Skip to main content

kevy_store/
lib.rs

1//! kevy-store — the keyspace.
2//!
3//! A single-threaded, multi-type keyspace with lazy expiration. Each Redis data
4//! type is backed by a modern `std` structure — behaviour-compatible, but **not**
5//! Redis's legacy encodings:
6//!
7//! | Type | Backing structure |
8//! |------|-------------------|
9//! | String | `Vec<u8>` |
10//! | Hash / Set | `HashMap` / `HashSet` (hashbrown Swiss table) |
11//! | List | `VecDeque` (ring buffer, O(1) ends) |
12//! | Sorted set | `HashMap` + `BTreeSet<(score, member)>` (a B-tree, not a skiplist) |
13//!
14//! Wrong-type access returns [`StoreError::WrongType`]. The API is `&mut self`
15//! and lock-free, so a thread-per-core runtime ([kevy-rt]) can own one shard per
16//! core with no locking. Part of the [kevy] key–value server.
17//!
18//! `maxmemory` enforcement + 8 eviction policies live in [`evict`]; toggle via
19//! [`Store::set_max_memory`]. With `maxmemory == 0` (the default) the hot-path
20//! cost collapses to a single predicted-not-taken branch, matching the
21//! "unlimited" mode in Redis byte-for-byte.
22//!
23//! [kevy]: https://crates.io/crates/kevy
24//! [kevy-rt]: https://crates.io/crates/kevy-rt
25//!
26//! # Example
27//!
28//! ```
29//! use kevy_store::Store;
30//!
31//! use std::borrow::Cow;
32//! let mut s = Store::new();
33//! s.set(b"greeting", b"hello".to_vec(), None, false, false);
34//! assert_eq!(s.get(b"greeting").unwrap(), Some(Cow::Borrowed(&b"hello"[..])));
35//!
36//! s.hset(b"user:1", &[(b"name".to_vec(), b"alice".to_vec())]).unwrap();
37//! assert_eq!(s.hget(b"user:1", b"name").unwrap(), Some(&b"alice"[..]));
38//!
39//! // A string command on a hash key is a type error, as in Redis.
40//! assert_eq!(s.get(b"user:1"), Err(kevy_store::StoreError::WrongType));
41//! ```
42#![forbid(unsafe_code)]
43
44mod accounting;
45mod bitmap;
46mod clock;
47mod entry;
48pub mod evict;
49pub mod expire;
50pub use expire::ExpireStats;
51pub(crate) use entry::Entry;
52mod hash;
53mod keyspace;
54mod list;
55mod list_ops;
56mod set;
57mod small_set;
58pub use small_set::{SmallSetData, SmallSetIter};
59mod small_hash;
60pub use small_hash::{SmallHashData, SmallHashIter};
61mod small_list;
62pub use small_list::{SmallListData, SmallListIter};
63mod small_zset;
64pub use small_zset::{SmallZSetData, SmallZSetIter};
65mod snapshot;
66pub use snapshot::SnapshotView;
67mod stream;
68mod string;
69mod util;
70mod value;
71mod zset;
72pub use stream::{
73    AutoclaimResult, ConsumerGroup, ConsumerState, EntryBatch, GroupCreateMode,
74    LoadedGroup, LoadedPelEntry, LoadedStreamEntry, PelEntry, PendingExtended,
75    PendingExtendedRow, PendingSummary, ReadGroupId, StreamData, StreamId, StreamIdError,
76    XAddIdSpec, XClaimOpts, now_unix_ms, parse_explicit_id, parse_range_end,
77    parse_range_start, parse_xadd_id,
78};
79pub use string::GetReply;
80pub use util::glob_match;
81pub use value::*;
82
83pub(crate) use clock::{deadline_at, now_ns, pack_deadline, remaining_ms};
84use kevy_map::KevyMap;
85
86/// Feed kevy's monotonic clock on `wasm32-unknown-unknown`, which has no
87/// `Instant`. The embedding host advances time (ns since an arbitrary fixed
88/// epoch, e.g. `Date.now() * 1e6`) before TTL-sensitive ops and once per
89/// reaper tick. No-op concept on native targets, where the OS clock is the
90/// source — hence wasm-only.
