emdb 0.7.0

A lightweight, high-performance embedded database for Rust.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378

// Copyright 2026 James Gober. Licensed under Apache-2.0.

//! In-memory Bloom filter for negative-lookup acceleration.
//!
//! The v0.7 read path consults a per-namespace Bloom filter before touching
//! the keymap. A negative answer is **definitive** ("the key is not in the
//! database"); a positive answer is probabilistic and the caller falls
//! through to the keymap and page-cache layers. False positives waste a
//! lookup, but never cause a wrong answer.
//!
//! ## Sizing
//!
//! Targeting a 1% false-positive rate the optimal parameters are:
//!
//! - `m / n ≈ 9.585` bits per key.
//! - `k = 7` hash functions.
//!
//! We use 10 bits per key (slightly conservative, friendly to byte
//! alignment) and 7 hashes. Memory per namespace: `1.25 MB` per million
//! keys, sized once at open time from the catalog's `record_count`.
//!
//! ## Hashing
//!
//! The two-hash trick (Kirsch & Mitzenmacher, 2006) lets us derive `k`
//! independent hashes from a single 64-bit hash. We split the keymap's
//! 64-bit FxHash into a `(low: u32, high: u32)` pair and compute hash
//! `i ∈ 0..k` as `low + i * high` modulo `m`. The bias is negligible at
//! `m / n ≈ 10`.

use std::sync::atomic::{AtomicU64, Ordering};

use crate::{Error, Result};

/// Bits per key. Chosen to keep the false-positive rate near 1%.
pub(crate) const BITS_PER_KEY: u32 = 10;

/// Number of hash functions per insert/lookup.
pub(crate) const HASH_COUNT: u32 = 7;

/// Lower bound on the bit array size. A tiny namespace (a handful of keys)
/// still gets a usable bloom rather than one that saturates instantly.
/// Power-of-two so the modular index calculation reduces to a mask.
const MIN_BITS: u64 = 1024;

/// Compute the bit count for a fresh bloom sized for `keys` items.
///
/// The result is **always a power of two** so the per-lookup `bit_idx %
/// bit_count` reduces to `bit_idx & (bit_count - 1)` — a single AND
/// instruction on every hash function in the hot path.
fn sized_bits_for_keys(keys: u64) -> u64 {
    let raw = keys.saturating_mul(u64::from(BITS_PER_KEY));
    let lower_bound = raw.max(MIN_BITS);
    if lower_bound.is_power_of_two() {
        return lower_bound;
    }
    lower_bound
        .checked_next_power_of_two()
        .unwrap_or(1_u64 << 63)
}

/// Bloom filter implementation.
///
/// `Bloom` is `Sync` because mutations go through atomic word stores and
/// only set bits (never clear), so a missed atomic OR is safe — at worst we
/// observe a false negative briefly until the next set, which is impossible
/// because we never clear bits. The underlying invariant ("set bits do not
/// vanish") is what makes the filter correct under concurrent inserts and
/// concurrent reads without locks.
///
/// The bit array is held as a fixed-size `Box<[AtomicU64]>` rather than a
/// `Vec`: once constructed the bloom never resizes, and `Box<[_]>` is
/// 16 bytes lighter than `Vec` in the struct, which matters when
/// thousands of namespaces each carry their own bloom.
#[derive(Debug)]
pub(crate) struct Bloom {
    /// Bit array stored as `u64` words for cheap atomic OR.
    words: Box<[AtomicU64]>,
    /// Total bit count. Equal to `words.len() * 64`. Always a power of two
    /// so the per-hash modular reduction is a single AND.
    bit_count: u64,
    /// `bit_count - 1`. Pre-computed so the hot path does one AND, not an
    /// AND plus a subtract.
    bit_mask: u64,
}

impl Bloom {
    /// Construct a new bloom sized for at least `expected_keys` items.
    #[must_use]
    pub(crate) fn for_keys(expected_keys: u64) -> Self {
        let bit_count = sized_bits_for_keys(expected_keys);
        let word_count = (bit_count / 64) as usize;
        let mut words: Vec<AtomicU64> = Vec::with_capacity(word_count);
        for _ in 0..word_count {
            words.push(AtomicU64::new(0));
        }
        Self {
            words: words.into_boxed_slice(),
            bit_count,
            bit_mask: bit_count - 1,
        }
    }

