1
# Copyright (C) 2006-2010 Canonical Ltd
3
# This program is free software; you can redistribute it and/or modify
4
# it under the terms of the GNU General Public License as published by
5
# the Free Software Foundation; either version 2 of the License, or
6
# (at your option) any later version.
8
# This program is distributed in the hope that it will be useful,
9
# but WITHOUT ANY WARRANTY; without even the implied warranty of
10
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11
# GNU General Public License for more details.
13
# You should have received a copy of the GNU General Public License
14
# along with this program; if not, write to the Free Software
15
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
17
"""On-disk mutex protecting a resource
19
bzr on-disk objects are locked by the existence of a directory with a
20
particular name within the control directory. We use this rather than OS
21
internal locks (such as flock etc) because they can be seen across all
22
transports, including http.
24
Objects can be read if there is only physical read access; therefore
25
readers can never be required to create a lock, though they will
26
check whether a writer is using the lock. Writers can't detect
27
whether anyone else is reading from the resource as they write.
28
This works because of ordering constraints that make sure readers
29
see a consistent view of existing data.
31
Waiting for a lock must be done by polling; this can be aborted after
34
Locks must always be explicitly released, typically from a try/finally
35
block -- they are not released from a finalizer or when Python
38
Locks may fail to be released if the process is abruptly terminated
39
(machine stop, SIGKILL) or if a remote transport becomes permanently
40
disconnected. There is therefore a method to break an existing lock.
41
This should rarely be used, and generally only with user approval.
42
Locks contain some information on when the lock was taken and by who
43
which may guide in deciding whether it can safely be broken. (This is
44
similar to the messages displayed by emacs and vim.) Note that if the
45
lock holder is still alive they will get no notification that the lock
46
has been broken and will continue their work -- so it is important to be
47
sure they are actually dead.
49
A lock is represented on disk by a directory of a particular name,
50
containing an information file. Taking a lock is done by renaming a
51
temporary directory into place. We use temporary directories because
52
for all known transports and filesystems we believe that exactly one
53
attempt to claim the lock will succeed and the others will fail. (Files
54
won't do because some filesystems or transports only have
55
rename-and-overwrite, making it hard to tell who won.)
57
The desired characteristics are:
59
* Locks are not reentrant. (That is, a client that tries to take a
60
lock it already holds may deadlock or fail.)
61
* Stale locks can be guessed at by a heuristic
62
* Lost locks can be broken by any client
63
* Failed lock operations leave little or no mess
64
* Deadlocks are avoided by having a timeout always in use, clients
65
desiring indefinite waits can retry or set a silly big timeout.
67
Storage formats use the locks, and also need to consider concurrency
68
issues underneath the lock. A format may choose not to use a lock
69
at all for some operations.
71
LockDirs always operate over a Transport. The transport may be readonly, in
72
which case the lock can be queried but not acquired.
74
Locks are identified by a path name, relative to a base transport.
76
Calling code will typically want to make sure there is exactly one LockDir
77
object per actual lock on disk. This module does nothing to prevent aliasing
78
and deadlocks will likely occur if the locks are aliased.
80
In the future we may add a "freshen" method which can be called
81
by a lock holder to check that their lock has not been broken, and to
82
update the timestamp within it.
86
>>> from bzrlib.transport.memory import MemoryTransport
87
>>> # typically will be obtained from a BzrDir, Branch, etc
88
>>> t = MemoryTransport()
89
>>> l = LockDir(t, 'sample-lock')
91
>>> token = l.wait_lock()
92
>>> # do something here
98
# TODO: We sometimes have the problem that our attempt to rename '1234' to
99
# 'held' fails because the transport server moves into an existing directory,
100
# rather than failing the rename. If we made the info file name the same as
101
# the locked directory name we would avoid this problem because moving into
102
# the held directory would implicitly clash. However this would not mesh with
103
# the existing locking code and needs a new format of the containing object.
104
# -- robertc, mbp 20070628
116
from bzrlib.decorators import only_raises
117
from bzrlib.errors import (
131
from bzrlib.trace import mutter, note
132
from bzrlib.osutils import format_delta, rand_chars, get_host_name
135
from bzrlib.lazy_import import lazy_import
136
lazy_import(globals(), """
137
from bzrlib import rio
140
# XXX: At the moment there is no consideration of thread safety on LockDir
141
# objects. This should perhaps be updated - e.g. if two threads try to take a
142
# lock at the same time they should *both* get it. But then that's unlikely
145
# TODO: Perhaps store some kind of note like the bzr command line in the lock
148
# TODO: Some kind of callback run while polling a lock to show progress
151
# TODO: Make sure to pass the right file and directory mode bits to all
152
# files/dirs created.
155
_DEFAULT_TIMEOUT_SECONDS = 30
156
_DEFAULT_POLL_SECONDS = 1.0
159
class LockDir(lock.Lock):
160
"""Write-lock guarding access to data.