91#[cfg(all(target_arch = "wasm32", target_os = "unknown"))]
92pub use clock::set_clock_ns;
93/// Feed kevy's wall clock (Unix-epoch millis, e.g. `Date.now()`) on
94/// `wasm32-unknown-unknown`, where `SystemTime::now()` traps. Used by `XADD`
95/// auto-IDs and `EXPIREAT`/`PEXPIREAT`.
96#[cfg(all(target_arch = "wasm32", target_os = "unknown"))]
97pub use clock::set_wall_clock_ms;
98
99
100/// Outcome of [`Store::rename`] — three-way result so the dispatch
101/// layer can pick the right RESP frame (`+OK` / `-ERR no such key` /
102/// `:0` for `RENAMENX`-with-existing-dst).
103#[derive(Debug, PartialEq, Eq)]
104pub enum RenameOutcome {
105    /// Source removed, destination created (overwriting any prior dst).
106    Renamed,
107    /// Source key doesn't exist.
108    NoSuchSrc,
109    /// `RENAMENX` only — destination already exists, no rename done.
110    DstExists,
111}
112
113/// Operation errors surfaced to the command layer.
114#[derive(Debug, PartialEq, Eq)]
115pub enum StoreError {
116    /// Key holds a different type than the command expects.
117    WrongType,
118    /// Value is not a base-10 integer (INCR family).
119    NotInteger,
120    /// Result would overflow `i64`.
121    Overflow,
122    /// Index outside the collection (LSET).
123    OutOfRange,
124    /// Key does not exist where the command requires one (LSET).
125    NoSuchKey,
126    /// Value is not a valid float (INCRBYFLOAT).
127    NotFloat,
128    /// `maxmemory` would be exceeded and the active eviction policy is
129    /// [`EvictionPolicy::NoEviction`]. Surfaces as Redis's classic OOM error
130    /// at the RESP layer.
131    OutOfMemory,
132}
133
134/// Maxmemory eviction policy. Mirror of `kevy_config::EvictionPolicy` —
135/// duplicated here so `kevy-store` stays a leaf crate (no `kevy-config` dep).
136#[derive(Debug, Clone, Copy, PartialEq, Eq, Default)]
137pub enum EvictionPolicy {
138    /// Refuse writes once `maxmemory` is hit. Default.
139    #[default]
140    NoEviction,
141    /// Approximated LRU across all keys.
142    AllKeysLru,
143    /// Approximated LFU across all keys.
144    AllKeysLfu,
145    /// Random key across all keys.
146    AllKeysRandom,
147    /// Approximated LRU across keys with a TTL.
148    VolatileLru,
149    /// Approximated LFU across keys with a TTL.
150    VolatileLfu,
151    /// Random key from those with a TTL.
152    VolatileRandom,
153    /// Key with the shortest remaining TTL.
154    VolatileTtl,
155}
156
157impl EvictionPolicy {
158    /// Whether the policy ranks candidates by LRU clock (read-touches matter).
159    #[inline]
160    pub fn uses_lru(self) -> bool {
161        matches!(self, Self::AllKeysLru | Self::VolatileLru)
162    }
163
164    /// Whether the policy ranks candidates by LFU counter (read-touches and
165    /// log-counter increments matter).
166    #[inline]
167    pub fn uses_lfu(self) -> bool {
168        matches!(self, Self::AllKeysLfu | Self::VolatileLfu)
169    }
170
171    /// Whether the policy restricts eviction to keys that carry a TTL.
172    #[inline]
173    pub fn is_volatile(self) -> bool {
174        matches!(
175            self,
176            Self::VolatileLru | Self::VolatileLfu | Self::VolatileRandom | Self::VolatileTtl
177        )
178    }
179}
180
181/// A single-database keyspace.