    /// Construct from raw bytes produced by [`Bloom::encode`].
    ///
    /// # Errors
    ///
    /// Returns [`Error::Corrupted`] when `bytes.len()` is not a multiple of
    /// 8 or when the resulting bit count is not a power of two.
    pub(crate) fn from_bytes(bytes: &[u8]) -> Result<Self> {
        if bytes.len() % 8 != 0 {
            return Err(Error::Corrupted {
                offset: 0,
                reason: "bloom byte length is not a multiple of 8",
            });
        }
        let word_count = bytes.len() / 8;
        let bit_count = (word_count * 64) as u64;
        if bit_count == 0 || !bit_count.is_power_of_two() {
            return Err(Error::Corrupted {
                offset: 0,
                reason: "bloom bit count must be a positive power of two",
            });
        }
        let mut words: Vec<AtomicU64> = Vec::with_capacity(word_count);
        for i in 0..word_count {
            let off = i * 8;
            let mut buf = [0_u8; 8];
            buf.copy_from_slice(&bytes[off..off + 8]);
            words.push(AtomicU64::new(u64::from_le_bytes(buf)));
        }
        Ok(Self {
            words: words.into_boxed_slice(),
            bit_count,
            bit_mask: bit_count - 1,
        })
    }

    /// Encode the filter as a contiguous byte buffer in little-endian order.
    /// Each `u64` word is written as eight bytes; `from_bytes` is the
    /// inverse.
    #[must_use]
    pub(crate) fn encode(&self) -> Vec<u8> {
        let mut out = Vec::with_capacity(self.words.len() * 8);
        for word in &self.words {
            out.extend_from_slice(&word.load(Ordering::Relaxed).to_le_bytes());
        }
        out
    }

    /// Total bit count.
    #[must_use]
    pub(crate) const fn bit_count(&self) -> u64 {
        self.bit_count
    }

    /// Total word count (`bit_count / 64`).
    #[must_use]
    pub(crate) fn word_count(&self) -> usize {
        self.words.len()
    }

    /// Insert a key (identified by its 64-bit FxHash) into the filter.
    ///
    /// Concurrent inserts and concurrent `contains` calls are safe; both
    /// proceed under `AtomicU64::fetch_or` and never block.
    pub(crate) fn insert(&self, hash: u64) {
        for bit_idx in self.bit_indices(hash) {
            let word = bit_idx / 64;
            let mask = 1_u64 << (bit_idx % 64);
            // SAFETY-equivalent: word index is bounded by `bit_indices`'s
            // modulo-`bit_count` arithmetic, which guarantees `< bit_count`,
            // so `word < words.len()`.
            let _previous = self.words[word as usize].fetch_or(mask, Ordering::Relaxed);
        }
    }

    /// `true` when the key may be present (subject to the configured FPR);
    /// `false` is a definitive "the key has never been inserted".
    #[must_use]
    pub(crate) fn contains(&self, hash: u64) -> bool {
        for bit_idx in self.bit_indices(hash) {
            let word = bit_idx / 64;
            let mask = 1_u64 << (bit_idx % 64);
            let current = self.words[word as usize].load(Ordering::Relaxed);
            if current & mask == 0 {
                return false;
            }
        }
        true
    }

    /// Clear every bit. Concurrent `contains` calls in flight at the time
    /// of `clear` may briefly return false negatives; this is acceptable
    /// because clear is only called during catastrophic operations
    /// (`db.clear`, namespace drop) where the underlying records are also
    /// gone.
    pub(crate) fn clear(&self) {
        for word in &self.words {
            word.store(0, Ordering::Relaxed);
        }
    }

    fn bit_indices(&self, hash: u64) -> impl Iterator<Item = u64> + '_ {
        // Two-hash trick (Kirsch & Mitzenmacher 2006): derive `k`
        // independent indices from one 64-bit hash by taking
        // `(low + i * high) mod bit_count`. With a power-of-two
        // bit_count, the modulo collapses to a mask.
        let low = hash as u32 as u64;
        let high = hash >> 32;
        let mask = self.bit_mask;
        (0..u64::from(HASH_COUNT)).map(move |i| low.wrapping_add(i.wrapping_mul(high)) & mask)
    }
}

#[cfg(test)]
mod tests {
    use super::{sized_bits_for_keys, Bloom, BITS_PER_KEY, HASH_COUNT, MIN_BITS};

    fn h(key: &[u8]) -> u64 {
        crate::storage::fxhash::hash(key)
    }

    #[test]
    fn fresh_bloom_reports_no_keys_present() {
        let bloom = Bloom::for_keys(1024);
        assert!(!bloom.contains(h(b"missing")));
        assert!(!bloom.contains(h(b"also-missing")));
    }

    #[test]
    fn inserted_key_is_definitely_reported_as_present() {
        let bloom = Bloom::for_keys(1024);
        bloom.insert(h(b"alpha"));
        assert!(bloom.contains(h(b"alpha")));
    }

