git/Documentation/technical/reftable.adoc

reftable
--------

Overview
~~~~~~~~

Problem statement
^^^^^^^^^^^^^^^^^

Some repositories contain a lot of references (e.g. android at 866k,
rails at 31k). The existing packed-refs format takes up a lot of space
(e.g. 62M), and does not scale with additional references. Lookup of a
single reference requires linearly scanning the file.

Atomic pushes modifying multiple references require copying the entire
packed-refs file, which can be a considerable amount of data moved
(e.g. 62M in, 62M out) for even small transactions (2 refs modified).

Repositories with many loose references occupy a large number of disk
blocks from the local file system, as each reference is its own file
storing 41 bytes (and another file for the corresponding reflog). This
negatively affects the number of inodes available when a large number of
repositories are stored on the same filesystem. Readers can be penalized
due to the larger number of syscalls required to traverse and read the
`$GIT_DIR/refs` directory.


Objectives
^^^^^^^^^^

* Near constant time lookup for any single reference, even when the
repository is cold and not in process or kernel cache.
* Near constant time verification if an object name is referred to by at least
one reference (for allow-tip-sha1-in-want).
* Efficient enumeration of an entire namespace, such as `refs/tags/`.
* Support atomic push with `O(size_of_update)` operations.
* Combine reflog storage with ref storage for small transactions.
* Separate reflog storage for base refs and historical logs.

Description
^^^^^^^^^^^

A reftable file is a portable binary file format customized for
reference storage. References are sorted, enabling linear scans, binary
search lookup, and range scans.

Storage in the file is organized into variable sized blocks. Prefix
compression is used within a single block to reduce disk space. Block
size and alignment are tunable by the writer.

Performance
^^^^^^^^^^^

Space used, packed-refs vs. reftable:

[cols=",>,>,>,>,>",options="header",]
|===============================================================
|repository |packed-refs |reftable |% original |avg ref |avg obj
|android |62.2 M |36.1 M |58.0% |33 bytes |5 bytes
|rails |1.8 M |1.1 M |57.7% |29 bytes |4 bytes
|git |78.7 K |48.1 K |61.0% |50 bytes |4 bytes
|git (heads) |332 b |269 b |81.0% |33 bytes |0 bytes
|===============================================================

Scan (read 866k refs), by reference name lookup (single ref from 866k
refs), and by SHA-1 lookup (refs with that SHA-1, from 866k refs):

[cols=",>,>,>,>",options="header",]
|=========================================================
|format |cache |scan |by name |by SHA-1
|packed-refs |cold |402 ms |409,660.1 usec |412,535.8 usec
|packed-refs |hot | |6,844.6 usec |20,110.1 usec
|reftable |cold |112 ms |33.9 usec |323.2 usec
|reftable |hot | |20.2 usec |320.8 usec
|=========================================================

Space used for 149,932 log entries for 43,061 refs, reflog vs. reftable:

[cols=",>,>",options="header",]
|================================
|format |size |avg entry
|$GIT_DIR/logs |173 M |1209 bytes
|reftable |5 M |37 bytes
|================================

Details
~~~~~~~

Peeling
^^^^^^^

References stored in a reftable are peeled, a record for an annotated
(or signed) tag records both the tag object, and the object it refers
to. This is analogous to storage in the packed-refs format.

Reference name encoding
^^^^^^^^^^^^^^^^^^^^^^^

Reference names are an uninterpreted sequence of bytes that must pass
linkgit:git-check-ref-format[1] as a valid reference name.

Key unicity
^^^^^^^^^^^

Each entry must have a unique key; repeated keys are disallowed.

Network byte order
^^^^^^^^^^^^^^^^^^

All multi-byte, fixed width fields are in network byte order.

Varint encoding
^^^^^^^^^^^^^^^

Varint encoding is identical to the ofs-delta encoding method used
within pack files.

Decoder works as follows:

....
val = buf[ptr] & 0x7f
while (buf[ptr] & 0x80) {
  ptr++
  val = ((val + 1) << 7) | (buf[ptr] & 0x7f)
}
....

Ordering
^^^^^^^^

Blocks are lexicographically ordered by their first reference.

Directory/file conflicts
^^^^^^^^^^^^^^^^^^^^^^^^

The reftable format accepts both `refs/heads/foo` and
`refs/heads/foo/bar` as distinct references.

