lock-db 0.3.0

Lock manager and deadlock detection for Rust databases - row/range locks, multiple granularities, and wait-for cycle detection.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359

//! Property-based tests for the lock-table invariants.
//!
//! The central correctness property of a lock manager is that it never grants
//! two incompatible locks on the same resource. Rather than assert that
//! directly on the manager's private state, these tests run a stream of
//! arbitrary acquire/release operations against both the real `LockManager` and
//! a tiny reference model that applies the compatibility rules by hand, then
//! assert the two agree after every step. If the manager ever grants a lock the
//! model rejects (or vice versa), the property fails and proptest shrinks the
//! operation sequence to a minimal counterexample.

// The lock manager is only built with the `std` feature; these properties
// exercise it, so they compile away entirely in a `no_std` configuration.
#![cfg(feature = "std")]
#![allow(clippy::unwrap_used)]

use std::collections::HashMap;

use lock_db::{KeyRange, LockError, LockManager, LockMode, ResourceId, TxnId};
use proptest::prelude::*;

/// Small fixed universe keeps contention high and the shrunk cases readable.
const TXNS: u64 = 4;
const RESOURCES: u64 = 3;

#[derive(Clone, Copy, Debug)]
enum Op {
    Acquire { txn: u64, res: u64, mode: LockMode },
    Release { txn: u64, res: u64 },
}

const MODES: [LockMode; 5] = [
    LockMode::IntentionShared,
    LockMode::IntentionExclusive,
    LockMode::Shared,
    LockMode::SharedIntentionExclusive,
    LockMode::Exclusive,
];

fn op_strategy() -> impl Strategy<Value = Op> {
    let txn = 0..TXNS;
    let res = 0..RESOURCES;
    prop_oneof![
        (txn.clone(), res.clone(), 0..MODES.len()).prop_map(|(txn, res, m)| Op::Acquire {
            txn,
            res,
            mode: MODES[m],
        }),
        (txn, res).prop_map(|(txn, res)| Op::Release { txn, res }),
    ]
}

/// Reference model: the mode each transaction holds on each resource.
#[derive(Default)]
struct Model {
    held: HashMap<(u64, u64), LockMode>,
}

impl Model {
    fn holders_of(&self, res: u64) -> Vec<(u64, LockMode)> {
        self.held
            .iter()
            .filter(|((_, r), _)| *r == res)
            .map(|((t, _), m)| (*t, *m))
            .collect()
    }

    /// Returns the result an honest lock manager must produce for this acquire,
    /// updating the model when the grant succeeds.
    fn apply_acquire(&mut self, txn: u64, res: u64, mode: LockMode) -> Result<(), LockError> {
        if let Some(&current) = self.held.get(&(txn, res)) {
            if current.covers(mode) {
                return Ok(());
            }
            // Upgrade to the join, allowed only if compatible with other holders.
            let target = current.join(mode);
            let blocked = self
                .holders_of(res)
                .into_iter()
                .any(|(t, held)| t != txn && !held.compatible_with(target));
            if blocked {
                return Err(LockError::Conflict);
            }
            let _ = self.held.insert((txn, res), target);
            return Ok(());
        }

        let compatible = self
            .holders_of(res)
            .into_iter()
            .all(|(_, held)| held.compatible_with(mode));
        if compatible {
            let _ = self.held.insert((txn, res), mode);
            Ok(())
        } else {
            Err(LockError::Conflict)
        }
    }

    fn apply_release(&mut self, txn: u64, res: u64) -> Result<(), LockError> {
        if self.held.remove(&(txn, res)).is_some() {
            Ok(())
        } else {
            Err(LockError::NotHeld)
        }
    }

