failsafe 1.3.0

A circuit breaker implementation
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400

use std::fmt::{self, Debug};
use std::sync::Arc;
use std::time::{Duration, Instant};

use parking_lot::Mutex;

use super::clock;
use super::failure_policy::FailurePolicy;
use super::instrument::Instrument;

const ON_CLOSED: u8 = 0b0000_0001;
const ON_HALF_OPEN: u8 = 0b0000_0010;
const ON_REJECTED: u8 = 0b0000_0100;
const ON_OPEN: u8 = 0b0000_1000;

/// States of the state machine.
#[derive(Debug)]
enum State {
    /// A closed breaker is operating normally and allowing.
    Closed,
    /// An open breaker has tripped and will not allow requests through until an interval expired.
    Open(Instant, Duration),
    /// A half open breaker has completed its wait interval and will allow requests. The state keeps
    /// the previous duration in an open state.
    HalfOpen(Duration),
}

struct Shared<POLICY> {
    state: State,
    failure_policy: POLICY,
}

struct Inner<POLICY, INSTRUMENT> {
    shared: Mutex<Shared<POLICY>>,
    instrument: INSTRUMENT,
}

/// A circuit breaker implementation backed by state machine.
///
/// It is implemented via a finite state machine with three states: `Closed`, `Open` and `HalfOpen`.
/// The state machine does not know anything about the backend's state by itself, but uses the
/// information provided by the method via `on_success` and `on_error` events. Before communicating
/// with the backend, the the permission to do so must be obtained via the method `is_call_permitted`.
///
/// The state of the state machine changes from `Closed` to `Open` when the `FailurePolicy`
/// reports that the failure rate is above a (configurable) threshold. Then, all access to the backend
/// is blocked for a time duration provided by `FailurePolicy`.
///
/// After the time duration has elapsed, the state changes from `Open` to `HalfOpen` and allows
/// calls to see if the backend is still unavailable or has become available again. If the circuit
/// breaker receives a failure on the next call, the state will change back to `Open`. Otherwise
/// it changes to `Closed`.
pub struct StateMachine<POLICY, INSTRUMENT> {
    inner: Arc<Inner<POLICY, INSTRUMENT>>,
}

impl State {
    /// Returns a string value for the state identifier.
    #[inline]
    pub fn as_str(&self) -> &'static str {
        match self {
            State::Open(_, _) => "open",
            State::Closed => "closed",
            State::HalfOpen(_) => "half_open",
        }
    }
}

impl<POLICY, INSTRUMENT> Debug for StateMachine<POLICY, INSTRUMENT> {
    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
        let shared = self.inner.shared.lock();
        f.debug_struct("StateMachine")
            .field("state", &(shared.state.as_str()))
            .finish()
    }
}

impl<POLICY, INSTRUMENT> Clone for StateMachine<POLICY, INSTRUMENT> {
    fn clone(&self) -> Self {
        StateMachine {
            inner: self.inner.clone(),
        }
    }
}

impl<POLICY> Shared<POLICY>
where
    POLICY: FailurePolicy,
{
    #[inline]
    fn transit_to_closed(&mut self) {
        self.state = State::Closed;
        self.failure_policy.revived();
    }

    #[inline]
    fn transit_to_half_open(&mut self, delay: Duration) {
        self.state = State::HalfOpen(delay);
    }

    #[inline]
    fn transit_to_open(&mut self, delay: Duration) {
        let until = clock::now() + delay;
        self.state = State::Open(until, delay);
    }
}

impl<POLICY, INSTRUMENT> StateMachine<POLICY, INSTRUMENT>
where
    POLICY: FailurePolicy,
    INSTRUMENT: Instrument,
{
    /// Creates a new state machine with given failure policy and instrument.
    pub fn new(failure_policy: POLICY, instrument: INSTRUMENT) -> Self {
        instrument.on_closed();

        StateMachine {
            inner: Arc::new(Inner {
                shared: Mutex::new(Shared {
                    state: State::Closed,
                    failure_policy,
                }),
                instrument,
            }),
        }
    }

    /// Requests permission to call.
    ///
    /// It returns `true` if a call is allowed, or `false` if prohibited.
    pub fn is_call_permitted(&self) -> bool {
        let mut instrument: u8 = 0;

        let res = {
            let mut shared = self.inner.shared.lock();

            match shared.state {
                State::Closed => true,
                State::HalfOpen(_) => true,
                State::Open(until, delay) => {
                    if clock::now() > until {
                        shared.transit_to_half_open(delay);
                        instrument |= ON_HALF_OPEN;
                        true
                    } else {
                        instrument |= ON_REJECTED;
                        false
                    }
                }
            }
        };

        if instrument & ON_HALF_OPEN != 0 {
            self.inner.instrument.on_half_open();
        }

        if instrument & ON_REJECTED != 0 {
            self.inner.instrument.on_call_rejected();
        }

        res
    }

    /// Reset state machine to Closed
    ///
    pub fn reset(&self) {
        let mut shared = self.inner.shared.lock();
        match shared.state {
            State::HalfOpen(_) => {
                shared.transit_to_closed();
                self.inner.instrument.on_closed();
            }
            State::Open(_, _) => {
                shared.transit_to_closed();
                self.inner.instrument.on_closed();
            }
            _ => {}
        }
    }

    /// Records a successful call.
    ///
    /// This method must be invoked when a call was success.
    pub fn on_success(&self) {
        let mut instrument: u8 = 0;
        {
            let mut shared = self.inner.shared.lock();
            if let State::HalfOpen(_) = shared.state {
                shared.transit_to_closed();
                instrument |= ON_CLOSED;
            }
            shared.failure_policy.record_success()
        }

        if instrument & ON_CLOSED != 0 {
            self.inner.instrument.on_closed();
        }
    }