163
__INFO_NAME = '/info'
165
def __init__(self, transport, path, file_modebits=0644, dir_modebits=0755):
166
"""Create a new LockDir object.
168
The LockDir is initially unlocked - this just creates the object.
170
:param transport: Transport which will contain the lock
172
:param path: Path to the lock within the base directory of the
175
self.transport = transport
177
self._lock_held = False
178
self._locked_via_token = False
179
self._fake_read_lock = False
180
self._held_dir = path + '/held'
181
self._held_info_path = self._held_dir + self.__INFO_NAME
182
self._file_modebits = file_modebits
183
self._dir_modebits = dir_modebits
185
self._report_function = note
188
return '%s(%s%s)' % (self.__class__.__name__,
192
is_held = property(lambda self: self._lock_held)
194
def create(self, mode=None):
195
"""Create the on-disk lock.
197
This is typically only called when the object/directory containing the
198
directory is first created. The lock is not held when it's created.
200
self._trace("create lock directory")
202
self.transport.mkdir(self.path, mode=mode)
203
except (TransportError, PathError), e:
204
raise LockFailed(self, e)
207
def _attempt_lock(self):
208
"""Make the pending directory and attempt to rename into place.
210
If the rename succeeds, we read back the info file to check that we
213
If we fail to acquire the lock, this method is responsible for
214
cleaning up the pending directory if possible. (But it doesn't do
217
:returns: The nonce of the lock, if it was successfully acquired.
219
:raises LockContention: If the lock is held by someone else. The exception
220
contains the info of the current holder of the lock.
222
self._trace("lock_write...")
223
start_time = time.time()
225
tmpname = self._create_pending_dir()
226
except (errors.TransportError, PathError), e:
227
self._trace("... failed to create pending dir, %s", e)
228
raise LockFailed(self, e)
230
self.transport.rename(tmpname, self._held_dir)
231
except (errors.TransportError, PathError, DirectoryNotEmpty,
232
FileExists, ResourceBusy), e:
233
self._trace("... contention, %s", e)
234
self._remove_pending_dir(tmpname)
235
raise LockContention(self)
237
self._trace("... lock failed, %s", e)
238
self._remove_pending_dir(tmpname)
240
# We must check we really got the lock, because Launchpad's sftp
241
# server at one time had a bug were the rename would successfully
242
# move the new directory into the existing directory, which was
243
# incorrect. It's possible some other servers or filesystems will
244
# have a similar bug allowing someone to think they got the lock
245
# when it's already held.
247
# See <https://bugs.launchpad.net/bzr/+bug/498378> for one case.
249
# Strictly the check is unnecessary and a waste of time for most
250
# people, but probably worth trapping if something is wrong.
252
self._trace("after locking, info=%r", info)
254
raise LockFailed(self, "lock was renamed into place, but "
256
if info.get('nonce') != self.nonce:
257
self._trace("rename succeeded, "
258
"but lock is still held by someone else")
259
raise LockContention(self)
260
self._lock_held = True
261
self._trace("... lock succeeded after %dms",
262
(time.time() - start_time) * 1000)
265
def _remove_pending_dir(self, tmpname):
266
"""Remove the pending directory
268
This is called if we failed to rename into place, so that the pending
269
dirs don't clutter up the lockdir.
