Struct Allocator 

pub struct Allocator { /* private fields */ }

Implementations

impl Allocator

pub fn new() -> Self

pub fn try_on_leadership_gained( &mut self, fence_floor: u64, committed_ceiling: u64, epoch: Epoch, ) -> Result<(), CoreError>

Seed the allocator once the failover fence has durably persisted both the floor and the pre-extended ceiling.

fence_floor is the first physical_ms the new leader may issue — the server sets it to prior_high_water + 1 so the new leader’s timestamps are strictly above any the prior leader could have issued.

committed_ceiling is the pre-extended upper bound the server has already persisted (typically fence_floor + window_ms). It must satisfy committed_ceiling >= fence_floor so the allocator can serve try_grant immediately without an additional extension round-trip.

pub fn on_leadership_lost(&mut self)

pub fn is_leader(&self) -> bool

pub fn epoch(&self) -> Option<Epoch>

pub fn committed_high_water(&self) -> Option<u64>

Current committed high-water in physical-millisecond units, or None when not the leader. The high-water is the upper bound the allocator will not exceed without a fresh try_commit_window_extension.

pub fn try_grant( &mut self, now_ms: u64, count: u32, ) -> Result<WindowGrant, CoreError>

Hot path. Issue count timestamps from the in-memory window.

Returns WindowExhausted when the in-memory remainder cannot cover the request; the caller (typically the server) then runs prepare → persist → commit and retries.

State is written back only on success: a failed grant (out-of-range or exhausted window) leaves next_physical_ms/next_logical untouched.

pub fn would_grant(&self, now_ms: u64, count: u32) -> bool

Non-mutating predicate: would try_grant(now_ms, count) succeed right now? Used by the server’s extension single-flight to decide whether a peer extender has already added enough room, avoiding a redundant persist_high_water round-trip. Delegates to the same project_grant helper try_grant uses, so the exhaustion check cannot drift — a coarser predicate would risk false positives (skip the extension, then fail the outer retry) for requests whose count straddles the window edge.

pub fn try_prepare_window_extension( &self, now_ms: u64, ahead_ms: u64, ) -> Result<u64, CoreError>

Compute the high-water value the caller should durably persist before calling try_commit_window_extension. Does not mutate.

Returns max(committed_high_water + 1, now_ms) + ahead_ms. The +1 on committed_high_water guarantees forward progress when wall clock is behind the persisted bound (rare, but possible after a clock-step-back).

Returns Err(CoreError::NotLeader) off-leader, matching every other mutating method. A 0 sentinel here would be indistinguishable from a legitimately prepared bound, letting a caller that skipped is_leader() proceed as if preparation had succeeded.

pub fn try_commit_window_extension( &mut self, persisted_high_water: u64, expected_epoch: Epoch, ) -> Result<CommitOutcome, CoreError>

Apply a durably-persisted window extension. persisted_high_water is the value returned by ConsensusDriver::persist_high_water, which is monotonic — it may equal or exceed the value passed to prepare.

The expected_epoch argument fences out late-arriving commits from a prior leader epoch: if the allocator is no longer at this epoch (either it has lost leadership or a new leader took over), the commit is dropped. Combined with the server’s drain barrier, this guarantees a late persist from epoch N cannot raise the durable bound observed by epoch N+M.

Returns CommitOutcome: Applied when the bound advanced, or Ignored (with the reason) for the three benign drop cases. A value exceeding the 46-bit physical ceiling is an invariant violation, not a benign drop, so it stays Err(PhysicalMsOutOfRange).

Trait Implementations

impl Default for Allocator

fn default() -> Self

Returns the “default value” for a type.