    /// The compatibility invariant the manager must always satisfy: every pair
    /// of distinct holders of the same resource holds compatible modes.
    fn assert_internally_consistent(&self) {
        let mut by_res: HashMap<u64, Vec<LockMode>> = HashMap::new();
        for ((_, res), mode) in &self.held {
            by_res.entry(*res).or_default().push(*mode);
        }
        for modes in by_res.values() {
            for i in 0..modes.len() {
                for j in (i + 1)..modes.len() {
                    assert!(
                        modes[i].compatible_with(modes[j]),
                        "incompatible holders coexist: {:?} and {:?}",
                        modes[i],
                        modes[j],
                    );
                }
            }
        }
    }
}

proptest! {
    #![proptest_config(ProptestConfig::with_cases(400))]

    /// The manager agrees with the reference model after every operation, for
    /// any interleaving of acquires and releases, across several shard counts.
    #[test]
    fn manager_matches_model(
        ops in proptest::collection::vec(op_strategy(), 1..200),
        shards in prop_oneof![Just(1usize), Just(4), Just(16)],
    ) {
        let lm = LockManager::with_shards(shards);
        let mut model = Model::default();

        for op in ops {
            match op {
                Op::Acquire { txn, res, mode } => {
                    let want = model.apply_acquire(txn, res, mode);
                    let got = lm.try_acquire(TxnId::new(txn), ResourceId::new(res), mode);
                    prop_assert_eq!(got, want, "acquire mismatch on op {:?}", op);
                }
                Op::Release { txn, res } => {
                    let want = model.apply_release(txn, res);
                    let got = lm.release(TxnId::new(txn), ResourceId::new(res));
                    prop_assert_eq!(got, want, "release mismatch on op {:?}", op);
                }
            }

            model.assert_internally_consistent();

            // Cross-check observable manager state against the model.
            for t in 0..TXNS {
                for r in 0..RESOURCES {
                    let expected = model.held.get(&(t, r)).copied();
                    prop_assert_eq!(lm.mode_held(TxnId::new(t), ResourceId::new(r)), expected);
                }
                prop_assert_eq!(
                    lm.holder_count(ResourceId::new(0)),
                    model.holders_of(0).len()
                );
            }
        }
    }

    /// `release_all` drops exactly the locks the model says a transaction holds,
    /// and leaves every other transaction's locks untouched.
    #[test]
    fn release_all_matches_model(
        ops in proptest::collection::vec(op_strategy(), 1..200),
        victim in 0..TXNS,
    ) {
        let lm = LockManager::with_shards(8);
        let mut model = Model::default();

        for op in ops {
            match op {
                Op::Acquire { txn, res, mode } => {
                    if model.apply_acquire(txn, res, mode).is_ok() {
                        let _ = lm.try_acquire(TxnId::new(txn), ResourceId::new(res), mode);
                    }
                }
                Op::Release { txn, res } => {
                    if model.apply_release(txn, res).is_ok() {
                        let _ = lm.release(TxnId::new(txn), ResourceId::new(res));
                    }
                }
            }
        }

        let expected_count = model.held.keys().filter(|(t, _)| *t == victim).count();
        let released = lm.release_all(TxnId::new(victim));
        prop_assert_eq!(released, expected_count);

        // The victim now holds nothing; everyone else is unchanged.
        for r in 0..RESOURCES {
            prop_assert_eq!(lm.mode_held(TxnId::new(victim), ResourceId::new(r)), None);
        }
        for t in 0..TXNS {
            if t == victim {
                continue;
            }
            for r in 0..RESOURCES {
                let expected = model.held.get(&(t, r)).copied();
                prop_assert_eq!(lm.mode_held(TxnId::new(t), ResourceId::new(r)), expected);
            }
        }
    }
}

// ---- range locks ----

const SPACES: u64 = 2;
const KEY_MAX: u64 = 7;

