[v2] Makefile: add OPEN_RETURNS_EINTR knob

On Wed, Feb 24, 2021 at 01:20:44PM -0500, Jeff King wrote:

> > Hmph, just like other workarounds, shouldn't this be "if your
> > platform screws this up, define this knob to work it around"?  That
> > would make it fit better with the rest of compat/.
> 
> I actually started that way, but then I got stuck deciding which
> platforms in config.mak.uname to enable it for. We've seen it on Linux
> and on macOS. I don't know how prevalent it is on those platforms (or
> whether it is indeed a bug that may even get fixed). Since the check is
> basically zero-cost at run-time, it seemed like it was worth just being
> on guard for it so that nobody ever had to worry about it again.
> 
> But I don't feel that strongly. I'd be happy to do it with a Makefile
> knob if you prefer.

So here's a v2 that turns it into a Makefile knob.

This was motivated by two things:

  - it must not be enabled on Windows, where it overrides the existing
    mingw_open()

  - I couldn't replicate it on a Big Sur machine, using the same
    sequence that Aleksey did (basically just cloning and checking out
    dotnet/runtime.git from scratch).

    So it's not entirely clear to me how widespread the problem is. A
    conservative approach (at least in terms of change from the status
    quo) is to introduce this knob but not enable it automatically
    (which this patch does). And then if somebody runs into it, they can
    try turning the knob.

    It's less conservative in the sense that we won't be preemptively
    protecting people. I dunno. Once we have the knob, it would be
    pretty easy to just flip the default.

-- >8 --
Subject: [PATCH] Makefile: add OPEN_RETURNS_EINTR knob

On some platforms, open() reportedly returns EINTR when opening regular
files and we receive a signal (usually SIGALRM from our progress meter).
This shouldn't happen, as open() should be a restartable syscall, and we
specify SA_RESTART when setting up the alarm handler. So it may actually
be a kernel or libc bug for this to happen. But it has been reported on
at least one version of Linux (on a network filesystem):

  https://lore.kernel.org/git/c8061cce-71e4-17bd-a56a-a5fed93804da@neanderfunk.de/

as well as on macOS starting with Big Sur even on a regular filesystem.

We can work around it by retrying open() calls that get EINTR, just as
we do for read(), etc. Since we don't ever _want_ to interrupt an open()
call, we can get away with just redefining open, rather than insisting
all callsites use xopen().

We actually do have an xopen() wrapper already (and it even does this
retry, though there's no indication of it being an observed problem back
then; it seems simply to have been lifted from xread(), etc). But it is
used hardly anywhere, and isn't suitable for general use because it will
die() on error. In theory we could combine the two, but it's awkward to
do so because of the variable-args interface of open().

This patch adds a Makefile knob for enabling the workaround. It's not
enabled by default for any platforms in config.mak.uname yet, as we
don't have enough data to decide how common this is (I have not been
able to reproduce on either Linux or Big Sur myself). It may be worth
enabling preemptively anyway, since the cost is pretty low (if we don't
see an EINTR, it's just an extra conditional).

However, note that we must not enable this on Windows. It doesn't do
anything there, and the macro overrides the existing mingw_open()
redirection. I've added a preemptive #undef here in the mingw header
(which is processed first) to just quietly disable it (we could also
make it an #error, but there is little point in being so aggressive).

Reported-by: Aleksey Kliger <alklig@microsoft.com>
Signed-off-by: Jeff King <peff@peff.net>
---
 Makefile          |  7 +++++++
 compat/mingw.h    |  1 +
 compat/open.c     | 25 +++++++++++++++++++++++++
 git-compat-util.h |  6 ++++++
 4 files changed, 39 insertions(+)
 create mode 100644 compat/open.c

Jeff King <peff@peff.net> writes:

> However, note that we must not enable this on Windows. It doesn't do
> anything there, and the macro overrides the existing mingw_open()
> redirection. I've added a preemptive #undef here in the mingw header
> (which is processed first) to just quietly disable it (we could also
> make it an #error, but there is little point in being so aggressive).
> ...
> diff --git a/compat/open.c b/compat/open.c
> new file mode 100644
> index 0000000000..eb3754a23b
> --- /dev/null
> +++ b/compat/open.c
> @@ -0,0 +1,25 @@
> +#include "git-compat-util.h"
> +
> +#undef open
> +int git_open_with_retry(const char *path, int flags, ...)
> +{
> +	mode_t mode = 0;
> +	int ret;
> +
> +	/*
> +	 * Also O_TMPFILE would take a mode, but it isn't defined everywhere.
> +	 * And anyway, we don't use it in our code base.
> +	 */

That is being extra careful---I like it very much.

> +	if (flags & O_CREAT) {
> +		va_list ap;
> +		va_start(ap, flags);
> +		mode = va_arg(ap, int);
> +		va_end(ap);
> +	}
> +
> +	do {
> +		ret = open(path, flags, mode);
> +	} while (ret < 0 && errno == EINTR);
> +
> +	return ret;
> +}

Thanks.

> diff --git a/git-compat-util.h b/git-compat-util.h
> index 838246289c..551cc9f22f 100644
> --- a/git-compat-util.h
> +++ b/git-compat-util.h
> @@ -788,6 +788,12 @@ int git_vsnprintf(char *str, size_t maxsize,
>  		  const char *format, va_list ap);
>  #endif
>  
> +#ifdef OPEN_RETURNS_EINTR
> +#undef open
> +#define open git_open_with_retry
> +int git_open_with_retry(const char *path, int flag, ...);
> +#endif
> +
>  #ifdef __GLIBC_PREREQ
>  #if __GLIBC_PREREQ(2, 1)
>  #define HAVE_STRCHRNUL