amaters-core 0.2.0

Core kernel for AmateRS - Fully Homomorphic Encrypted Database
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254

//! Memory-use limiter with cooperative back-pressure.
//!
//! [`MemoryLimiter`] tracks a global byte count via an [`AtomicUsize`] counter.
//! Callers must obtain an [`AllocationGuard`] via [`MemoryLimiter::try_allocate`];
//! the guard decrements the counter automatically on drop, ensuring the tracked
//! usage stays accurate even across panics.
//!
//! # Design
//!
//! The compare-exchange loop in [`MemoryLimiter::try_allocate`] gives linearisable
//! semantics: either the allocation is fully visible or it is rejected, with no
//! window where the counter exceeds `max_bytes`.
//!
//! # Example
//!
//! ```rust
//! use amaters_core::memory_limiter::MemoryLimiter;
//!
//! let limiter = MemoryLimiter::new(1024);
//! let guard = limiter.try_allocate(512).expect("should fit");
//! assert_eq!(limiter.current_bytes(), 512);
//! drop(guard);
//! assert_eq!(limiter.current_bytes(), 0);
//! ```

use std::fmt;
use std::sync::Arc;
use std::sync::atomic::{AtomicUsize, Ordering};

// ---------------------------------------------------------------------------
// OomError
// ---------------------------------------------------------------------------

/// Error returned when a [`MemoryLimiter`] rejects an allocation because the
/// requested bytes would exceed `max_bytes`.
#[derive(Debug)]
pub struct OomError {
    /// Configured maximum, in bytes.
    pub max_bytes: usize,
    /// Number of bytes currently tracked.
    pub current_bytes: usize,
    /// Number of bytes that were requested.
    pub requested: usize,
}

impl fmt::Display for OomError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(
            f,
            "OOM: requested {} bytes but only {} / {} available",
            self.requested,
            self.max_bytes.saturating_sub(self.current_bytes),
            self.max_bytes,
        )
    }
}

impl std::error::Error for OomError {}

// ---------------------------------------------------------------------------
// MemoryLimiter
// ---------------------------------------------------------------------------

/// A cooperative memory limiter backed by an atomic byte counter.
///
/// Use [`try_allocate`](MemoryLimiter::try_allocate) to reserve bytes.
/// The returned [`AllocationGuard`] releases the reservation when dropped.
#[derive(Debug)]
pub struct MemoryLimiter {
    max_bytes: usize,
    current: Arc<AtomicUsize>,
}

impl MemoryLimiter {
    /// Create a new limiter with the given `max_bytes` ceiling.
    pub fn new(max_bytes: usize) -> Self {
        Self {
            max_bytes,
            current: Arc::new(AtomicUsize::new(0)),
        }
    }

    /// Return the number of bytes currently reserved.
    pub fn current_bytes(&self) -> usize {
        self.current.load(Ordering::Acquire)
    }

    /// Return the configured maximum, in bytes.
    pub fn max_bytes(&self) -> usize {
        self.max_bytes
    }

    /// Attempt to reserve `n` bytes.
    ///
    /// Succeeds if `current + n <= max_bytes`; otherwise returns [`OomError`].
    /// The reservation is released automatically when the returned
    /// [`AllocationGuard`] is dropped.
    ///
    /// The implementation uses a compare-exchange loop to ensure that the
    /// counter never transiently exceeds `max_bytes`, even under heavy
    /// concurrent load.
    pub fn try_allocate(&self, n: usize) -> Result<AllocationGuard, OomError> {
        loop {
            let cur = self.current.load(Ordering::Acquire);
            if cur + n > self.max_bytes {
                return Err(OomError {
                    max_bytes: self.max_bytes,
                    current_bytes: cur,
                    requested: n,
                });
            }
            match self
                .current
                .compare_exchange(cur, cur + n, Ordering::AcqRel, Ordering::Acquire)
            {
                Ok(_) => {
                    return Ok(AllocationGuard {
                        n,
                        current: Arc::clone(&self.current),
                    });
                }
                Err(_) => continue,
            }
        }
    }
}

