Fix race condition in local registry crate unpacking

[hugwijst]

Copy crate and keep exclusive lock to it with local registries. Ensures
that only one instance will try to extract the source of a new package.

Fixes #6588.

[rust-highfive]

Thanks for the pull request, and welcome! The Rust team is excited to review your changes, and you should hear from @dwijnand (or someone else) soon.

If any changes to this PR are deemed necessary, please add them as extra commits. This ensures that the reviewer can see what has changed since they last reviewed the code. Due to the way GitHub handles out-of-date commits, this should also make it reasonably obvious what issues have or haven't been addressed. Large or tricky changes may require several passes of review and changes.

Please see the contribution instructions for more information.

[hugwijst]

This is directly copied from RemoteRegistry. Probably not necessary, though I'm wondering how necessary it is in the current version of RemoteRegistry anyway.

[dwijnand]

r? @alexcrichton

(Sorry, travelling)

[alexcrichton]

Thanks for the PR! I'm may be confused though as I'm not sure how the original implementation here suffered from a bug. In the original implementation it's just calculating the checksum for a tarball, so I'm not sure where the race is for concurrent builds?

[hugwijst]

The race is in the unpacking, I think. LocalRegistry::download always returned a shared FileLock. If I understand correctly, the unpack logic in RegistrySource::unpack_package assumes though that the lock of the tarball implies that the destination directory that is being unpacked into is being locked exclusively. This holds for remote registries, but not for local registries.

I think a better solution might be to actually lock the unpacking instead of the tarball. This could be fairly easily done by locking the .cargo-ok file, maybe writing "ok" to it when it is correctly unpacked to detect an interrupted unpacking job? The main issue with this solution is upgrading from an older version of Cargo, as I'm not sure if unpacking over existing files would work correctly.

[alexcrichton]

I'm trying to make sense of this, but I don't think this PR as-is is the right solution. It looks like unpacking is actually already racy even for remote downloads because the unpacking step isn't synchronized at all. We do some synchronization to ensure that only one Cargo downloads the crate during remote downloads, but even for remote downloads a shared read lock can be returned (as expected local registries always do).

Looking at the original bug report again it looks like there's a bug in Cargo's error reporting, because there should be an I/O error in the error message as to what actually failed in the underlying system. Currently it just shows that something failed to unpack, but it doesn't say why (or what os error hapened).

Perhaps the locking here could be moved to the unpacking step instead of the downloading step?

[hugwijst]

I've spent some more time on this and I think I understand a lot better what the issue is now.

Imagine two instances trying to use a package that is not yet unpacked:

1. Instance 1 is first and starts unpacking.
2. Instance 2 reaches RegistrySource::unpack_package, sees no .cargo-ok file and also starts unpacking.
3. Instance 2 trying to unpack the same file instance 1 is trying to unpack results in an IO error.
   Alternatively:
4. Instance 1 finishes unpacking an creates the .cargo-ok file.
5. Instance 1 starts compiling the crate that instance 2 is still unpacking. As some files are being unpacked, compilation fails.

This only happens when using a local registry. With a remote registry the registry index gets locked, allowing only one instance at a time to access the registry cache.

I was able to reproduce this by:

1. Create a local registry mirror of the crates needed by Cargo.
2. Set CARGO_HOME to a hard disk or some other slower file system, as this will significantly increase the chance of the race resulting in issues.
3. Create a .cargo/config to point to the local registry mirror.
4. cargo clean
5. Execute two cargo commands in parallel that don't share a build directory, eg cargo check & cargo check --release.
   You might need to execute the last two commands a couple of times, but it fails about 50% of the time on my machine.

My latest commit fixes the issue locally.

[alexcrichton]

That sounds right to me, and the fix looks almost there!

The only other thing I think we need to handle is that open_rw shouldn't happen first. In the fast path we should only use open_ro because this handles cases like:

• Avoids unnecessary contention when the filesystem is actually ready to go (most of the time)
• Avoids failing for already-unpacked packages on readonly filesystems (can happen in docker for example)

I think we'll want to start with an open_ro, and if that succeeds check the size of the file. If the file is zero size or nonexistent then we drop the lock and open_rw. After the open_rw we check the size again before proceeding to handle something else grabbing the lock in the middle.

[alexcrichton]

@bors: r+

Looks great to me, thanks!

[bors]

📌 Commit a23612d has been approved by alexcrichton

[bors]

⌛ Testing commit a23612d with merge cbc159917ec4350853e241d0aa8f52950dfd4ea4...

[bors]

💥 Test timed out

[dwijnand]

@bors retry

[bors]

⌛ Testing commit a23612d with merge a15852c386d9566d242a80cbb58dc94e54f9e764...

[bors]

💥 Test timed out

[hugwijst]

@bors retry

[bors]

@hugwijst: 🔑 Insufficient privileges: not in try users

[dwijnand]

@bors retry

[bors]

⌛ Testing commit a23612d with merge 9f1f786...

[bors]

☀️ Test successful - checks-travis, status-appveyor
Approved by: alexcrichton
Pushing 9f1f786 to master...