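/* recovery.c --- FSFS recovery functionality
 *
 * ====================================================================
 *    Licensed to the Apache Software Foundation (ASF) under one
 *    or more contributor license agreements.  See the NOTICE file
 *    distributed with this work for additional information
 *    regarding copyright ownership.  The ASF licenses this file
 *    to you under the Apache License, Version 2.0 (the
 *    "License"); you may not use this file except in compliance
 *    with the License.  You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 *    Unless required by applicable law or agreed to in writing,
 *    software distributed under the License is distributed on an
 *    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 *    KIND, either express or implied.  See the License for the
 *    specific language governing permissions and limitations
 *    under the License.
 * ====================================================================
 */

#include "recovery.h"

#include "svn_hash.h"
#include "svn_pools.h"
#include "private/svn_string_private.h"

#include "index.h"
#include "low_level.h"
#include "rep-cache.h"
#include "revprops.h"
#include "util.h"
#include "cached_data.h"

#include "../libsvn_fs/fs-loader.h"

#include "svn_private_config.h"

/* Part of the recovery procedure.  Return the largest revision *REV in
   filesystem FS.  Use POOL for temporary allocation.

   A revision is considered to exist when its pack or rev file can be
   opened; any error other than SVN_ERR_FS_NO_SUCH_REVISION is propagated
   to the caller. */
static svn_error_t *
recover_get_largest_revision(svn_fs_t *fs, svn_revnum_t *rev, apr_pool_t *pool)
{
  /* Discovering the largest revision in the filesystem would be an
     expensive operation if we did a readdir() or searched linearly,
     so we'll do a form of binary search.  left is a revision that we
     know exists, right a revision that we know does not exist. */
  apr_pool_t *iterpool;
  svn_revnum_t left, right = 1;

  iterpool = svn_pool_create(pool);
  /* Keep doubling right, until we find a revision that doesn't exist. */
  while (1)
    {
      svn_error_t *err;
      svn_fs_fs__revision_file_t *file;
      svn_pool_clear(iterpool);

      err = svn_fs_fs__open_pack_or_rev_file(&file, fs, right, iterpool,
                                             iterpool);
      if (err && err->apr_err == SVN_ERR_FS_NO_SUCH_REVISION)
        {
          svn_error_clear(err);
          break;
        }
      else
        SVN_ERR(err);

      right <<= 1;
    }

  /* The previous probe (half of RIGHT) is the last one that opened, or
     revision 0 when even revision 1 does not exist. */
  left = right >> 1;

  /* We know that left exists and right doesn't.  Do a normal bsearch to find
     the last revision. */
  while (left + 1 < right)
    {
      svn_revnum_t probe = left + ((right - left) / 2);
      svn_error_t *err;
      svn_fs_fs__revision_file_t *file;
      svn_pool_clear(iterpool);

      err = svn_fs_fs__open_pack_or_rev_file(&file, fs, probe, iterpool,
                                             iterpool);
      if (err && err->apr_err == SVN_ERR_FS_NO_SUCH_REVISION)
        {
          svn_error_clear(err);
          right = probe;
        }
      else
        {
          SVN_ERR(err);
          left = probe;
        }
    }

  svn_pool_destroy(iterpool);

  /* left is now the largest revision that exists. */
  *rev = left;
  return SVN_NO_ERROR;
}

/* A baton for reading a fixed amount from an open file.  For
   recover_find_max_ids() below. */
struct recover_read_from_file_baton
{
  /* Underlying stream positioned at the start of the representation. */
  svn_stream_t *stream;
  /* Pool the baton and its stream were allocated in. */
  apr_pool_t *pool;
  /* Bytes still allowed to be read; counts down to 0 (EOF). */
  apr_off_t remaining;
};

/* A stream read handler used by recover_find_max_ids() below.
   Read and return at most BATON->REMAINING bytes from the stream,
   returning nothing after that to indicate EOF.

   BATON is a 'struct recover_read_from_file_baton *'.  On entry *LEN is
   the caller's buffer size; on exit it is the number of bytes delivered
   (updated by svn_stream_read_full on the underlying stream). */
static svn_error_t *
read_handler_recover(void *baton, char *buffer, apr_size_t *len)
{
  struct recover_read_from_file_baton *b = baton;
  apr_size_t bytes_to_read = *len;

  if (b->remaining == 0)
    {
      /* Return a successful read of zero bytes to signal EOF. */
      *len = 0;
      return SVN_NO_ERROR;
    }

  /* Clamp the request to what the representation still has; the cast to a
     common signed width avoids a mixed signed/unsigned comparison between
     apr_size_t and apr_off_t. */
  if ((apr_int64_t)bytes_to_read > (apr_int64_t)b->remaining)
    bytes_to_read = (apr_size_t)b->remaining;
  b->remaining -= bytes_to_read;

  return svn_stream_read_full(b->stream, buffer, &bytes_to_read);
}

/* Part of the recovery procedure.  Read the directory noderev at offset
   OFFSET of file REV_FILE (the revision file of revision REV of
   filesystem FS), and set MAX_NODE_ID and MAX_COPY_ID to be the node-id
   and copy-id of that node, if greater than the current value stored
   in either.  Recurse into any child directories that were modified in
   this revision.

   MAX_NODE_ID and MAX_COPY_ID must be arrays of at least MAX_KEY_SIZE.

   Perform temporary allocation in POOL.  The noderev, rep header and the
   directory entry hash are allocated in POOL, so callers scanning many
   revisions should pass a per-iteration pool.

   Returns SVN_ERR_FS_CORRUPT if the node at OFFSET is not a directory, if
   its representation is not PLAIN, or if a directory entry cannot be
   parsed.

   NOTE(review): recursion depth is bounded only by the directory tree of
   REV as recorded on disk; a corrupt revision file whose entries refer
   back to an already visited directory offset would recurse without a
   limit -- confirm whether a depth or visited-offset guard is wanted for
   recovery of damaged repositories. */
static svn_error_t *
recover_find_max_ids(svn_fs_t *fs,
                     svn_revnum_t rev,
                     svn_fs_fs__revision_file_t *rev_file,
                     apr_off_t offset,
                     apr_uint64_t *max_node_id,
                     apr_uint64_t *max_copy_id,
                     apr_pool_t *pool)
{
  svn_fs_fs__rep_header_t *header;
  struct recover_read_from_file_baton baton;
  svn_stream_t *stream;
  apr_hash_t *entries;
  apr_hash_index_t *hi;
  apr_pool_t *iterpool;
  node_revision_t *noderev;
  svn_error_t *err;

  baton.stream = rev_file->stream;
  SVN_ERR(svn_io_file_seek(rev_file->file, APR_SET, &offset, pool));
  SVN_ERR(svn_fs_fs__read_noderev(&noderev, baton.stream, pool, pool));

  /* Check that this is a directory.  It should be. */
  if (noderev->kind != svn_node_dir)
    return svn_error_create(SVN_ERR_FS_CORRUPT, NULL,
                            _("Recovery encountered a non-directory node"));

  /* Get the data location.  No data location indicates an empty directory. */
  if (!noderev->data_rep)
    return SVN_NO_ERROR;

  /* If the directory's data representation wasn't changed in this revision,
     we've already scanned the directory's contents for noderevs, so we don't
     need to again.  This will occur if a property is changed on a directory
     without changing the directory's contents. */
  if (noderev->data_rep->revision != rev)
    return SVN_NO_ERROR;

  /* We could use get_dir_contents(), but this is much cheaper.  It does
     rely on directory entries being stored as PLAIN reps, though. */
  SVN_ERR(svn_fs_fs__item_offset(&offset, fs, rev_file, rev, NULL,
                                 noderev->data_rep->item_index, pool));
  SVN_ERR(svn_io_file_seek(rev_file->file, APR_SET, &offset, pool));
  SVN_ERR(svn_fs_fs__read_rep_header(&header, baton.stream, pool, pool));
  if (header->type != svn_fs_fs__rep_plain)
    return svn_error_create(SVN_ERR_FS_CORRUPT, NULL,
                            _("Recovery encountered a deltified directory "
                              "representation"));

  /* Now create a stream that's allowed to read only as much data as is
     stored in the representation.  Note that this is a directory, i.e.
     represented using the hash format on disk and can never have 0 length.
     Bounding the read here keeps svn_hash_read2 from running past the
     representation into unrelated data of the revision file. */
  baton.pool = pool;
  baton.remaining = noderev->data_rep->expanded_size;
  stream = svn_stream_create(&baton, pool);
  svn_stream_set_read2(stream, NULL /* only full read support */,
                       read_handler_recover);

  /* Now read the entries from that stream. */
  entries = apr_hash_make(pool);
  err = svn_hash_read2(entries, stream, SVN_HASH_TERMINATOR, pool);
  if (err)
    {
      svn_string_t *id_str = svn_fs_fs__id_unparse(noderev->id, pool);

      /* Close the stream even on failure; any close error is chained onto
         the original one rather than replacing it. */
      err = svn_error_compose_create(err, svn_stream_close(stream));
      return svn_error_quick_wrapf(err,
                 _("malformed representation for node-revision '%s'"),
                 id_str->data);
    }
  SVN_ERR(svn_stream_close(stream));

  /* Now check each of the entries in our directory to find new node and
     copy ids, and recurse into new subdirectories.  ITERPOOL is a subpool
     of POOL, so the early error returns below leave it to be reclaimed
     together with POOL. */
  iterpool = svn_pool_create(pool);
  for (hi = apr_hash_first(pool, entries); hi; hi = apr_hash_next(hi))
    {
      char *str_val;
      char *str;
      svn_node_kind_t kind;
      const svn_fs_id_t *id;
      const svn_fs_fs__id_part_t *rev_item;
      apr_uint64_t node_id, copy_id;
      apr_off_t child_dir_offset;
      const svn_string_t *path = apr_hash_this_val(hi);

      svn_pool_clear(iterpool);

      /* Tokenizing modifies the buffer, so work on a private copy. */
      str_val = apr_pstrdup(iterpool, path->data);

      /* Entry value format: "<kind> <id>". */
      str = svn_cstring_tokenize(" ", &str_val);
      if (str == NULL)
        return svn_error_create(SVN_ERR_FS_CORRUPT, NULL,
                                _("Directory entry corrupt"));

      if (strcmp(str, SVN_FS_FS__KIND_FILE) == 0)
        kind = svn_node_file;
      else if (strcmp(str, SVN_FS_FS__KIND_DIR) == 0)
        kind = svn_node_dir;
      else
        {
          return svn_error_create(SVN_ERR_FS_CORRUPT, NULL,
                                  _("Directory entry corrupt"));
        }

      str = svn_cstring_tokenize(" ", &str_val);
      if (str == NULL)
        return svn_error_create(SVN_ERR_FS_CORRUPT, NULL,
                                _("Directory entry corrupt"));

      SVN_ERR(svn_fs_fs__id_parse(&id, str, iterpool));

      rev_item = svn_fs_fs__id_rev_item(id);
      if (rev_item->revision != rev)
        {
          /* If the node wasn't modified in this revision, we've already
             checked the node and copy id. */
          continue;
        }

      node_id = svn_fs_fs__id_node_id(id)->number;
      copy_id = svn_fs_fs__id_copy_id(id)->number;

      if (node_id > *max_node_id)
        *max_node_id = node_id;
      if (copy_id > *max_copy_id)
        *max_copy_id = copy_id;

      /* Only directories have children to descend into. */
      if (kind == svn_node_file)
        continue;

      SVN_ERR(svn_fs_fs__item_offset(&child_dir_offset, fs,
                                     rev_file, rev, NULL, rev_item->number,
                                     iterpool));
      SVN_ERR(recover_find_max_ids(fs, rev, rev_file, child_dir_offset,
                                   max_node_id, max_copy_id, iterpool));
    }
  svn_pool_destroy(iterpool);

  return SVN_NO_ERROR;
}

/* Part of the recovery procedure.  Given an open non-packed revision file
   REV_FILE for REV, locate the trailer that specifies the offset to the root
   node-id and store this offset in *ROOT_OFFSET.  Do temporary allocations in
   POOL.

   Asserts that REV_FILE is not packed; the trailer lookup only makes sense
   on a single-revision file whose trailer is at the very end. */
static svn_error_t *
recover_get_root_offset(apr_off_t *root_offset,
                        svn_revnum_t rev,
                        svn_fs_fs__revision_file_t *rev_file,
                        apr_pool_t *pool)
{
  char buffer[64];
  svn_stringbuf_t *trailer;
  apr_off_t start;
  apr_off_t end;
  apr_size_t len;

  SVN_ERR_ASSERT(!rev_file->is_packed);

  /* We will assume that the last line containing the two offsets (to the root
     node-id and to the changed path information) will never be longer than 64
     characters. */
  end = 0;
  SVN_ERR(svn_io_file_seek(rev_file->file, APR_END, &end, pool));

  /* A file shorter than the window is read whole; the explicit cast keeps
     the comparison in apr_off_t rather than promoting END to size_t. */
  if (end < (apr_off_t)sizeof(buffer))
    {
      len = (apr_size_t)end;
      start = 0;
    }
  else
    {
      len = sizeof(buffer);
      start = end - (apr_off_t)sizeof(buffer);
    }

  SVN_ERR(svn_io_file_seek(rev_file->file, APR_SET, &start, pool));
  SVN_ERR(svn_io_file_read_full2(rev_file->file, buffer, len,
                                 NULL, NULL, pool));

  /* The parser validates the trailer syntax and reports a corrupt file
     if the offsets cannot be read back. */
  trailer = svn_stringbuf_ncreate(buffer, len, pool);
  SVN_ERR(svn_fs_fs__parse_revision_trailer(root_offset, NULL, trailer, rev));

  return SVN_NO_ERROR;
}

/* Baton used for recover_body below. */
struct recover_baton {
  svn_fs_t *fs;
  /* Optional cancellation callback, polled once per scanned revision. */
  svn_cancel_func_t cancel_func;
  void *cancel_baton;
};

/* The work-horse for svn_fs_fs__recover, called with the FS
   write lock.  This implements the svn_fs_fs__with_write_lock()
   'body' callback type.  BATON is a 'struct recover_baton *'.

   Steps: bump the instance ID, locate the youngest revision on disk,
   sanity-check it against db/current, rescan node/copy IDs for old
   formats, verify the youngest revprops file, prune the rep cache and
   finally rewrite db/current. */
static svn_error_t *
recover_body(void *baton, apr_pool_t *pool)
{
  struct recover_baton *b = baton;
  svn_fs_t *fs = b->fs;
  fs_fs_data_t *ffd = fs->fsap_data;
  svn_revnum_t max_rev;
  apr_uint64_t next_node_id = 0;
  apr_uint64_t next_copy_id = 0;
  svn_revnum_t youngest_rev;
  svn_node_kind_t youngest_revprops_kind;

  /* The admin may have created a plain copy of this repo before attempting
     to recover it (hotcopy may or may not work with corrupted repos).
     Bump the instance ID. */
  SVN_ERR(svn_fs_fs__set_uuid(fs, fs->uuid, NULL, pool));

  /* We need to know the largest revision in the filesystem. */
  SVN_ERR(recover_get_largest_revision(fs, &max_rev, pool));

  /* Get the expected youngest revision */
  SVN_ERR(svn_fs_fs__youngest_rev(&youngest_rev, fs, pool));

  /* Policy note:

     Since the revprops file is written after the revs file, the true
     maximum available revision is the youngest one for which both are
     present.  That's probably the same as the max_rev we just found,
     but if it's not, we could, in theory, repeatedly decrement
     max_rev until we find a revision that has both a revs and
     revprops file, then write db/current with that.

     But we choose not to.  If a repository is so corrupt that it's
     missing at least one revprops file, we shouldn't assume that the
     youngest revision for which both the revs and revprops files are
     present is healthy.  In other words, we're willing to recover
     from a missing or out-of-date db/current file, because db/current
     is truly redundant -- it's basically a cache so we don't have to
     find max_rev each time, albeit a cache with unusual semantics,
     since it also officially defines when a revision goes live.  But
     if we're missing more than the cache, it's time to back out and
     let the admin reconstruct things by hand: correctness at that
     point may depend on external things like checking a commit email
     list, looking in particular working copies, etc.

     This policy matches well with a typical naive backup scenario.
     Say you're rsyncing your FSFS repository nightly to the same
     location.  Once revs and revprops are written, you've got the
     maximum rev; if the backup should bomb before db/current is
     written, then db/current could stay arbitrarily out-of-date, but
     we can still recover.  It's a small window, but we might as well
     do what we can. */

  /* Even if db/current were missing, it would be created with 0 by
     get_youngest(), so this conditional remains valid. */
  if (youngest_rev > max_rev)
    return svn_error_createf(SVN_ERR_FS_CORRUPT, NULL,
                             _("Expected current rev to be <= %ld "
                               "but found %ld"), max_rev, youngest_rev);

  /* We only need to search for maximum IDs for old FS formats which
     use global ID counters. */
  if (ffd->format < SVN_FS_FS__MIN_NO_GLOBAL_IDS_FORMAT)
    {
      /* Next we need to find the maximum node id and copy id in use across the
         filesystem.  Unfortunately, the only way we can get this information
         is to scan all the noderevs of all the revisions and keep track as
         we go along. */
      svn_revnum_t rev;
      apr_pool_t *iterpool = svn_pool_create(pool);

      for (rev = 0; rev <= max_rev; rev++)
        {
          svn_fs_fs__revision_file_t *rev_file;
          apr_off_t root_offset;

          svn_pool_clear(iterpool);

          if (b->cancel_func)
            SVN_ERR(b->cancel_func(b->cancel_baton));

          /* All per-revision scratch data (the open revision file, the
             noderevs and directory hashes read by recover_find_max_ids)
             is allocated in ITERPOOL so that it is reclaimed by the next
             svn_pool_clear instead of accumulating in POOL for every
             revision of the repository. */
          SVN_ERR(svn_fs_fs__open_pack_or_rev_file(&rev_file, fs, rev,
                                                   iterpool, iterpool));
          SVN_ERR(recover_get_root_offset(&root_offset, rev, rev_file,
                                          iterpool));
          SVN_ERR(recover_find_max_ids(fs, rev, rev_file, root_offset,
                                       &next_node_id, &next_copy_id,
                                       iterpool));
          SVN_ERR(svn_fs_fs__close_revision_file(rev_file));
        }
      svn_pool_destroy(iterpool);

      /* Now that we finally have the maximum revision, node-id and copy-id, we
         can bump the two ids to get the next of each. */
      next_node_id++;
      next_copy_id++;
    }

  /* Before setting current, verify that there is a revprops file
     for the youngest revision.  (Issue #2992) */
  SVN_ERR(svn_io_check_path(svn_fs_fs__path_revprops(fs, max_rev, pool),
                            &youngest_revprops_kind, pool));
  if (youngest_revprops_kind == svn_node_none)
    {
      /* No loose revprops file; it may still live in a revprops pack. */
      svn_boolean_t missing = TRUE;
      if (!svn_fs_fs__packed_revprop_available(&missing, fs, max_rev, pool))
        {
          if (missing)
            {
              return svn_error_createf(SVN_ERR_FS_CORRUPT, NULL,
                                      _("Revision %ld has a revs file but no "
                                        "revprops file"),
                                      max_rev);
            }
          else
            {
              return svn_error_createf(SVN_ERR_FS_CORRUPT, NULL,
                                      _("Revision %ld has a revs file but the "
                                        "revprops file is inaccessible"),
                                      max_rev);
            }
        }
    }
  else if (youngest_revprops_kind != svn_node_file)
    {
      return svn_error_createf(SVN_ERR_FS_CORRUPT, NULL,
                              _("Revision %ld has a non-file where its "
                                "revprops file should be"),
                              max_rev);
    }

  /* Prune younger-than-(newfound-youngest) revisions from the rep
     cache, taking care not to create the cache if it does not exist.

     We do this whenever rep-cache.db exists, whether it's currently enabled
     or not, to prevent a data loss that could result from having revisions
     created after this 'recover' operation referring to rep-cache.db rows
     that were created before the recover and that point to revisions younger-
     than-(newfound-youngest).
   */
  if (ffd->format >= SVN_FS_FS__MIN_REP_SHARING_FORMAT)
    {
      svn_boolean_t rep_cache_exists;

      SVN_ERR(svn_fs_fs__exists_rep_cache(&rep_cache_exists, fs, pool));
      if (rep_cache_exists)
        SVN_ERR(svn_fs_fs__del_rep_reference(fs, max_rev, pool));
    }

  /* Now store the discovered youngest revision, and the next IDs if
     relevant, in a new 'current' file. */
  return svn_fs_fs__write_current(fs, max_rev, next_node_id, next_copy_id,
                                  pool);
}

/* This implements the fs_library_vtable_t.recover() API.

   FS is the filesystem to recover; CANCEL_FUNC/CANCEL_BATON are optional
   and are polled while scanning revisions.  The actual work runs in
   recover_body() while holding all FS locks, so concurrent writers are
   blocked for the duration. */
svn_error_t *
svn_fs_fs__recover(svn_fs_t *fs,
                   svn_cancel_func_t cancel_func, void *cancel_baton,
                   apr_pool_t *pool)
{
  struct recover_baton b;

  /* We have no way to take out an exclusive lock in FSFS, so we're
     restricted as to the types of recovery we can do.  Luckily,
     we just want to recreate the 'current' file, and we can do that just
     by blocking other writers. */
  b.fs = fs;
  b.cancel_func = cancel_func;
  b.cancel_baton = cancel_baton;
  return svn_fs_fs__with_all_locks(fs, recover_body, &b, pool);
}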