// ---------------------------------------------------------------------------
// AllocationGuard
// ---------------------------------------------------------------------------

/// RAII guard that releases a reservation from a [`MemoryLimiter`] on drop.
pub struct AllocationGuard {
    n: usize,
    current: Arc<AtomicUsize>,
}

impl Drop for AllocationGuard {
    fn drop(&mut self) {
        self.current.fetch_sub(self.n, Ordering::AcqRel);
    }
}

impl fmt::Debug for AllocationGuard {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.debug_struct("AllocationGuard")
            .field("reserved_bytes", &self.n)
            .finish()
    }
}

// ---------------------------------------------------------------------------
// Tests
// ---------------------------------------------------------------------------

#[cfg(test)]
mod tests {
    use super::*;
    use std::sync::Arc;

    #[test]
    fn test_memory_limiter_allows_under_limit() {
        let limiter = MemoryLimiter::new(1024);
        let guard = limiter
            .try_allocate(512)
            .expect("should succeed under limit");
        assert_eq!(limiter.current_bytes(), 512);
        drop(guard);
        assert_eq!(limiter.current_bytes(), 0);
    }

    #[test]
    fn test_memory_limiter_rejects_over_limit() {
        let limiter = MemoryLimiter::new(1024);
        let _guard = limiter
            .try_allocate(900)
            .expect("first alloc should succeed");
        let err = limiter
            .try_allocate(200)
            .expect_err("should reject over limit");
        assert_eq!(err.max_bytes, 1024);
        assert_eq!(err.requested, 200);
        assert!(err.current_bytes >= 900);
    }

    #[test]
    fn test_memory_limiter_releases_on_drop() {
        let limiter = MemoryLimiter::new(1024);
        {
            let _guard = limiter.try_allocate(512).expect("should succeed");
            assert_eq!(limiter.current_bytes(), 512);
        }
        // Guard dropped — bytes should be released.
        assert_eq!(limiter.current_bytes(), 0);
        // A fresh allocation should now succeed.
        let _guard2 = limiter
            .try_allocate(1024)
            .expect("full budget available again");
        assert_eq!(limiter.current_bytes(), 1024);
    }

    #[test]
    fn test_memory_limiter_concurrent_allocations() {
        use std::sync::Barrier;
        use std::thread;

        // limiter max = 5 KB
        let max: usize = 5 * 1024;
        let limiter = Arc::new(MemoryLimiter::new(max));
        let successes = Arc::new(AtomicUsize::new(0));

        // All 10 threads rendezvous at the barrier before attempting allocations,
        // ensuring they race simultaneously so that at most 5 can succeed.
        let barrier = Arc::new(Barrier::new(10));

        // A second barrier ensures all allocation attempts are complete before any
        // guard is released, so the counter cannot dip between attempts.
        let barrier2 = Arc::new(Barrier::new(10));

        // Spawn 10 threads; each tries to allocate 1 KB.
        // Only 5 should succeed.
        let handles: Vec<_> = (0..10)
            .map(|_| {
                let limiter = Arc::clone(&limiter);
                let successes = Arc::clone(&successes);
                let b1 = Arc::clone(&barrier);
                let b2 = Arc::clone(&barrier2);
                thread::spawn(move || {
                    // Wait until all threads are ready.
                    b1.wait();
                    let guard = limiter.try_allocate(1024);
                    if guard.is_ok() {
                        successes.fetch_add(1, Ordering::Relaxed);
                    }
                    // Synchronise so all threads have attempted allocation before
                    // any guard is released.
                    b2.wait();
                    // guard (if Some) dropped here, releasing its reservation.
                    drop(guard);
                })
            })
            .collect();

        for handle in handles {
            handle.join().expect("thread panicked");
        }

        // After all threads finish, the counter must be 0 (all guards dropped).
        assert_eq!(limiter.current_bytes(), 0);

        // Exactly 5 threads should have succeeded (5 × 1024 == 5120 max).
        assert_eq!(successes.load(Ordering::Relaxed), 5);
    }
}