[RFC] Dune cache metadata format

[snowleopard]

The current Dune cache metadata format deviates from the original spec in the following way:

• In the spec, we store pairs of relative target paths, such as default/src/foo.cmi, and their digests with a collision chain suffix, i.e. 27dee4501f5da0e12be7ef16eb743e56.1.
• In the current implementation, instead of suffixed digests, we store full paths to the file store, i.e. ~/.cache/dune/db/v2/files/27/27dee4501f5da0e12be7ef16eb743e56.1 for some home directory ~.

So, instead of:

(files
 (default/src/foo.cmi 27dee4501f5da0e12be7ef16eb743e56.1)
 (default/src/foo.cmx 73ae356a65a0fc82b3bcf8504ce7b18b.1))

we have

(files
 (default/src/foo.cmi ~/.cache/dune/db/v2/files/27dee4501f5da0e12be7ef16eb743e56.1)
 (default/src/foo.cmx ~/.cache/dune/db/v2/files/73ae356a65a0fc82b3bcf8504ce7b18b.1))

To me, the current representation seems suboptimal for two reasons:

• It takes more space: every file is stored prefixed with the cache root, but this root is known when Dune starts and can always be appended when need be.
• It makes metadata non-relocatable, i.e. if the root changes for whatever reason, the metadata will need to be patched to modify the paths. Same for relocating metadata to a different build system.

@diml @mefyl As far as I see, nothing prevents us to change the implementation to align with the spec. I'm happy to implement the change if we agree that it's the right thing to do. Note that this will require increasing the version from v2 to v3.

I also think that it would be useful to decouple the version of file storage format from the version of the metadata format: in this way, if we increase the metadata format to v3, the existing file storage will remain useful.

---

If we do go ahead with bumping the version, I would also suggest removing hash collision suffices .1 from the metadata. They add complexity but Dune isn't really designed to safely and securely deal with MD5 collisions anyway. It would be better to admit that Dune (at least currently) assumes that there are no hash collisions, and remove this bit of complexity.

MD5 has 128 bits, so to have a 50% chance of any hash colliding with any other hash, we need ~2^64 hashes. This is a lot, we will never generate that many.

An attacker could easily find MD5 collisions though. In the long term, if we worry about security, we should be moving towards SHA1/SHA2.

[snowleopard]

In fact, I've just realised that the current implementation has a bug in handling hash collision chains.

For the chains to work correctly, we need to assume that there are no holes in suffix numbering, i.e. we can't have a situation where ab/abc.2 exists but ab/abc.1 doesn't exist. However, the cache trimming function doesn't take collision chain suffices into account at all, so it can delete ab/abc.1 because it hasn't been used for a while but keep ab/abc.2. This breaks the correctness assumption.

What happens further in this case? We will never be able to find the remaining file ab/abc.2 in the cache, because we always start looking from the suffix .1. The file ab/abc.2 will effectively be temporarily deleted from the cache (but will still occupy space!), until we add ab/abc.1 and revive it.

Can we fix this bug? We surely can, but at the cost of adding further complexity. I suggest to simply remove the (broken) support for hash collisions for now.

---

In summary, here is my extended proposal:

• Decouple the version of the file store, from the version of the metadata.
• Drop support for hash collisions.
• Drop absolute paths from the metadata files.

If accepted, I volunteer to implement all of the above.

[mefyl]

Regarding the most recent comment, it's known:

src/cache/local.ml:  (* We need to ensure we do not create holes in the suffix numbering for this
src/cache/local.ml:     to work *)

I honestly think we should drop collisions handling. As you said it's virtually impossible for it to happen. If we fear about attacks, we should change our hash algorithm instead.

Regarding the file path, I think there was a reason for it, but can't remember what. Feel free to try with shorter paths, and if you don't hit any bump it should be fine. I'm not sure we should deal with separate versions for metadata and data, it would require quite some work, and "losing" your cache contents once in a while should not be an issue.

[snowleopard]

@mefyl Thanks!

I'm not sure we should deal with separate versions for metadata and data, it would require quite some work

What do you mean? To me, it doesn't look more complicated than simply defining meta_version and files_version instead of hardcoding the string "v2" in both roots. Then we can bump these versions independently when need be.

UPDATE: Actually, in addition to splitting versions, we'll probably need to slightly change the directory structure. For example:

• ~/.cache/dune/db/v2/files -> ~/.cache/dune/db/files/v2
• ~/.cache/dune/db/v2/meta -> ~/.cache/dune/db/meta/v2
  In this way, we can increase only one of the versions, e.g. files/v2 -> files/v3 while keeping the other one as meta/v2.

By the way, regardless of whether we split versioning, we need to think what to do with old versions of cache. I think the right thing to do is to delete all old versions while trimming. In this way, we can tell the users to run the trimming command to clean up old caches when we change versions.

[snowleopard]

During today's Dune meeting it has been decided to proceed with the proposal, so I'm marking it as accepted. While it's being implemented, any further feedback is very welcome!