271
self._trace("remove %s", tmpname)
273
self.transport.delete(tmpname + self.__INFO_NAME)
274
self.transport.rmdir(tmpname)
276
note("error removing pending lock: %s", e)
278
def _create_pending_dir(self):
279
tmpname = '%s/%s.tmp' % (self.path, rand_chars(10))
281
self.transport.mkdir(tmpname)
283
# This may raise a FileExists exception
284
# which is okay, it will be caught later and determined
285
# to be a LockContention.
286
self._trace("lock directory does not exist, creating it")
287
self.create(mode=self._dir_modebits)
288
# After creating the lock directory, try again
289
self.transport.mkdir(tmpname)
290
self.nonce = rand_chars(20)
291
info_bytes = self._prepare_info()
292
# We use put_file_non_atomic because we just created a new unique
293
# directory so we don't have to worry about files existing there.
294
# We'll rename the whole directory into place to get atomic
296
self.transport.put_bytes_non_atomic(tmpname + self.__INFO_NAME,
300
@only_raises(LockNotHeld, LockBroken)
302
"""Release a held lock
304
if self._fake_read_lock:
305
self._fake_read_lock = False
307
if not self._lock_held:
308
return lock.cant_unlock_not_held(self)
309
if self._locked_via_token:
310
self._locked_via_token = False
311
self._lock_held = False
313
old_nonce = self.nonce
314
# rename before deleting, because we can't atomically remove the
316
start_time = time.time()
317
self._trace("unlocking")
318
tmpname = '%s/releasing.%s.tmp' % (self.path, rand_chars(20))
319
# gotta own it to unlock
321
self.transport.rename(self._held_dir, tmpname)
322
self._lock_held = False
323
self.transport.delete(tmpname + self.__INFO_NAME)
325
self.transport.rmdir(tmpname)
326
except DirectoryNotEmpty, e:
327
# There might have been junk left over by a rename that moved
328
# another locker within the 'held' directory. do a slower
329
# deletion where we list the directory and remove everything
332
# Maybe this should be broader to allow for ftp servers with
333
# non-specific error messages?
334
self._trace("doing recursive deletion of non-empty directory "
336
self.transport.delete_tree(tmpname)
337
self._trace("... unlock succeeded after %dms",
338
(time.time() - start_time) * 1000)
339
result = lock.LockResult(self.transport.abspath(self.path),
341
for hook in self.hooks['lock_released']:
344
def break_lock(self):
345
"""Break a lock not held by this instance of LockDir.
347
This is a UI centric function: it uses the bzrlib.ui.ui_factory to
348
prompt for input if a lock is detected and there is any doubt about
349
it possibly being still active.
351
self._check_not_locked()
353
holder_info = self.peek()
354
except LockCorrupt, e:
355
# The lock info is corrupt.
356
if bzrlib.ui.ui_factory.get_boolean("Break (corrupt %r)" % (self,)):
357
self.force_break_corrupt(e.file_data)
359
if holder_info is not None:
360
lock_info = '\n'.join(self._format_lock_info(holder_info))
361
if bzrlib.ui.ui_factory.confirm_action(
362
"Break %(lock_info)s", 'bzrlib.lockdir.break',
363
dict(lock_info=lock_info)):
364
self.force_break(holder_info)
366
def force_break(self, dead_holder_info):
367
"""Release a lock held by another process.
369
WARNING: This should only be used when the other process is dead; if
370
it still thinks it has the lock there will be two concurrent writers.
371
In general the user's approval should be sought for lock breaks.
373
dead_holder_info must be the result of a previous LockDir.peek() call;
374
this is used to check that it's still held by the same process that
375
the user decided was dead. If this is not the current holder,
376
LockBreakMismatch is raised.
378
After the lock is broken it will not be held by any process.
379
It is possible that another process may sneak in and take the
380
lock before the breaking process acquires it.
382
if not isinstance(dead_holder_info, dict):
383
raise ValueError("dead_holder_info: %r" % dead_holder_info)
384
self._check_not_locked()
385
current_info = self.peek()
386
if current_info is None:
387
# must have been recently released
389
if current_info != dead_holder_info:
390
raise LockBreakMismatch(self, current_info, dead_holder_info)
391
tmpname = '%s/broken.%s.tmp' % (self.path, rand_chars(20))
392
self.transport.rename(self._held_dir, tmpname)
393
# check that we actually broke the right lock, not someone else;
394
# there's a small race window between checking it and doing the
396
broken_info_path = tmpname + self.__INFO_NAME
397
broken_info = self._read_info_file(broken_info_path)
398
if broken_info != dead_holder_info:
399
raise LockBreakMismatch(self, broken_info, dead_holder_info)
400
self.transport.delete(broken_info_path)
401
self.transport.rmdir(tmpname)
402
result = lock.LockResult(self.transport.abspath(self.path),
403
current_info.get('nonce'))
404
for hook in self.hooks['lock_broken']:
407
def force_break_corrupt(self, corrupt_info_lines):
408
"""Release a lock that has been corrupted.
