Module workload

Per-actor admission control for the HTTP server (MR-686 §VII.A).

The HTTP server’s previous global RwLock<Omnigraph> serialized every mutating request across all actors. PR 2 removes that lock — engine APIs are now &self, so concurrent calls from different actors can run against Arc<Omnigraph> simultaneously. Without admission control, one heavy actor can exhaust shared capacity (Lance I/O threads, manifest churn, network) and starve other actors.

This module provides:

  • Per-actor in-flight count cap: each actor has a tokio::sync::Semaphore with OMNIGRAPH_PER_ACTOR_INFLIGHT_MAX permits (default 16). try_acquire_owned() returns Err when exhausted; the server maps this to HTTP 429.

  • Per-actor in-flight byte budget: each actor accumulates an AtomicU64 byte estimate. Admission calls fetch_add(est_bytes) and then checks the result against byte_cap; a rejected request subtracts its estimate again (decrement-on-rejection), which keeps the check race-free. The server maps an over-budget result to HTTP 429 as well.

Counts are governed by the semaphore (race-free try_acquire_owned() enforces the cap atomically); bytes use fetch_add + decrement-on-rejection. Both checks are atomic compare-and-act, never load-then-act — the test actor_admission_race_does_not_exceed_cap pins this contract by spawning 32 concurrent try_admit calls against a cap of 16 and asserting exactly 16 succeed.
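The reserve-then-check pattern described above, as an added std-only sketch that is not this crate's code. ActorState, Guard, Reject, race and this try_admit signature are assumptions, and a plain atomic counter stands in for the tokio::sync::Semaphore so the example needs no async runtime.

```rust
use std::sync::atomic::{AtomicU64, AtomicUsize, Ordering::SeqCst};
use std::sync::Arc;

#[derive(Debug, PartialEq)]
pub enum Reject { InflightCap, ByteBudget }
// Hypothetical per-actor state; an atomic counter stands in for the semaphore.
pub struct ActorState { inflight: AtomicUsize, bytes: AtomicU64, inflight_cap: usize, byte_cap: u64 }

// Dropping the guard returns the count slot and the byte reservation.
pub struct Guard { actor: Arc<ActorState>, est_bytes: u64 }
impl Drop for Guard {
    fn drop(&mut self) {
        self.actor.bytes.fetch_sub(self.est_bytes, SeqCst);
        self.actor.inflight.fetch_sub(1, SeqCst);
    }
}

impl ActorState {
    pub fn new(inflight_cap: usize, byte_cap: u64) -> Arc<Self> {
        Arc::new(Self { inflight: AtomicUsize::new(0), bytes: AtomicU64::new(0), inflight_cap, byte_cap })
    }
    pub fn usage(&self) -> (usize, u64) { (self.inflight.load(SeqCst), self.bytes.load(SeqCst)) }
}

pub fn try_admit(actor: &Arc<ActorState>, est_bytes: u64) -> Result<Guard, Reject> {
    // Reserve first, then judge the value the reservation itself returned.
    if actor.inflight.fetch_add(1, SeqCst) >= actor.inflight_cap {
        actor.inflight.fetch_sub(1, SeqCst); // roll back on rejection
        return Err(Reject::InflightCap);
    }
    let before = actor.bytes.fetch_add(est_bytes, SeqCst);
    if before.saturating_add(est_bytes) > actor.byte_cap {
        actor.bytes.fetch_sub(est_bytes, SeqCst); // decrement-on-rejection
        actor.inflight.fetch_sub(1, SeqCst);
        return Err(Reject::ByteBudget);
    }
    Ok(Guard { actor: Arc::clone(actor), est_bytes })
}

// Constructed race: `callers` threads hit one actor and every guard is held
// until all of them have finished; returns how many were admitted.
pub fn race(cap: usize, callers: usize) -> usize {
    let actor = ActorState::new(cap, u64::MAX);
    let handles: Vec<_> = (0..callers)
        .map(|_| { let a = Arc::clone(&actor); std::thread::spawn(move || try_admit(&a, 1).ok()) })
        .collect();
    handles.into_iter().filter_map(|h| h.join().unwrap()).collect::<Vec<Guard>>().len()
}

fn main() { println!("admitted {} of 32", race(16, 32)); }
```

In this sketch the rollback makes rejections conservative: a caller can observe another caller's reservation that is about to be rolled back and be refused, but the caps are never exceeded.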

Acquisition order against the engine’s per-(table, branch) write queue: admission FIRST (the HTTP handler reserves capacity before calling into the engine), engine queue SECOND (acquired inside MutationStaging::commit_all). This composes cleanly because admission is a single per-actor count + budget check, never cross-actor; nothing the engine does can change a peer actor’s admission state.

Structs

AdmissionGuard
Drop-on-completion guard for an admitted request. Dropping releases the in-flight count permit (via Drop on the underlying semaphore permit) and decrements the actor’s byte counter.
WorkloadController
Server-side per-actor admission controller. Constructed once at server startup and shared via Arc<WorkloadController> on AppState.

Enums

RejectReason
Why a try_admit call returned Err. The server maps each variant to a specific HTTP response code; see WorkloadController docs.

Constants

DEFAULT_PER_ACTOR_BYTES_MAX
Default per-actor in-flight byte budget (4 GiB). Override via OMNIGRAPH_PER_ACTOR_BYTES_MAX.
DEFAULT_PER_ACTOR_INFLIGHT_MAX
Default per-actor in-flight count cap. Override via OMNIGRAPH_PER_ACTOR_INFLIGHT_MAX.