This property is useful for retaining log records in reftable, but may
confuse versions of Git using `$GIT_DIR/refs` directory tree to maintain
references. Users of reftable may choose to continue to reject `foo` and
`foo/bar` type conflicts to prevent problems for peers.

File format
~~~~~~~~~~~

Structure
^^^^^^^^^

A reftable file has the following high-level structure:

....
first_block {
  header
  first_ref_block
}
ref_block*
ref_index*
obj_block*
obj_index*
log_block*
log_index*
footer
....

A log-only file omits the `ref_block`, `ref_index`, `obj_block` and
`obj_index` sections, containing only the file header and log block:

....
first_block {
  header
}
log_block*
log_index*
footer
....

In a log-only file, the first log block immediately follows the file
header, without padding to block alignment.

Block size
^^^^^^^^^^

The file's block size is arbitrarily determined by the writer, and does
not have to be a power of 2. The block size must be larger than the
longest reference name or log entry used in the repository, as
references cannot span blocks.

Powers of two that are friendly to the virtual memory system or
filesystem (such as 4k or 8k) are recommended. Larger sizes (64k) can
yield better compression, with a possible increased cost incurred by
readers during access.

The largest block size is `16777215` bytes (15.99 MiB).

Block alignment
^^^^^^^^^^^^^^^

Writers may choose to align blocks at multiples of the block size by
including `padding` filled with NUL bytes at the end of a block to round
out to the chosen alignment. When alignment is used, writers must
specify the alignment with the file header's `block_size` field.

Block alignment is not required by the file format. Unaligned files must
set `block_size = 0` in the file header, and omit `padding`. Unaligned
files with more than one ref block must include the link:#Ref-index[ref
index] to support fast lookup. Readers must be able to read both aligned
and non-aligned files.

Very small files (e.g. a single ref block) may omit `padding` and the ref
index to reduce total file size.

Header (version 1)
^^^^^^^^^^^^^^^^^^

A 24-byte header appears at the beginning of the file:

....
'REFT'
uint8( version_number = 1 )
uint24( block_size )
uint64( min_update_index )
uint64( max_update_index )
....

Aligned files must specify `block_size` to configure readers with the
expected block alignment. Unaligned files must set `block_size = 0`.

The `min_update_index` and `max_update_index` describe bounds for the
`update_index` field of all log records in this file. When reftables are
used in a stack for link:#Update-transactions[transactions], these
fields can order the files such that the prior file's
`max_update_index + 1` is the next file's `min_update_index`.

Header (version 2)
^^^^^^^^^^^^^^^^^^

A 28-byte header appears at the beginning of the file:

....
'REFT'
uint8( version_number = 2 )
uint24( block_size )
uint64( min_update_index )
uint64( max_update_index )
uint32( hash_id )
....

The header is identical to `version_number=1`, with the 4-byte hash ID
("sha1" for SHA1 and "s256" for SHA-256) appended to the header.

For maximum backward compatibility, it is recommended to use version 1 when
writing SHA1 reftables.

First ref block
^^^^^^^^^^^^^^^

The first ref block shares the same block as the file header, and is 24
bytes smaller than all other blocks in the file. The first block
immediately begins after the file header, at position 24.

If the first block is a log block (a log-only file), its block header
begins immediately at position 24.

Ref block format
^^^^^^^^^^^^^^^^

A ref block is written as:

....
'r'
uint24( block_len )
ref_record+
uint24( restart_offset )+
uint16( restart_count )

padding?
....

Blocks begin with `block_type = 'r'` and a 3-byte `block_len` which
encodes the number of bytes in the block up to, but not including the
optional `padding`. This is always less than or equal to the file's
block size. In the first ref block, `block_len` includes 24 bytes for
the file header.

The 2-byte `restart_count` stores the number of entries in the
`restart_offset` list, which must not be empty. Readers can use
`restart_count` to binary search between restarts before starting a
linear scan.

Exactly `restart_count` 3-byte `restart_offset` values precede the
`restart_count`. Offsets are relative to the start of the block and
refer to the first byte of any `ref_record` whose name has not been
prefix compressed. Entries in the `restart_offset` list must be sorted,
ascending. Readers can start linear scans from any of these records.

A variable number of `ref_record` fill the middle of the block,
describing reference names and values. The format is described below.

As the first ref block shares the first file block with the file header,
all `restart_offset` in the first block are relative to the start of the
file (position 0), and include the file header. This forces the first
`restart_offset` to be `28`.

ref record
++++++++++

A `ref_record` describes a single reference, storing both the name and
its value(s). Records are formatted as:

....
varint( prefix_length )
varint( (suffix_length << 3) | value_type )
suffix
varint( update_index_delta )
value?
....

The `prefix_length` field specifies how many leading bytes of the prior
reference record's name should be copied to obtain this reference's
name. This must be 0 for the first reference in any block, and also must
be 0 for any `ref_record` whose offset is listed in the `restart_offset`