    /// Records a failed call.
    ///
    /// This method must be invoked when a call failed.
    pub fn on_error(&self) {
        let mut instrument: u8 = 0;
        {
            let mut shared = self.inner.shared.lock();
            match shared.state {
                State::Closed => {
                    if let Some(delay) = shared.failure_policy.mark_dead_on_failure() {
                        shared.transit_to_open(delay);
                        instrument |= ON_OPEN;
                    }
                }
                State::HalfOpen(delay_in_half_open) => {
                    // Pick up the next open state's delay from the policy, if policy returns Some(_)
                    // use it, otherwise reuse the delay from the current state.
                    let delay = shared
                        .failure_policy
                        .mark_dead_on_failure()
                        .unwrap_or(delay_in_half_open);
                    shared.transit_to_open(delay);
                    instrument |= ON_OPEN;
                }
                _ => {}
            }
        }

        if instrument & ON_OPEN != 0 {
            self.inner.instrument.on_open();
        }
    }
}

#[cfg(test)]
mod tests {
    use std::sync::atomic::{AtomicUsize, Ordering};
    use std::sync::{Arc, Mutex};

    use super::super::backoff;
    use super::super::failure_policy::consecutive_failures;
    use super::*;

    /// Perform `Closed` -> `Open` -> `HalfOpen` -> `Open` -> `HalfOpen` -> `Closed` transitions.
    #[test]
    fn state_machine() {
        clock::freeze(move |time| {
            let observe = Observer::new();
            let backoff = backoff::exponential(5.seconds(), 300.seconds());
            let policy = consecutive_failures(3, backoff);
            let state_machine = StateMachine::new(policy, observe.clone());

            assert!(state_machine.is_call_permitted());

            // Perform success requests. the circuit breaker must be closed.
            for _i in 0..10 {
                assert!(state_machine.is_call_permitted());
                state_machine.on_success();
                assert!(observe.is_closed());
            }

            // Perform failed requests, the circuit breaker still closed.
            for _i in 0..2 {
                assert!(state_machine.is_call_permitted());
                state_machine.on_error();
                assert!(observe.is_closed());
            }

            // Perform a failed request and transit to the open state for 5s.
            assert!(state_machine.is_call_permitted());
            state_machine.on_error();
            assert!(observe.is_open());

            // Reject call attempts, the circuit breaker in open state.
            for i in 0..10 {
                assert!(!state_machine.is_call_permitted());
                assert_eq!(i + 1, observe.rejected_calls());
            }

            // Wait 2s, the circuit breaker still open.
            time.advance(2.seconds());
            assert!(!state_machine.is_call_permitted());
            assert!(observe.is_open());

            clock::now();

            // Wait 4s (6s total), the circuit breaker now in the half open state.
            time.advance(4.seconds());
            assert!(state_machine.is_call_permitted());
            assert!(observe.is_half_open());

            // Perform a failed request and transit back to the open state for 10s.
            state_machine.on_error();
            assert!(!state_machine.is_call_permitted());
            assert!(observe.is_open());

            // Wait 5s, the circuit breaker still open.
            time.advance(5.seconds());
            assert!(!state_machine.is_call_permitted());
            assert!(observe.is_open());

            // Wait 6s (11s total), the circuit breaker now in the half open state.
            time.advance(6.seconds());
            assert!(state_machine.is_call_permitted());
            assert!(observe.is_half_open());

            // Perform a success request and transit to the closed state.
            state_machine.on_success();
            assert!(state_machine.is_call_permitted());
            assert!(observe.is_closed());

            // Perform success requests.
            for _i in 0..10 {
                assert!(state_machine.is_call_permitted());
                state_machine.on_success();
            }

            // Perform failed request and transit back to open state
            for _i in 0..3 {
                state_machine.on_error();
            }
            assert!(observe.is_open());

            // Reset state machine
            state_machine.reset();
            assert!(observe.is_closed());
        });
    }

    #[derive(Debug)]
    enum State {
        Open,
        HalfOpen,
        Closed,
    }

    #[derive(Clone, Debug)]
    struct Observer {
        state: Arc<Mutex<State>>,
        rejected_calls: Arc<AtomicUsize>,
    }

    impl Observer {
        fn new() -> Self {
            Observer {
                state: Arc::new(Mutex::new(State::Closed)),
                rejected_calls: Arc::new(AtomicUsize::new(0)),
            }
        }

        fn is_closed(&self) -> bool {
            matches!(*self.state.lock().unwrap(), State::Closed)
        }

        fn is_open(&self) -> bool {
            matches!(*self.state.lock().unwrap(), State::Open)
        }

        fn is_half_open(&self) -> bool {
            matches!(*self.state.lock().unwrap(), State::HalfOpen)
        }

        fn rejected_calls(&self) -> usize {
            self.rejected_calls.load(Ordering::SeqCst)
        }
    }

    impl Instrument for Observer {
        fn on_call_rejected(&self) {
            self.rejected_calls.fetch_add(1, Ordering::SeqCst);
        }

        fn on_open(&self) {
            println!("state=open");
            let mut own_state = self.state.lock().unwrap();
            *own_state = State::Open
        }

        fn on_half_open(&self) {
            println!("state=half_open");
            let mut own_state = self.state.lock().unwrap();
            *own_state = State::HalfOpen
        }

        fn on_closed(&self) {
            println!("state=closed");
            let mut own_state = self.state.lock().unwrap();
            *own_state = State::Closed
        }
    }

    trait IntoDuration {
        fn seconds(self) -> Duration;
    }

    impl IntoDuration for u64 {
        fn seconds(self) -> Duration {
            Duration::from_secs(self)
        }
    }
}