182///
183/// The keyspace map is a [`KevyMap`] — a pure-Rust open-addressing Swiss
184/// table tuned for kevy's per-shard, single-trust-domain keyspace. The
185/// hasher is [`kevy_hash::KevyHash`] (one-call inlinable; no DoS hardening
186/// since the shard is single-threaded with no cross-trust keys). Owning the
187/// table also exposes bucket addresses for software prefetch on the batch
188/// driver.
189#[derive(Default)]
190pub struct Store {
191    pub(crate) map: KevyMap<SmallBytes, Entry>,
192    /// Coarse cached monotonic clock (ns since [`epoch`]), refreshed by the
193    /// reactor loop / reaper tick via [`Self::refresh_clock`]. Lazy expiry on
194    /// the read path (`live_entry`) compares deadlines against this instead of
195    /// calling `Instant::now()` per access — the Redis cached-`mstime` model.
196    /// `0` (the `Default`) reads as "epoch" → keys look live until the first
197    /// refresh, the safe direction (expires at most one refresh-interval late,
198    /// never early — writes stamp deadlines from a *fresh* clock).
199    pub(crate) cached_ns: u64,
200    /// Whether lazy expiry trusts `Self::cached_ns` (set by a reactor/reaper
201    /// that calls [`Self::refresh_clock`]) instead of reading a fresh clock per
202    /// access. Enabled by the server reactor and the embedded background
203    /// reaper; left `false` (the `Default`) for manual-reaper / bare-`Store`
204    /// use, where nothing refreshes the cache so each access reads fresh —
205    /// preserving "lazy expiry works without an explicit tick".
206    pub(crate) cached_clock: bool,
207    /// Live byte estimate (dynamic per-entry weights + [`ENTRY_OVERHEAD`] per
208    /// key). Compared against [`Self::maxmemory`] to drive eviction.
209    pub(crate) used_memory: u64,
210    /// Soft byte ceiling. `0` = unlimited; the entire accounting + eviction
211    /// machinery short-circuits to a single not-taken branch in that case.
212    pub(crate) maxmemory: u64,
213    /// Active eviction policy. Only consulted when `used_memory > maxmemory`.
214    pub(crate) eviction_policy: EvictionPolicy,
215    /// Total keys evicted by [`Self::try_evict_after_write`] — surfaced via
216    /// `INFO memory` / `MEMORY STATS`.
217    pub(crate) evictions_total: u64,
218    /// Monotonic access counter; the upper 32 bits are unused, the lower 32
219    /// stamp `Entry::lru_clock` on each access while eviction is enabled.
220    pub(crate) clock_counter: u64,
221    /// `used_memory` peak across the shard's lifetime; surfaced as
222    /// `used_memory_peak` in `INFO memory`.
223    pub(crate) used_memory_peak: u64,
224    /// Keys expired since startup (lazy reap path AND
225    /// [`Self::tick_expire`]). Surfaced via `INFO keyspace` / `MEMORY STATS`
226    /// once those fields land.
227    pub(crate) expired_keys_total: u64,
228    /// Count of live keys carrying a TTL — the size of Redis's "expire set"
229    /// (`INFO keyspace`'s `expires=`). Maintained in O(1) at every TTL
230    /// transition (`insert_entry` / `remove_entry` deltas + the in-place
231    /// EXPIRE / PERSIST / SET sites) so the gauge never pays an O(n) keyspace
232    /// scan; [`Self::ttl_pending_count`] is the O(n) ground truth used to
233    /// assert this counter never drifts.
234    pub(crate) expires: u64,
235    /// `WATCH` version counters — present only for keys that have been
236    /// `WATCH`-ed at least once. [`Self::record_watch`] inserts the entry
237    /// (version 0 = "never written since first watch"); every subsequent
238    /// write on this shard calls [`Self::bump_if_watched`] which increments
239    /// only if the key is present in the map. Keys never `WATCH`-ed pay
240    /// one empty-map hashmap lookup per write (~10 ns).