table at the end of the block.

Recovering a reference name from any `ref_record` is a simple concat:

....
this_name = prior_name[0..prefix_length] + suffix
....

The `suffix_length` value provides the number of bytes available in
`suffix` to copy from `suffix` to complete the reference name.

The `update_index` that last modified the reference can be obtained by
adding `update_index_delta` to the `min_update_index` from the file
header: `min_update_index + update_index_delta`.

The `value` follows. Its format is determined by `value_type`, one of
the following:

* `0x0`: deletion; no value data (see transactions, below)
* `0x1`: one object name; value of the ref
* `0x2`: two object names; value of the ref, peeled target
* `0x3`: symbolic reference: `varint( target_len ) target`

Symbolic references use `0x3`, followed by the complete name of the
reference target. No compression is applied to the target name.

Types `0x4..0x7` are reserved for future use.

Ref index
^^^^^^^^^

The ref index stores the name of the last reference from every ref block
in the file, enabling reduced disk seeks for lookups. Any reference can
be found by searching the index, identifying the containing block, and
searching within that block.

The index may be organized into a multi-level index, where the 1st level
index block points to additional ref index blocks (2nd level), which may
in turn point to either additional index blocks (e.g. 3rd level) or ref
blocks (leaf level). Disk reads required to access a ref go up with
higher index levels. Multi-level indexes may be required to ensure no
single index block exceeds the file format's max block size of
`16777215` bytes (15.99 MiB). To achieve constant O(1) disk seeks for
lookups the index must be a single level, which is permitted to exceed
the file's configured block size, but not the format's max block size of
15.99 MiB.

If present, the ref index block(s) appears after the last ref block.

If there are at least 4 ref blocks, a ref index block should be written
to improve lookup times. Cold reads using the index require 2 disk reads
(read index, read block), and binary searching < 4 blocks also requires
<= 2 reads. Omitting the index block from smaller files saves space.

If the file is unaligned and contains more than one ref block, the ref
index must be written.

Index block format:

....
'i'
uint24( block_len )
index_record+
uint24( restart_offset )+
uint16( restart_count )

padding?
....

The index blocks begin with `block_type = 'i'` and a 3-byte `block_len`
which encodes the number of bytes in the block, up to but not including
the optional `padding`.

The `restart_offset` and `restart_count` fields are identical in format,
meaning and usage as in ref blocks.

To reduce the number of reads required for random access in very large
files the index block may be larger than other blocks. However, readers
must hold the entire index in memory to benefit from this, so it's a
time-space tradeoff in both file size and reader memory.

Increasing the file's block size decreases the index size. Alternatively
a multi-level index may be used, keeping index blocks within the file's
block size, but increasing the number of blocks that need to be
accessed.

index record
++++++++++++

An index record describes the last entry in another block. Index records
are written as:

....
varint( prefix_length )
varint( (suffix_length << 3) | 0 )
suffix
varint( block_position )
....

Index records use prefix compression exactly like `ref_record`.

Index records store `block_position` after the suffix, specifying the
absolute position in bytes (from the start of the file) of the block
that ends with this reference. Readers can seek to `block_position` to
begin reading the block header.

Readers must examine the block header at `block_position` to determine
if the next block is another level index block, or the leaf-level ref
block.

Reading the index
+++++++++++++++++

Readers loading the ref index must first read the footer (below) to
obtain `ref_index_position`. If not present, the position will be 0. The
`ref_index_position` is for the 1st level root of the ref index.

Obj block format
^^^^^^^^^^^^^^^^

Object blocks are optional. Writers may choose to omit object blocks,
especially if readers will not use the object name to ref mapping.

Object blocks use unique, abbreviated 2-31 byte object name keys, mapping to
ref blocks containing references pointing to that object directly, or as
the peeled value of an annotated tag. Like ref blocks, object blocks use
the file's standard block size. The abbreviation length is available in
the footer as `obj_id_len`.

To save space in small files, object blocks may be omitted if the ref
index is not present, as brute force search will only need to read a few
ref blocks. When missing, readers should brute force a linear search of
all references to lookup by object name.

An object block is written as:

....
'o'
uint24( block_len )
obj_record+
uint24( restart_offset )+
uint16( restart_count )

padding?
....

Fields are identical to ref block. Binary search using the restart table
works the same as in reference blocks.

Because object names are abbreviated by writers to the shortest unique
abbreviation within the reftable, obj key lengths have a variable length. Their
length must be at least 2 bytes. Readers must compare only for common prefix
match within an obj block or obj index.

obj record
++++++++++

