 8 files - 1 integrity errors encountered! (pure !) - (first damaged changeset appears to be 1) (pure !) $ hg rollback -q --config ui.rollback=True $ hg rm b.txt d.txt $ echo bb > bb.txt -BROKEN: A mix of adds and removes should remove all dropped entries. +A mix of adds and removes should remove all dropped entries. $ hg ci -Aqm 'remove b and d; add bb' @@ -275,20 +268,11 @@ c.txt\x00149da44f2a4e14f488b7bd4157945a9837408c00 (esc) cc.txt\x00149da44f2a4e14f488b7bd4157945a9837408c00 (esc) ccc.txt\x00149da44f2a4e14f488b7bd4157945a9837408c00 (esc) - \x00.txt\x001e88685f5ddec574a34c70af492f95b6debc8741 (esc) (pure !) e.txt\x00149da44f2a4e14f488b7bd4157945a9837408c00 (esc) - $ hg up -C . 2>&1 | grep ValueError || true - raise ValueError("Manifest lines not in sorted order.") (pure !) - ValueError: Manifest lines not in sorted order. (pure !) - - $ hg verify || true + $ hg verify checking changesets checking manifests - manifest@1: reading delta 0a0385480090: Manifest lines not in sorted order. (pure !) crosschecking files in changesets and manifests - bb.txt@1: in changeset but not in manifest (pure !) checking files checked 2 changesets with 9 changes to 9 files - 2 integrity errors encountered! (pure !) - (first damaged changeset appears to be 1) (pure !)