    #[test]
    fn false_positive_rate_stays_below_two_percent_at_capacity() {
        // Insert exactly `n` distinct keys, then probe `n` distinct
        // never-inserted keys and count how many the filter flags as
        // "present". With 10 bits/key and 7 hashes the rate should be
        // around 1%; we allow 2% to leave room for the variance of small
        // sample sizes.
        let n: u64 = 5_000;
        let bloom = Bloom::for_keys(n);
        for i in 0..n {
            let key = format!("inserted-{i}");
            bloom.insert(h(key.as_bytes()));
        }

        let mut false_positives = 0_u64;
        for i in 0..n {
            let key = format!("never-inserted-{i}");
            if bloom.contains(h(key.as_bytes())) {
                false_positives += 1;
            }
        }
        let rate = false_positives as f64 / n as f64;
        assert!(rate < 0.02, "false-positive rate {rate} exceeded 2%");
    }

    #[test]
    fn bit_count_rounds_up_to_word_boundary_and_meets_minimum() {
        // Tiny key count forces the MIN_BITS floor.
        let bloom = Bloom::for_keys(1);
        assert!(bloom.bit_count() >= MIN_BITS);
        assert_eq!(bloom.bit_count() % 64, 0);

        // Larger key count uses BITS_PER_KEY directly.
        let bloom = Bloom::for_keys(10_000);
        let expected_min = u64::from(BITS_PER_KEY) * 10_000;
        assert!(bloom.bit_count() >= expected_min);
        assert_eq!(bloom.bit_count() % 64, 0);
    }

    #[test]
    fn encode_round_trips_through_from_bytes() {
        let bloom = Bloom::for_keys(1024);
        for i in 0..200_u64 {
            bloom.insert(h(format!("k{i}").as_bytes()));
        }
        let encoded = bloom.encode();
        let decoded = match Bloom::from_bytes(&encoded) {
            Ok(b) => b,
            Err(err) => panic!("from_bytes should succeed: {err}"),
        };
        for i in 0..200_u64 {
            assert!(decoded.contains(h(format!("k{i}").as_bytes())));
        }
        assert_eq!(decoded.bit_count(), bloom.bit_count());
    }

    #[test]
    fn from_bytes_rejects_unaligned_input() {
        let bytes = vec![0_u8; 7];
        let bloom = Bloom::from_bytes(&bytes);
        assert!(bloom.is_err());
    }

    #[test]
    fn clear_drops_every_inserted_key() {
        let bloom = Bloom::for_keys(1024);
        bloom.insert(h(b"alpha"));
        bloom.insert(h(b"beta"));
        assert!(bloom.contains(h(b"alpha")));
        bloom.clear();
        assert!(!bloom.contains(h(b"alpha")));
        assert!(!bloom.contains(h(b"beta")));
    }

    #[test]
    fn sized_bits_helper_returns_a_power_of_two() {
        // The mask shortcut on the hot path requires this. If sizing ever
        // drifts to a non-power-of-two, the per-hash modular reduction
        // silently produces wrong bit indices.
        for keys in [0_u64, 1, 100, 999, 10_000_000] {
            let bits = sized_bits_for_keys(keys);
            assert!(
                bits.is_power_of_two(),
                "{bits} bits is not a power of two for {keys} keys"
            );
            assert!(bits >= MIN_BITS);
        }
    }

    #[test]
    fn bit_mask_lookup_matches_modular_reference() {
        // Cross-check the optimised mask path against a slow modulo
        // implementation on a range of inputs.
        let bloom = Bloom::for_keys(4096);
        let bit_count = bloom.bit_count();
        for hash in [0_u64, 1, 0xFFFF_FFFF, 0xDEAD_BEEF_CAFE_BABE, u64::MAX] {
            let low = hash as u32 as u64;
            let high = hash >> 32;
            for i in 0..7_u64 {
                let modular = low.wrapping_add(i.wrapping_mul(high)) % bit_count;
                let masked = low.wrapping_add(i.wrapping_mul(high)) & (bit_count - 1);
                assert_eq!(modular, masked);
            }
        }
    }

    #[test]
    fn hash_count_constant_is_seven() {
        // Locked down because the design assumes k = 7.
        assert_eq!(HASH_COUNT, 7);
    }

    #[test]
    fn concurrent_inserts_do_not_lose_set_bits() {
        // Two threads inserting different keys must not race each other —
        // every inserted key must be `contains`-positive after both threads
        // join. Atomic `fetch_or` semantics make this trivially correct;
        // this test documents the invariant.
        use std::sync::Arc;
        let bloom = Arc::new(Bloom::for_keys(4096));
        let bloom_a = Arc::clone(&bloom);
        let bloom_b = Arc::clone(&bloom);

        let a = std::thread::spawn(move || {
            for i in 0..1024_u64 {
                bloom_a.insert(h(format!("a{i}").as_bytes()));
            }
        });
        let b = std::thread::spawn(move || {
            for i in 0..1024_u64 {
                bloom_b.insert(h(format!("b{i}").as_bytes()));
            }
        });
        let _ = a.join();
        let _ = b.join();

        for i in 0..1024_u64 {
            assert!(bloom.contains(h(format!("a{i}").as_bytes())));
            assert!(bloom.contains(h(format!("b{i}").as_bytes())));
        }
    }
}