An `obj_record` describes a single object abbreviation, and the blocks
containing references using that unique abbreviation:

....
varint( prefix_length )
varint( (suffix_length << 3) | cnt_3 )
suffix
varint( cnt_large )?
varint( position_delta )*
....

Like in reference blocks, abbreviations are prefix compressed within an
obj block. On large reftables with many unique objects, higher block
sizes (64k), and higher restart interval (128), a `prefix_length` of 2
or 3 and `suffix_length` of 3 may be common in obj records (unique
abbreviation of 5-6 raw bytes, 10-12 hex digits).

Each record contains `position_count` number of positions for matching
ref blocks. For 1-7 positions the count is stored in `cnt_3`. When
`cnt_3 = 0` the actual count follows in a varint, `cnt_large`.

The use of `cnt_3` bets most objects are pointed to by only a single
reference, some may be pointed to by a couple of references, and very
few (if any) are pointed to by more than 7 references.

A special case exists when `cnt_3 = 0` and `cnt_large = 0`: there are no
`position_delta`, but at least one reference starts with this
abbreviation. A reader that needs exact reference names must scan all
references to find which specific references have the desired object.
Writers should use this format when the `position_delta` list would have
overflowed the file's block size due to a high number of references
pointing to the same object.

The first `position_delta` is the position from the start of the file.
Additional `position_delta` entries are sorted ascending and relative to
the prior entry, e.g. a reader would perform:

....
pos = position_delta[0]
prior = pos
for (j = 1; j < position_count; j++) {
  pos = prior + position_delta[j]
  prior = pos
}
....

With a position in hand, a reader must linearly scan the ref block,
starting from the first `ref_record`, testing each reference's object names
(for `value_type = 0x1` or `0x2`) for full equality. Faster searching by
object name within a single ref block is not supported by the reftable format.
Smaller block sizes reduce the number of candidates this step must
consider.

Obj index
^^^^^^^^^

The obj index stores the abbreviation from the last entry for every obj
block in the file, enabling reduced disk seeks for all lookups. It is
formatted exactly the same as the ref index, but refers to obj blocks.

The obj index should be present if obj blocks are present, as obj blocks
should only be written in larger files.

Readers loading the obj index must first read the footer (below) to
obtain `obj_index_position`. If not present, the position will be 0.

Log block format
^^^^^^^^^^^^^^^^

Unlike ref and obj blocks, log blocks are always unaligned.

Log blocks are variable in size, and do not match the `block_size`
specified in the file header or footer. Writers should choose an
appropriate buffer size to prepare a log block for deflation, such as
`2 * block_size`.

A log block is written as:

....
'g'
uint24( block_len )
zlib_deflate {
  log_record+
  uint24( restart_offset )+
  uint16( restart_count )
}
....

Log blocks look similar to ref blocks, except `block_type = 'g'`.

The 4-byte block header is followed by the deflated block contents using
zlib deflate. The `block_len` in the header is the inflated size
(including 4-byte block header), and should be used by readers to
preallocate the inflation output buffer. A log block's `block_len` may
exceed the file's block size.

Offsets within the log block (e.g. `restart_offset`) still include the
4-byte header. Readers may prefer prefixing the inflation output buffer
with the 4-byte header.

Within the deflate container, a variable number of `log_record` describe
reference changes. The log record format is described below. See ref
block format (above) for a description of `restart_offset` and
`restart_count`.

Because log blocks have no alignment or padding between blocks, readers
must keep track of the bytes consumed by the inflater to know where the
next log block begins.

log record
++++++++++

Log record keys are structured as:

....
ref_name '\0' reverse_int64( update_index )
....

where `update_index` is the unique transaction identifier. The
`update_index` field must be unique within the scope of a `ref_name`.
See the update transactions section below for further details.

The `reverse_int64` function inverses the value so lexicographical
ordering the network byte order encoding sorts the more recent records
with higher `update_index` values first:

....
reverse_int64(int64 t) {
  return 0xffffffffffffffff - t;
}
....

Log records have a similar starting structure to ref and index records,
utilizing the same prefix compression scheme applied to the log record
key described above.

....
    varint( prefix_length )
    varint( (suffix_length << 3) | log_type )
    suffix
    log_data {
      old_id
      new_id
      varint( name_length    )  name
      varint( email_length   )  email
      varint( time_seconds )
      sint16( tz_offset )
      varint( message_length )  message
    }?
....

Log record entries use `log_type` to indicate what follows:

* `0x0`: deletion; no log data.
* `0x1`: standard git reflog data using `log_data` above.

The `log_type = 0x0` is mostly useful for `git stash drop`, removing an
entry from the reflog of `refs/stash` in a transaction file (below),
without needing to rewrite larger files. Readers reading a stack of
reflogs must treat this as a deletion.

For `log_type = 0x1`, the `log_data` section follows