241    ///
242    /// The map grows monotonically — entries are never evicted, even
243    /// when no conn is currently watching the key. For high-key-churn
244    /// workloads this can become a memory item; v1.x acceptable since
245    /// the entry is `Vec<u8>` + `u64` (~ 30 B + key length) and only
246    /// touched on writes / WATCH calls.
247    pub(crate) watch_versions: std::collections::HashMap<Vec<u8>, u64>,
248    /// Optional handle to the runtime's bio thread (v1.25 A.3). Set by
249    /// `kevy-rt::Runtime::run` via [`Self::set_bio_drop_sender`] before
250    /// the shard reactor loop starts. `None` = inline drop (bare-Store
251    /// embedders, snapshots-loader programs, the test harness — anything
252    /// without a kevy-rt runtime around it). Reads on the hot path are
253    /// one `Option::as_ref` branch; the steady-state inline-drop path
254    /// pays nothing beyond that branch.
255    pub(crate) bio_drop_sender: Option<value::BioDropSender>,
256    /// v1.25 A.2 batch-send buffer. Heavy `Value`s displaced by SET
257    /// overwrites accumulate here instead of paying one mpsc send per
258    /// drop; flushed in one `mpsc::Sender::send` at the end of every
259    /// reactor iteration (via [`Self::flush_pending_drops`], invoked
260    /// from `kevy-rt`'s epoll + io_uring reactor loops before the AOF
261    /// fsync window). Amortising the channel cost over N drops lets
262    /// the heap-heavy threshold sit at 1 KB — small enough that the
263    /// Axis I 256 B – 16 KB SET tail benefits, big enough that
264    /// sub-µs small-class drops still go inline (the push + flush
265    /// branch would cost more than the inline free).
266    ///
267    /// **Latency window**: drops sit in this buffer ≤ one reactor
268    /// iteration (10s of µs at busy-poll, ≤ park-timeout at idle —
269    /// 50 ms by default). On a reactor with no traffic the buffer
270    /// stays small (no new SETs to displace anything); on a reactor
271    /// with sustained writes the per-iter flush fires fast enough
272    /// that worst-case stall is bounded by `MAX_PENDING_DROPS`.
273    ///
274    /// **Bounded growth**: at `MAX_PENDING_DROPS` items the
275    /// `maybe_offload_drop` path force-flushes — protects against
276    /// pathological "thousand SETs in one iter never flush" cases
277    /// (would otherwise hold thousands of Box<Value>s in RAM until
278    /// the iter ends).
279    pub(crate) pending_drops: Vec<Box<Value>>,
280}
281
282/// Maximum [`Store::pending_drops`] depth before forcing a flush
283/// inside `maybe_offload_drop` (rather than waiting for the reactor's
284/// per-iter `flush_pending_drops`). Caps memory held in the batch
285/// buffer at ≤ 64 × sizeof(Box<Value>) (≤ 512 B of pointers + whatever
286/// the boxed payloads weigh — which we WANT to ship anyway, since
287/// holding the bio-bound batch defeats the point of off-reactor frees).
288/// 64 picked as: amortises mpsc send cost (~few hundred ns) across
289/// enough drops that per-drop overhead is ≤ 10 ns, while staying small
290/// enough that worst-case bunch-up latency at the bio thread is bounded.
291pub(crate) const MAX_PENDING_DROPS: usize = 64;
292
293impl Store {
294    pub fn new() -> Self {
295        Store::default()
296    }
297
298    /// Refresh the coarse cached clock (`Self::cached_ns`) from a single
299    /// `Instant::now()`. Call once per reactor-loop batch / reaper tick; the
300    /// per-access read path then skips its own clock read. Lazy expiry is
301    /// coarse to this cadence (a key expires ≤ one refresh-interval late,
302    /// never early — writes stamp deadlines from a fresh clock).