410
This is very similar to force_break, it except it doesn't assume that
411
self.peek() can work.
413
:param corrupt_info_lines: the lines of the corrupted info file, used
414
to check that the lock hasn't changed between reading the (corrupt)
415
info file and calling force_break_corrupt.
417
# XXX: this copes with unparseable info files, but what about missing
418
# info files? Or missing lock dirs?
419
self._check_not_locked()
420
tmpname = '%s/broken.%s.tmp' % (self.path, rand_chars(20))
421
self.transport.rename(self._held_dir, tmpname)
422
# check that we actually broke the right lock, not someone else;
423
# there's a small race window between checking it and doing the
425
broken_info_path = tmpname + self.__INFO_NAME
426
f = self.transport.get(broken_info_path)
427
broken_lines = f.readlines()
428
if broken_lines != corrupt_info_lines:
429
raise LockBreakMismatch(self, broken_lines, corrupt_info_lines)
430
self.transport.delete(broken_info_path)
431
self.transport.rmdir(tmpname)
432
result = lock.LockResult(self.transport.abspath(self.path))
433
for hook in self.hooks['lock_broken']:
436
def _check_not_locked(self):
437
"""If the lock is held by this instance, raise an error."""
439
raise AssertionError("can't break own lock: %r" % self)
442
"""Make sure that the lock is still held by this locker.
444
This should only fail if the lock was broken by user intervention,
445
or if the lock has been affected by a bug.
447
If the lock is not thought to be held, raises LockNotHeld. If
448
the lock is thought to be held but has been broken, raises
451
if not self._lock_held:
452
raise LockNotHeld(self)
455
# no lock there anymore!
456
raise LockBroken(self)
457
if info.get('nonce') != self.nonce:
458
# there is a lock, but not ours
459
raise LockBroken(self)
461
def _read_info_file(self, path):
462
"""Read one given info file.
464
peek() reads the info file of the lock holder, if any.
466
return self._parse_info(self.transport.get_bytes(path))
469
"""Check if the lock is held by anyone.
471
If it is held, this returns the lock info structure as a dict
472
which contains some information about the current lock holder.
473
Otherwise returns None.
476
info = self._read_info_file(self._held_info_path)
477
self._trace("peek -> held")
479
except NoSuchFile, e:
480
self._trace("peek -> not held")
482
def _prepare_info(self):
483
"""Write information about a pending lock to a temporary file.
485
# XXX: is creating this here inefficient?
486
config = bzrlib.config.GlobalConfig()
488
user = config.username()
489
except errors.NoWhoami:
490
user = osutils.getuser_unicode()
491
s = rio.Stanza(hostname=get_host_name(),
492
pid=str(os.getpid()),
493
start_time=str(int(time.time())),
499
def _parse_info(self, info_bytes):
500
lines = osutils.split_lines(info_bytes)
502
stanza = rio.read_stanza(lines)
503
except ValueError, e:
504
mutter('Corrupt lock info file: %r', lines)
505
raise LockCorrupt("could not parse lock info file: " + str(e),
508
# see bug 185013; we fairly often end up with the info file being
509
# empty after an interruption; we could log a message here but
510
# there may not be much we can say
513
return stanza.as_dict()
515
def attempt_lock(self):
516
"""Take the lock; fail if it's already held.
518
If you wish to block until the lock can be obtained, call wait_lock()
521
:return: The lock token.
522
:raises LockContention: if the lock is held by someone else.
524
if self._fake_read_lock:
525
raise LockContention(self)
526
result = self._attempt_lock()
527
hook_result = lock.LockResult(self.transport.abspath(self.path),
529
for hook in self.hooks['lock_acquired']:
533
def wait_lock(self, timeout=None, poll=None, max_attempts=None):
534
"""Wait a certain period for a lock.
536
If the lock can be acquired within the bounded time, it
537
is taken and this returns. Otherwise, LockContention
538
is raised. Either way, this function should return within
539
approximately `timeout` seconds. (It may be a bit more if
540
a transport operation takes a long time to complete.)
542
:param timeout: Approximate maximum amount of time to wait for the
545
:param poll: Delay in seconds between retrying the lock.
547
:param max_attempts: Maximum number of times to try to lock.
549
:return: The lock token.