#[derive(Clone, Copy, Debug)]
enum RangeOp {
    Acquire {
        txn: u64,
        space: u64,
        range: KeyRange,
        mode: LockMode,
    },
    Release {
        txn: u64,
        space: u64,
        range: KeyRange,
    },
}

fn range_strategy() -> impl Strategy<Value = KeyRange> {
    (0..=KEY_MAX, 0..=KEY_MAX).prop_map(|(a, b)| {
        let (lo, hi) = if a <= b { (a, b) } else { (b, a) };
        KeyRange::new(lo, hi).unwrap()
    })
}

fn range_op_strategy() -> impl Strategy<Value = RangeOp> {
    let txn = 0..TXNS;
    let space = 0..SPACES;
    prop_oneof![
        (txn.clone(), space.clone(), range_strategy(), 0..MODES.len()).prop_map(
            |(txn, space, range, m)| RangeOp::Acquire {
                txn,
                space,
                range,
                mode: MODES[m],
            }
        ),
        (txn, space, range_strategy()).prop_map(|(txn, space, range)| RangeOp::Release {
            txn,
            space,
            range
        }),
    ]
}

/// Reference model for range locks, mirroring the manager's storage exactly: a
/// per-space `Vec` of holders, pushed on acquire and `swap_remove`d on release,
/// so both stay in identical order and the "first matching range" picked on
/// release is the same element in both.
#[derive(Default)]
struct RangeModel {
    spaces: HashMap<u64, Vec<(u64, KeyRange, LockMode)>>,
}

impl RangeModel {
    fn apply_acquire(
        &mut self,
        txn: u64,
        space: u64,
        range: KeyRange,
        mode: LockMode,
    ) -> Result<(), LockError> {
        let holders = self.spaces.entry(space).or_default();
        let conflict = holders
            .iter()
            .any(|(t, r, m)| *t != txn && r.overlaps(range) && !m.compatible_with(mode));
        if conflict {
            return Err(LockError::Conflict);
        }
        holders.push((txn, range, mode));
        Ok(())
    }

    fn apply_release(&mut self, txn: u64, space: u64, range: KeyRange) -> Result<(), LockError> {
        if let Some(holders) = self.spaces.get_mut(&space) {
            if let Some(pos) = holders
                .iter()
                .position(|(t, r, _)| *t == txn && *r == range)
            {
                let _ = holders.swap_remove(pos);
                return Ok(());
            }
        }
        Err(LockError::NotHeld)
    }

    fn assert_no_incompatible_overlap(&self) {
        for holders in self.spaces.values() {
            for i in 0..holders.len() {
                for j in (i + 1)..holders.len() {
                    let (ti, ri, mi) = holders[i];
                    let (tj, rj, mj) = holders[j];
                    if ti != tj && ri.overlaps(rj) {
                        assert!(
                            mi.compatible_with(mj),
                            "incompatible overlapping ranges: {ri:?}/{mi:?} and {rj:?}/{mj:?}",
                        );
                    }
                }
            }
        }
    }
}

proptest! {
    #![proptest_config(ProptestConfig::with_cases(400))]

    /// The range-lock facility agrees with the reference model after every
    /// operation, and never lets two transactions hold overlapping ranges in
    /// incompatible modes.
    #[test]
    fn range_manager_matches_model(
        ops in proptest::collection::vec(range_op_strategy(), 1..200),
    ) {
        let lm = LockManager::with_shards(4);
        let mut model = RangeModel::default();

        for op in ops {
            match op {
                RangeOp::Acquire { txn, space, range, mode } => {
                    let want = model.apply_acquire(txn, space, range, mode);
                    let got = lm.try_acquire_range(TxnId::new(txn), ResourceId::new(space), range, mode);
                    prop_assert_eq!(got, want, "acquire mismatch on {:?}", op);
                }
                RangeOp::Release { txn, space, range } => {
                    let want = model.apply_release(txn, space, range);
                    let got = lm.release_range(TxnId::new(txn), ResourceId::new(space), range);
                    prop_assert_eq!(got, want, "release mismatch on {:?}", op);
                }
            }

            model.assert_no_incompatible_overlap();

            for s in 0..SPACES {
                let expected = model.spaces.get(&s).map_or(0, Vec::len);
                prop_assert_eq!(lm.range_count(ResourceId::new(s)), expected);
            }
        }
    }
}