·
7 commits
to master
since this release
Added
Queue::claim_batchclaims up tomax_jobspending jobs in one
transaction, sharing one claim-lock hold and one commit across the
batch. Jobs are returned in claim order and share one lease.
Queue::claimis now a batch of one.Queue::wait_for_jobs_onblocks until a job becomes claimable on
one queue. UnlikeQueue::wait_for_jobs, the wakeup is queue-scoped
and delivered to one waiter per inserted job.Queue::ack_withacknowledges a job and applies a set of effects in
the same transaction: follow-up enqueues (AckEffects::enqueues,
honouringrun_at,dedup_key,priority, andid_overrideper
request) and caller KV writes and deletes. Either the ack and every
effect land together or nothing does; when the claim is gone the
call fails withClaimLostand applies nothing, so a chained job
exists only if the settlement that created it won.Queue::ackis
nowack_withwith empty effects.Error::ClaimLost: returned byack,ack_with,nack,
dead_letter, andrenew_leasewhen the record's claim is no
longer present (the lease expired and the reaper requeued the job,
or the record is a stale copy from before a lease renewal rotated
the claimed key). These cases previously returned the catch-all
Error::InvalidState, which remains for genuine misuse (a record
missinglease_expires_at,requeue_dead_jobon a non-dead
record).Worker::process_with_effects: workers can returnAckEffects
from processing, whichrun_workerandrun_worker_concurrent
apply atomically with the job's acknowledgement via
Queue::ack_with.processandprocess_with_effectsdefault to
each other; implement exactly one. ExistingWorker
implementations are unaffected.Queue::closepersists each queue's claim-scan state (scan bound
and emptiness marker) under a newcursor:key prefix; the next
open restores the in-memory state from it and deletes the record. The
first claim after a clean restart resumes at the recorded bound
instead of re-scanning the tombstone band left by previously claimed
jobs, whose cost grows with the band and the store's latency. After
a crash the record is absent and the first claim falls back to the
front prefix scan as before.
Changed
run_workerno longer exits when settling a job fails. Settlement
failures (includingClaimLostwhen a job outlives its lease and
the reaper requeues it) are logged and the loop continues, matching
run_worker_concurrent; the redelivered attempt settles the job.
Claim-path errors still terminate both loops. Both loops log a lost
claim distinctly from other settlement failures.run_worker_concurrentclaims jobs in batches sized to its free
capacity viaQueue::claim_batch, costing one claim transaction
per batch instead of per job under a backlog. Jobs are still
processed concurrently and acked individually.Queue::claim_with_waitand therun_worker/run_worker_concurrent
loops wait on a queue-scoped wakeup that wakes one waiter per
inserted job, instead of the process-wide notification that woke
every waiting worker on every insert. A pool of idle workers no
longer contends on the claim path when a single job arrives, and a
worker claiming a job passes one wakeup on so a backlog keeps waking
further workers.Queue::claim_with_waitnow also keeps waiting out
its fullmax_waitafter losing a claim race instead of returning
Noneearly.Queue::claimcommits without awaiting WAL durability. Claims
serialise per queue through the claim lock, which excluded them from
WAL group commit: the lock holder awaited its flush before the next
claim could start, making the flush round trip the queue's claim
throughput ceiling.
Losing an unflushed claim in a crash leaves the job pending, so it
is redelivered immediately on recovery instead of after its lease
expires; at-least-once delivery is unaffected, and a settled job's
claim is always durable because later durable commits flush
preceding WAL entries.- The scheduler promotes due jobs without awaiting WAL durability,
for the same reasons and with the same crash behaviour as the
reaper change below: a lost promotion leaves the scheduled key in
place with itsrun_atin the past, and the next tick re-promotes
it. A backlog of due jobs (a retry-backoff wave, or scheduled jobs
accumulated during downtime) no longer promotes at one job per
flush interval. - The reaper requeues and dead-letters expired claims without awaiting
WAL durability. Each expired claim is processed in its own
transaction, and awaiting the flush serialised the sweep at one job
per flush interval (about ten per second at the default 100 ms
flush). A commit lost in a crash leaves the expired claim in place
for the next sweep, which re-processes it without consuming an
attempt, and later durable commits flush preceding WAL entries, so
a settled job's requeue is durable by ordering. - The done and dead-letter retention sweeps delete expired records
without awaiting WAL durability, for the same reasons as the reaper
and scheduler changes above: a delete lost in a crash leaves the
record in place for the next sweep, whose existence re-check keeps
the rerun idempotent. With this, no background sweep awaits the
flush; only caller-driven operations do. A retention backlog no
longer delays the lease reaping that shares its tick. Queue::claimtracks per-queue emptiness and a scan bound in
process memory. Polling an empty queue answers without a storage
scan or the claim lock, and the pending tombstone band is never
re-walked from the front while the process stays up; a full prefix
scan now happens only on cold start or process restart.- Queue stats counter merges are excluded from transaction conflict
detection. The merges are commutative, so concurrent job-state
transitions on the same queue no longer abort and retry each other
over the shared stats keys.
Fixed
- A
pending:insert landing behind the claim cursor while a claim
was in flight could have its cursor invalidation overwritten by
that claim's cursor update, hiding the job from cursor scans until
the queue next drained. The scan bound now moves back to include
such inserts, and a claim drops its bound advance when the bound
moved while it ran. - A
pending:key could be hidden from claims indefinitely when its
insert committed while a claim was in flight and the key sorted at
or below the keys that claim advanced the scan bound past. Job ids
are generated before the enqueue transaction commits, so commit
order can invert key order under concurrent producers, and a
requeue (reaper or nack) restores a job at its original key. The
next claim then recorded emptiness at a valid epoch and the queue
answeredNonewhile live jobs were pending. Bound advances now
clamp to the smallest key recorded since the bound was observed,
including when no bound exists yet (the first claim after a
process restart) and when the key equals the claimed one (the
claimed job requeued after its lease expired within the claim). - Duplicate
EnqueueOptions::id_overridevalues are now rejected
transactionally withError::DuplicateJobIdinstead of overwriting
jobindex:{id}and leaving older queue-state records behind. Queue::ack,Queue::nack,Queue::dead_letter, and
Queue::renew_leasenow check that the expectedclaimed:record
still exists before settling a job. A worker finishing after its
lease was reaped now getsError::ClaimLostinstead of being
able to ack, retry, dead-letter, renew, or corrupt stats from a
staleJobRecord.Queue::nackandQueue::renew_leasenow retry on transaction
conflict likeQueue::ackandQueue::dead_letteralready did.
A reaper committing the expired-lease delete concurrently with a
late settlement is now retried (and resolves toError::ClaimLost
on the next attempt) instead of surfacing a raw SlateDB transaction
error to the caller.Queue::requeue_dead_jobnow checks that the dead-letter record
still exists before reviving it. Requeueing a stale record after
dead-letter retention swept it now returnsError::JobNotFound
instead of recreating the job and corrupting queue stats.