linkgit:git-update-ref[1] logging and includes:

* two object names (old id, new id)
* varint string of committer's name
* varint string of committer's email
* varint time in seconds since epoch (Jan 1, 1970)
* 2-byte timezone offset in minutes (signed)
* varint string of message

`tz_offset` is the absolute number of minutes from GMT the committer was
at the time of the update. For example `GMT-0800` is encoded in reftable
as `sint16(-480)` and `GMT+0230` is `sint16(150)`.

The committer email does not contain `<` or `>`, it's the value normally
found between the `<>` in a git commit object header.

The `message_length` may be 0, in which case there was no message
supplied for the update.

Contrary to traditional reflog (which is a file), renames are encoded as
a combination of ref deletion and ref creation.  A deletion is a log
record with a zero new_id, and a creation is a log record with a zero old_id.

Reading the log
+++++++++++++++

Readers accessing the log must first read the footer (below) to
determine the `log_position`. The first block of the log begins at
`log_position` bytes since the start of the file. The `log_position` is
not block aligned.

Importing logs
++++++++++++++

When importing from `$GIT_DIR/logs` writers should globally order all
log records roughly by timestamp while preserving file order, and assign
unique, increasing `update_index` values for each log line. Newer log
records get higher `update_index` values.

Although an import may write only a single reftable file, the reftable
file must span many unique `update_index`, as each log line requires its
own `update_index` to preserve semantics.

Log index
^^^^^^^^^

The log index stores the log key
(`refname \0 reverse_int64(update_index)`) for the last log record of
every log block in the file, supporting bounded-time lookup.

A log index block must be written if 2 or more log blocks are written to
the file. If present, the log index appears after the last log block.
There is no padding used to align the log index to block alignment.

Log index format is identical to ref index, except the keys are 9 bytes
longer to include `'\0'` and the 8-byte `reverse_int64(update_index)`.
Records use `block_position` to refer to the start of a log block.

Reading the index
+++++++++++++++++

Readers loading the log index must first read the footer (below) to
obtain `log_index_position`. If not present, the position will be 0.

Footer
^^^^^^

After the last block of the file, a file footer is written. It begins
like the file header, but is extended with additional data.

....
    HEADER

    uint64( ref_index_position )
    uint64( (obj_position << 5) | obj_id_len )
    uint64( obj_index_position )

    uint64( log_position )
    uint64( log_index_position )

    uint32( CRC-32 of above )
....

If a section is missing (e.g. ref index) the corresponding position
field (e.g. `ref_index_position`) will be 0.

* `obj_position`: byte position for the first obj block.
* `obj_id_len`: number of bytes used to abbreviate object names in
obj blocks.
* `log_position`: byte position for the first log block.
* `ref_index_position`: byte position for the start of the ref index.
* `obj_index_position`: byte position for the start of the obj index.
* `log_index_position`: byte position for the start of the log index.

The size of the footer is 68 bytes for version 1, and 72 bytes for
version 2.

Reading the footer
++++++++++++++++++

Readers must first read the file start to determine the version
number. Then they seek to `file_length - FOOTER_LENGTH` to access the
footer. A trusted external source (such as `stat(2)`) is necessary to
obtain `file_length`. When reading the footer, readers must verify:

* 4-byte magic is correct
* 1-byte version number is recognized
* 4-byte CRC-32 matches the other 64 bytes (including magic, and
version)

Once verified, the other fields of the footer can be accessed.

Empty tables
++++++++++++

A reftable may be empty. In this case, the file starts with a header
and is immediately followed by a footer.

Binary search
^^^^^^^^^^^^^

Binary search within a block is supported by the `restart_offset` fields
at the end of the block. Readers can binary search through the restart
table to locate between which two restart points the sought reference or
key should appear.

Each record identified by a `restart_offset` stores the complete key in
the `suffix` field of the record, making the compare operation during
binary search straightforward.

Once a restart point lexicographically before the sought reference has
been identified, readers can linearly scan through the following record
entries to locate the sought record, terminating if the current record
sorts after (and therefore the sought key is not present).

Restart point selection
+++++++++++++++++++++++

Writers determine the restart points at file creation. The process is
arbitrary, but every 16 or 64 records is recommended. Every 16 may be
more suitable for smaller block sizes (4k or 8k), every 64 for larger
block sizes (64k).

More frequent restart points reduces prefix compression and increases
space consumed by the restart table, both of which increase file size.

Less frequent restart points makes prefix compression more effective,
decreasing overall file size, with increased penalties for readers
walking through more records after the binary search step.

A maximum of `65535` restart points per block is supported.

Considerations
~~~~~~~~~~~~~~