303    #[inline]
304    pub fn refresh_clock(&mut self) {
305        self.cached_ns = now_ns();
306    }
307
308    /// Enable/disable trusting the cached clock for lazy expiry (see
309    /// `Self::cached_ns`). Call with `true` only when something refreshes the
310    /// clock regularly (the server reactor per batch, the embedded background
311    /// reaper per tick); leave `false` for manual-reaper mode. Seeds the cache
312    /// when enabling so the first access is accurate.
313    #[inline]
314    pub fn set_cached_clock(&mut self, on: bool) {
315        self.cached_clock = on;
316        if on {
317            self.refresh_clock();
318        }
319    }
320
321    /// Install (or clear, with `maxmemory == 0`) the eviction limit and
322    /// policy. Cheap; safe to call repeatedly (e.g. on `CONFIG SET`).
323    #[inline]
324    pub fn set_max_memory(&mut self, maxmemory: u64, policy: EvictionPolicy) {
325        self.maxmemory = maxmemory;
326        self.eviction_policy = policy;
327    }
328
329    /// Install the runtime's bio-drop channel (v1.25 A.3 + A.2). Called
330    /// once from `kevy-rt::Runtime::run` per shard before the reactor
331    /// loop starts. After install, [`Self::maybe_offload_drop`] (invoked
332    /// from the SET overwrite fast path) accumulates oversize `Value`s
333    /// into a per-shard batch; the reactor calls
334    /// [`Self::flush_pending_drops`] at the end of every iter to ship
335    /// the batch in one mpsc send. Bounded the Axis I 10 KB SET p999/max
336    /// blow-up that synchronous `Box::<[u8]>::drop` of a jemalloc
337    /// large-class slot caused (see `kevy_rt::bio`).
338    #[inline]
339    pub fn set_bio_drop_sender(&mut self, sender: value::BioDropSender) {
340        self.bio_drop_sender = Some(sender);
341    }
342
343    /// Accumulate `old` into the per-shard bio-drop batch buffer
344    /// ([`Store::pending_drops`]) if it's heap-heavy AND a bio channel
345    /// is installed. Otherwise drop inline. The hot path is one branch
346    /// on `bio_drop_sender.is_none()` followed by the variant-cheap
347    /// [`Value::is_heap_heavy`] check; for the `Value::Str(SmallBytes)`
348    /// steady state of typical bench shapes the inline-drop path is
349    /// preserved unchanged.
350    ///
351    /// **v1.25 A.2 batch model**: per-send mpsc cost (atomic +
352    /// cross-thread cacheline) is amortised across the batch by
353    /// [`Self::flush_pending_drops`], which the reactor calls once per
354    /// iter. Force-flushes here when the buffer hits
355    /// [`MAX_PENDING_DROPS`] to bound RAM in-flight.
356    #[inline]
357    pub(crate) fn maybe_offload_drop(&mut self, old: Value) {
358        if self.bio_drop_sender.is_none() {
359            // No channel (bare Store / embedded reaper / tests): the
360            // Value falls out of scope and drops inline. Same
361            // behaviour as v1.24.
362            drop(old);
363            return;
364        }
365        if !old.is_heap_heavy() {
366            // Under-threshold: jemalloc small-class free is sub-µs.
367            // The Vec::push + force-flush branch costs more than the
368            // inline free for this size — leave it inline.
369            drop(old);
370            return;
371        }
372        self.pending_drops.push(Box::new(old));
373        if self.pending_drops.len() >= MAX_PENDING_DROPS {
374            self.flush_pending_drops();
375        }
376    }
377
378    /// Ship the per-shard bio-drop batch buffer to the bio thread in
379    /// one mpsc send. Called from `kevy-rt`'s reactor loop at the end
380    /// of every iteration (both the epoll `Shard::run` and the io_uring
381    /// `Shard::run_uring` paths, just before the AOF fsync window so a
382    /// pending fsync stall doesn't pin a batch-ful of heavy values in
383    /// per-shard memory).