552
timeout = _DEFAULT_TIMEOUT_SECONDS
554
poll = _DEFAULT_POLL_SECONDS
555
# XXX: the transport interface doesn't let us guard against operations
556
# there taking a long time, so the total elapsed time or poll interval
557
# may be more than was requested.
558
deadline = time.time() + timeout
565
return self.attempt_lock()
566
except LockContention:
567
# possibly report the blockage, then try again
569
# TODO: In a few cases, we find out that there's contention by
570
# reading the held info and observing that it's not ours. In
571
# those cases it's a bit redundant to read it again. However,
572
# the normal case (??) is that the rename fails and so we
573
# don't know who holds the lock. For simplicity we peek
575
new_info = self.peek()
576
if new_info is not None and new_info != last_info:
577
if last_info is None:
578
start = 'Unable to obtain'
580
start = 'Lock owner changed for'
582
formatted_info = self._format_lock_info(new_info)
583
if deadline_str is None:
584
deadline_str = time.strftime('%H:%M:%S',
585
time.localtime(deadline))
586
# As local lock urls are correct we display them.
587
# We avoid displaying remote lock urls.
588
lock_url = self.transport.abspath(self.path)
589
if lock_url.startswith('file://'):
590
lock_url = lock_url.split('.bzr/')[0]
593
user, hostname, pid, time_ago = formatted_info
594
msg = ('%s lock %s ' # lock_url
598
'[process #%s], ' # pid
599
'acquired %s.') # time ago
600
msg_args = [start, lock_url, user, hostname, pid, time_ago]
602
msg += ('\nWill continue to try until %s, unless '
604
msg_args.append(deadline_str)
605
msg += '\nSee "bzr help break-lock" for more.'
606
self._report_function(msg, *msg_args)
607
if (max_attempts is not None) and (attempt_count >= max_attempts):
608
self._trace("exceeded %d attempts")
609
raise LockContention(self)
610
if time.time() + poll < deadline:
611
self._trace("waiting %ss", poll)
614
# As timeout is always 0 for remote locks
615
# this block is applicable only for local
617
self._trace("timeout after waiting %ss", timeout)
618
raise LockContention('(local)', lock_url)
620
def leave_in_place(self):
621
self._locked_via_token = True
623
def dont_leave_in_place(self):
624
self._locked_via_token = False
626
def lock_write(self, token=None):
627
"""Wait for and acquire the lock.
629
:param token: if this is already locked, then lock_write will fail
630
unless the token matches the existing lock.
631
:returns: a token if this instance supports tokens, otherwise None.
632
:raises TokenLockingNotSupported: when a token is given but this
633
instance doesn't support using token locks.
634
:raises MismatchedToken: if the specified token doesn't match the token
635
of the existing lock.
637
A token should be passed in if you know that you have locked the object
638
some other way, and need to synchronise this object's state with that
641
XXX: docstring duplicated from LockableFiles.lock_write.
643
if token is not None:
644
self.validate_token(token)
646
self._lock_held = True
647
self._locked_via_token = True
650
return self.wait_lock()
653
"""Compatibility-mode shared lock.
655
LockDir doesn't support shared read-only locks, so this
656
just pretends that the lock is taken but really does nothing.
658
# At the moment Branches are commonly locked for read, but
659
# we can't rely on that remotely. Once this is cleaned up,
660
# reenable this warning to prevent it coming back in
662
## warn("LockDir.lock_read falls back to write lock")
663
if self._lock_held or self._fake_read_lock:
664
raise LockContention(self)
665
self._fake_read_lock = True
667
def _format_lock_info(self, info):
668
"""Turn the contents of peek() into something for the user"""
669
start_time = info.get('start_time')
670
if start_time is None:
671
time_ago = '(unknown)'
673
time_ago = format_delta(time.time() - int(info['start_time']))
674
user = info.get('user', '<unknown>')
675
hostname = info.get('hostname', '<unknown>')
676
pid = info.get('pid', '<unknown>')
684
def validate_token(self, token):
685
if token is not None:
691
lock_token = info.get('nonce')
692
if token != lock_token:
693
raise errors.TokenMismatch(token, lock_token)
695
self._trace("revalidated by token %r", token)
697
def _trace(self, format, *args):
698
if 'lock' not in debug.debug_flags:
700
mutter(str(self) + ": " + (format % args))
added
removed
bzrlib/lockdir.py