Lightweight refs dominate
^^^^^^^^^^^^^^^^^^^^^^^^^

The reftable format assumes the vast majority of references are single
object names valued with common prefixes, such as Gerrit Code Review's
`refs/changes/` namespace, GitHub's `refs/pulls/` namespace, or many
lightweight tags in the `refs/tags/` namespace.

Annotated tags storing the peeled object cost an additional object name per
reference.

Low overhead
^^^^^^^^^^^^

A reftable with very few references (e.g. git.git with 5 heads) is 269
bytes for reftable, vs. 332 bytes for packed-refs. This supports
reftable scaling down for transaction logs (below).

Block size
^^^^^^^^^^

For a Gerrit Code Review type repository with many change refs, larger
block sizes (64 KiB) and less frequent restart points (every 64) yield
better compression due to more references within the block compressing
against the prior reference.

Larger block sizes reduce the index size, as the reftable will require
fewer blocks to store the same number of references.

Minimal disk seeks
^^^^^^^^^^^^^^^^^^

Assuming the index block has been loaded into memory, binary searching
for any single reference requires exactly 1 disk seek to load the
containing block.

Scans and lookups dominate
^^^^^^^^^^^^^^^^^^^^^^^^^^

Scanning all references and lookup by name (or namespace such as
`refs/heads/`) are the most common activities performed on repositories.
Object names are stored directly with references to optimize this use case.

Logs are infrequently read
^^^^^^^^^^^^^^^^^^^^^^^^^^

Logs are infrequently accessed, but can be large. Deflating log blocks
saves disk space, with some increased penalty at read time.

Logs are stored in an isolated section from refs, reducing the burden on
reference readers that want to ignore logs. Further, historical logs can
be isolated into log-only files.

Logs are read backwards
^^^^^^^^^^^^^^^^^^^^^^^

Logs are frequently accessed backwards (most recent N records for master
to answer `master@{4}`), so log records are grouped by reference, and
sorted descending by update index.