384    ///
385    /// Empty-buffer fast path: zero work, predictable not-taken
386    /// branch. Reactor calls this unconditionally per iter; the steady-
387    /// state cost for a no-SET-overwrite iter is one length check.
388    ///
389    /// `SendError` here means the bio thread has exited (shutdown
390    /// territory — `Runtime::run` has dropped its sender AFTER the
391    /// shard threads joined). Drop the batch inline; the `SendError`
392    /// payload carries the `Vec` back so its `Box<Value>`s run their
393    /// Drop here, preserving correctness.
394    #[inline]
395    pub fn flush_pending_drops(&mut self) {
396        if self.pending_drops.is_empty() {
397            return;
398        }
399        let tx = match self.bio_drop_sender.as_ref() {
400            Some(tx) => tx,
401            // Shouldn't happen — caller (`maybe_offload_drop`) only
402            // pushes when the sender exists. Defensive: if a future
403            // refactor invokes `flush_pending_drops` from somewhere
404            // unconditional, drop the batch inline.
405            None => {
406                self.pending_drops.clear();
407                return;
408            }
409        };
410        let batch = std::mem::take(&mut self.pending_drops);
411        if let Err(_send_err) = tx.send(batch) {
412            // Bio thread is gone (shutdown). The SendError carries
413            // the Vec, which drops here — every Box<Value> runs its
414            // Drop inline. Benign one-time stall during tear-down.
415        }
416    }
417
418    /// Live byte estimate (see field doc).
419    #[inline]
420    pub fn used_memory(&self) -> u64 {
421        self.used_memory
422    }
423
424    /// `used_memory` high-water mark since startup.
425    #[inline]
426    pub fn used_memory_peak(&self) -> u64 {
427        self.used_memory_peak
428    }
429
430    /// Configured `maxmemory` (0 = unlimited).
431    #[inline]
432    pub fn maxmemory(&self) -> u64 {
433        self.maxmemory
434    }
435
436    /// Configured eviction policy.
437    #[inline]
438    pub fn eviction_policy(&self) -> EvictionPolicy {
439        self.eviction_policy
440    }
441
442    /// Total keys evicted since startup.
443    #[inline]
444    pub fn evictions_total(&self) -> u64 {
445        self.evictions_total
446    }
447
448    /// Live keys carrying a TTL (`INFO keyspace`'s `expires=`). O(1) — reads
449    /// the maintained counter, not an O(n) scan (cf. [`Self::ttl_pending_count`]).
450    #[inline]
451    pub fn expires_count(&self) -> usize {
452        self.expires as usize
453    }
454
455    /// Apply a signed delta to the [`Self::expires`] counter, clamped at 0.
456    /// Centralises the saturating arithmetic for every TTL-transition site.
457    #[inline]
458    pub(crate) fn adjust_expires(&mut self, delta: i64) {
459        if delta != 0 {
460            self.expires = (self.expires as i64 + delta).max(0) as u64;
461        }
462    }
463
464    /// `WATCH` — record this key in the version tracker and return its
465    /// current version. Subsequent writes on this shard bump the version
466    /// via [`Self::bump_if_watched`]. Caller (the conn's origin shard)
467    /// stores the returned version; `EXEC` later asks every owning shard
468    /// "is the version still N?" via [`Self::key_version`].
469    ///
470    /// Keys that have never been written stay at version 0 — the first
471    /// write after a `WATCH` bumps to 1, which is what makes the "dirty"
472    /// comparison work (stored 0 ≠ current 1 ⇒ abort EXEC).
473    pub fn record_watch(&mut self, key: &[u8]) -> u64 {
474        *self
475            .watch_versions
476            .entry(key.to_vec())
477            .or_insert(0)
478    }
479
480    /// Read-only version lookup used by `EXEC`'s pre-execution check.
