running-process 4.5.5

Subprocess and PTY runtime for the running-process project
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169

//! Backend crash recovery policy for broker-managed services.
//!
//! This module only models state transitions. The caller remains responsible
//! for removing dead registry entries, spawning processes, and mapping refusal
//! decisions into wire-level `Refused` replies.

use std::collections::HashMap;
use std::time::{Duration, Instant};

use super::backend_registry::BackendKey;
use super::spawn_coordinator::DEFAULT_SPAWN_BUDGET_WINDOW;

/// Default delay before the broker retries a crashed backend once.
pub const DEFAULT_RECOVERY_RETRY_BACKOFF: Duration = Duration::from_millis(250);

/// Default window before a backend-unavailable refusal can retry recovery.
pub const DEFAULT_RECOVERY_BUDGET_WINDOW: Duration = DEFAULT_SPAWN_BUDGET_WINDOW;

/// Recovery tuning for one backend key.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct BackendRecoveryPolicy {
    /// Delay reported before the one allowed retry should begin.
    pub retry_backoff: Duration,
    /// Window bounding crash retries and backend-unavailable retry-after hints.
    pub budget_window: Duration,
}

impl BackendRecoveryPolicy {
    /// Build a policy, clamping zero durations to a non-zero floor.
    pub fn new(retry_backoff: Duration, budget_window: Duration) -> Self {
        Self {
            retry_backoff: non_zero_duration(retry_backoff),
            budget_window: non_zero_duration(budget_window),
        }
    }
}

impl Default for BackendRecoveryPolicy {
    fn default() -> Self {
        Self {
            retry_backoff: DEFAULT_RECOVERY_RETRY_BACKOFF,
            budget_window: DEFAULT_RECOVERY_BUDGET_WINDOW,
        }
    }
}

/// Per-backend recovery state keyed by broker instance, service, and version.
#[derive(Debug)]
pub struct BackendRecoveryState {
    policy: BackendRecoveryPolicy,
    entries: HashMap<BackendKey, BackendRecoveryEntry>,
}

impl BackendRecoveryState {
    /// Create empty recovery state with the default policy.
    pub fn new() -> Self {
        Self::with_policy(BackendRecoveryPolicy::default())
    }

    /// Create empty recovery state with explicit policy settings.
    pub fn with_policy(policy: BackendRecoveryPolicy) -> Self {
        Self {
            policy,
            entries: HashMap::new(),
        }
    }

    /// Record one observed backend crash and return the recovery decision.
    ///
    /// The first crash in a budget window permits one retry after the configured
    /// backoff. A second crash in the same window is treated as backend
    /// unavailable and returns a retry-after hint for the rest of the window.
    pub fn record_crash(&mut self, key: BackendKey, now: Instant) -> BackendRecoveryDecision {
        let entry = self
            .entries
            .entry(key)
            .or_insert_with(|| BackendRecoveryEntry::new(now));
        entry.refresh(now, self.policy.budget_window);
        entry.crashes_in_window = entry.crashes_in_window.saturating_add(1);

        if entry.crashes_in_window == 1 {
            return BackendRecoveryDecision::Retry {
                retry_after: self.policy.retry_backoff,
                attempt: 1,
            };
        }

        BackendRecoveryDecision::Refuse {
            reason: BackendRecoveryRefusalReason::BackendUnavailable,
            retry_after: retry_after(entry.window_started_at, now, self.policy.budget_window),
        }
    }

    /// Reset crash recovery state after the backend is verified healthy again.
    pub fn record_success(&mut self, key: &BackendKey) {
        self.entries.remove(key);
    }
}

impl Default for BackendRecoveryState {
    fn default() -> Self {
        Self::new()
    }
}

/// Decision returned after an observed backend crash.
#[derive(Clone, Debug, PartialEq, Eq)]
pub enum BackendRecoveryDecision {
    /// The broker may retry this backend once after `retry_after`.
    Retry {
        /// Delay before the retry should begin.
        retry_after: Duration,
        /// 1-based recovery attempt number.
        attempt: u32,
    },
    /// The backend should be refused as unavailable.
    Refuse {
        /// Refusal reason suitable for mapping to a Hello `Refused` reason.
        reason: BackendRecoveryRefusalReason,
        /// Retry-after hint for clients.
        retry_after: Duration,
    },
}

/// Refusal reason emitted by backend recovery state.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum BackendRecoveryRefusalReason {
    /// The backend crashed again after its one retry.
    BackendUnavailable,
}

#[derive(Clone, Debug)]
struct BackendRecoveryEntry {
    window_started_at: Instant,
    crashes_in_window: u32,
}

impl BackendRecoveryEntry {
    fn new(now: Instant) -> Self {
        Self {
            window_started_at: now,
            crashes_in_window: 0,
        }
    }

    fn refresh(&mut self, now: Instant, budget_window: Duration) {
        if elapsed_since(self.window_started_at, now) >= budget_window {
            self.window_started_at = now;
            self.crashes_in_window = 0;
        }
    }
}

fn non_zero_duration(duration: Duration) -> Duration {
    if duration.is_zero() {
        Duration::from_millis(1)
    } else {
        duration
    }
}

fn retry_after(window_started_at: Instant, now: Instant, budget_window: Duration) -> Duration {
    budget_window.saturating_sub(elapsed_since(window_started_at, now))
}

fn elapsed_since(started_at: Instant, now: Instant) -> Duration {
    now.checked_duration_since(started_at)
        .unwrap_or(Duration::ZERO)
}