Repository format
~~~~~~~~~~~~~~~~~

Version 1
^^^^^^^^^

A repository must set its `$GIT_DIR/config` to configure reftable:

....
[core]
    repositoryformatversion = 1
[extensions]
    refStorage = reftable
....

Layout
^^^^^^

A collection of reftable files are stored in the `$GIT_DIR/reftable/` directory.
Their names should have a random element, such that each filename is globally
unique; this helps avoid spurious failures on Windows, where open files cannot
be removed or overwritten. It suggested to use
`${min_update_index}-${max_update_index}-${random}.ref` as a naming convention.

Log-only files use the `.log` extension, while ref-only and mixed ref
and log files use `.ref`. extension.

The stack ordering file is `$GIT_DIR/reftable/tables.list` and lists the
current files, one per line, in order, from oldest (base) to newest
(most recent):

....
$ cat .git/reftable/tables.list
00000001-00000001-RANDOM1.log
00000002-00000002-RANDOM2.ref
00000003-00000003-RANDOM3.ref
....

Readers must read `$GIT_DIR/reftable/tables.list` to determine which
files are relevant right now, and search through the stack in reverse
order (last reftable is examined first).

Reftable files not listed in `tables.list` may be new (and about to be
added to the stack by the active writer), or ancient and ready to be
pruned.

Backward compatibility
^^^^^^^^^^^^^^^^^^^^^^

Older clients should continue to recognize the directory as a git
repository so they don't look for an enclosing repository in parent
directories. To this end, a reftable-enabled repository must contain the
following dummy files

* `.git/HEAD`, a regular file containing `ref: refs/heads/.invalid`.
* `.git/refs/`, a directory
* `.git/refs/heads`, a regular file

Readers
^^^^^^^

Readers can obtain a consistent snapshot of the reference space by
following:

1.  Open and read the `tables.list` file.
2.  Open each of the reftable files that it mentions.
3.  If any of the files is missing, goto 1.
4.  Read from the now-open files as long as necessary.

Update transactions
^^^^^^^^^^^^^^^^^^^

Although reftables are immutable, mutations are supported by writing a
new reftable and atomically appending it to the stack:

1.  Acquire `tables.list.lock`.
2.  Read `tables.list` to determine current reftables.
3.  Select `update_index` to be most recent file's
`max_update_index + 1`.
4.  Prepare temp reftable `tmp_XXXXXX`, including log entries.
5.  Rename `tmp_XXXXXX` to `${update_index}-${update_index}-${random}.ref`.
6.  Copy `tables.list` to `tables.list.lock`, appending file from (5).
7.  Rename `tables.list.lock` to `tables.list`.

During step 4 the new file's `min_update_index` and `max_update_index`
are both set to the `update_index` selected by step 3. All log records
for the transaction use the same `update_index` in their keys. This
enables later correlation of which references were updated by the same
transaction.

Because a single `tables.list.lock` file is used to manage locking, the
repository is single-threaded for writers. Writers may have to busy-spin
(with backoff) around creating `tables.list.lock`, for up to an
acceptable wait period, aborting if the repository is too busy to
mutate. Application servers wrapped around repositories (e.g. Gerrit
Code Review) can layer their own lock/wait queue to improve fairness to
writers.

Reference deletions
^^^^^^^^^^^^^^^^^^^

Deletion of any reference can be explicitly stored by setting the `type`
to `0x0` and omitting the `value` field of the `ref_record`. This serves
as a tombstone, overriding any assertions about the existence of the
reference from earlier files in the stack.

Compaction
^^^^^^^^^^

A partial stack of reftables can be compacted by merging references
using a straightforward merge join across reftables, selecting the most
recent value for output, and omitting deleted references that do not
appear in remaining, lower reftables.

A compacted reftable should set its `min_update_index` to the smallest
of the input files' `min_update_index`, and its `max_update_index`
likewise to the largest input `max_update_index`.

For sake of illustration, assume the stack currently consists of
reftable files (from oldest to newest): A, B, C, and D. The compactor is
going to compact B and C, leaving A and D alone.

1.  Obtain lock `tables.list.lock` and read the `tables.list` file.
2.  Obtain locks `B.lock` and `C.lock`. Ownership of these locks
prevents other processes from trying to compact these files.
3.  Release `tables.list.lock`.
4.  Compact `B` and `C` into a temp file
`${min_update_index}-${max_update_index}_XXXXXX`.
5.  Reacquire lock `tables.list.lock`.
6.  Verify that `B` and `C` are still in the stack, in that order. This
should always be the case, assuming that other processes are adhering to
the locking protocol.
7.  Rename `${min_update_index}-${max_update_index}_XXXXXX` to
`${min_update_index}-${max_update_index}-${random}.ref`.
8.  Write the new stack to `tables.list.lock`, replacing `B` and `C`
with the file from (4).
9.  Rename `tables.list.lock` to `tables.list`.
10. Delete `B` and `C`, perhaps after a short sleep to avoid forcing
readers to backtrack.

This strategy permits compactions to proceed independently of updates.

Each reftable (compacted or not) is uniquely identified by its name, so
open reftables can be cached by their name.

Windows
^^^^^^^

On windows, and other systems that do not allow deleting or renaming to open
files, compaction may succeed, but other readers may prevent obsolete tables
from being deleted.

On these platforms, the following strategy can be followed: on closing a
reftable stack, reload `tables.list`, and delete any tables no longer mentioned
in `tables.list`.

Irregular program exit may still leave about unused files. In this case, a
cleanup operation should proceed as follows:

* take a lock `tables.list.lock` to prevent concurrent modifications
* refresh the reftable stack, by reading `tables.list`
* for each `*.ref` file, remove it if
** it is not mentioned in `tables.list`, and
** its max update_index is not beyond the max update_index of the stack


Alternatives considered
~~~~~~~~~~~~~~~~~~~~~~~