481    /// Returns `0` for keys never `WATCH`-ed (matches the initial value
482    /// `record_watch` would have inserted, so a `WATCH` → no-write →
483    /// `EXEC` sequence sees the stored 0 == current 0 and proceeds).
484    #[inline]
485    pub fn key_version(&self, key: &[u8]) -> u64 {
486        self.watch_versions.get(key).copied().unwrap_or(0)
487    }
488
489    /// Bump the version of `key` if (and only if) it has been `WATCH`-ed at
490    /// least once. Write-side call after every mutation. The empty check
491    /// runs BEFORE the key is hashed — the common nothing-watched case
492    /// pays one branch, not a guaranteed-miss probe.
493    #[inline]
494    pub fn bump_if_watched(&mut self, key: &[u8]) {
495        if self.watch_versions.is_empty() {
496            return;
497        }
498        if let Some(v) = self.watch_versions.get_mut(key) {
499            *v = v.wrapping_add(1);
500        }
501    }
502
503    /// Invalidate every watched key in one shot. Called from `FLUSHDB`
504    /// / `FLUSHALL` execution paths — every WATCH against this shard
505    /// must invalidate so a pending `EXEC` aborts.
506    pub fn bump_all_watched(&mut self) {
507        for v in self.watch_versions.values_mut() {
508            *v = v.wrapping_add(1);
509        }
510    }
511
512    /// Cached weight of `key` (dynamic part + [`ENTRY_OVERHEAD`]). Returns
513    /// `None` when the key is absent or expired (no implicit reap).
514    pub fn estimate_key_bytes(&self, key: &[u8]) -> Option<u64> {
515        self.map.get(key).map(|e| e.weight() + ENTRY_OVERHEAD)
516    }
517
518    /// O(1) precondition check the dispatch layer calls before every write
519    /// command. Returns `Err(OutOfMemory)` only when `maxmemory > 0`, the
520    /// budget is already over, AND the policy is `NoEviction` (Redis
521    /// behaviour). All other policies let the write proceed and recover via
522    /// [`Self::try_evict_after_write`].
523    #[inline]
524    pub fn precheck_for_write(&self) -> Result<(), StoreError> {
525        if self.maxmemory == 0 || self.used_memory <= self.maxmemory {
526            return Ok(());
527        }
528        if self.eviction_policy == EvictionPolicy::NoEviction {
529            return Err(StoreError::OutOfMemory);
530        }
531        Ok(())
532    }
533
534    /// Run after every write command. No-op when disabled or under budget;
535    /// otherwise samples per [`Self::eviction_policy`] and removes keys until
536    /// back under `maxmemory` or no eligible candidate remains. Returns the
537    /// number of keys evicted (0 on the common fast path).
538    #[inline]
539    pub fn try_evict_after_write(&mut self) -> usize {
540        if self.maxmemory == 0 || self.used_memory <= self.maxmemory {
541            return 0;
542        }
543        evict::evict_until_under_limit(self)
544    }
545
546}
547
548/// Apply a signed delta to a `u64` (saturating both directions). Used by
549/// `Store::account_delta` / `reweigh_entry` so the in-place mutators don't
550/// have to repeat the same overflow-guarded match.
551#[inline]
552pub(crate) fn apply_delta(v: &mut u64, delta: i64) {
553    if delta >= 0 {
554        *v = v.saturating_add(delta as u64);
555    } else {
556        *v = v.saturating_sub((-delta) as u64);
557    }
558}
559
560/// Heap bytes a `SmallBytes`-encoded key would own (`&[u8]` mirror of
561/// `SmallBytes::heap_bytes`; 22-byte inline boundary per `kevy-bytes`).
562#[inline]
563pub(crate) fn key_heap_bytes_for(key: &[u8]) -> u64 {
564    if key.len() <= 22 { 0 } else { key.len() as u64 }
565}
566
567#[cfg(test)]
568mod tests;
569#[cfg(test)]
570mod tests_memory;
571#[cfg(test)]
572mod tests_snapshot;