bzip packed-refs
^^^^^^^^^^^^^^^^

`bzip2` can significantly shrink a large packed-refs file (e.g. 62 MiB
compresses to 23 MiB, 37%). However the bzip format does not support
random access to a single reference. Readers must inflate and discard
while performing a linear scan.

Breaking packed-refs into chunks (individually compressing each chunk)
would reduce the amount of data a reader must inflate, but still leaves
the problem of indexing chunks to support readers efficiently locating
the correct chunk.

Given the compression achieved by reftable's encoding, it does not seem
necessary to add the complexity of bzip/gzip/zlib.

Michael Haggerty's alternate format
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Michael Haggerty proposed
link:https://lore.kernel.org/git/CAMy9T_HCnyc1g8XWOOWhe7nN0aEFyyBskV2aOMb_fe%2BwGvEJ7A%40mail.gmail.com/[an
alternate] format to reftable on the Git mailing list. This format uses
smaller chunks, without the restart table, and avoids block alignment
with padding. Reflog entries immediately follow each ref, and are thus
interleaved between refs.

Performance testing indicates reftable is faster for lookups (51%
faster, 11.2 usec vs. 5.4 usec), although reftable produces a slightly
larger file (+ ~3.2%, 28.3M vs 29.2M):

[cols=">,>,>,>",options="header",]
|=====================================
|format |size |seek cold |seek hot
|mh-alt |28.3 M |23.4 usec |11.2 usec
|reftable |29.2 M |19.9 usec |5.4 usec
|=====================================

JGit Ketch RefTree
^^^^^^^^^^^^^^^^^^

https://dev.eclipse.org/mhonarc/lists/jgit-dev/msg03073.html[JGit Ketch]
proposed
link:https://lore.kernel.org/git/CAJo%3DhJvnAPNAdDcAAwAvU9C4RVeQdoS3Ev9WTguHx4fD0V_nOg%40mail.gmail.com/[RefTree],
an encoding of references inside Git tree objects stored as part of the
repository's object database.

The RefTree format adds additional load on the object database storage
layer (more loose objects, more objects in packs), and relies heavily on
the packer's delta compression to save space. Namespaces which are flat
(e.g. thousands of tags in refs/tags) initially create very large loose
objects, and so RefTree does not address the problem of copying many
references to modify a handful.

Flat namespaces are not efficiently searchable in RefTree, as tree
objects in canonical formatting cannot be binary searched. This fails
the need to handle a large number of references in a single namespace,
such as GitHub's `refs/pulls`, or a project with many tags.

LMDB
^^^^

David Turner proposed
https://lore.kernel.org/git/1455772670-21142-26-git-send-email-dturner@twopensource.com/[using
LMDB], as LMDB is lightweight (64k of runtime code) and GPL-compatible
license.

A downside of LMDB is its reliance on a single C implementation. This
makes embedding inside JGit (a popular reimplementation of Git)
difficult, and hoisting onto virtual storage (for JGit DFS) virtually
impossible.

A common format that can be supported by all major Git implementations
(git-core, JGit, libgit2) is strongly preferred.