rate-limit: Add readers-writer lock to bucket table

Signed-off-by: Christian Pardillo Laursen <[email protected]>

Author: cplaursen

ocaml/libs/rate-limit/bucket_table.ml

@@ -12,33 +12,73 @@
  * GNU Lesser General Public License for more details.
  *)
 
-type t = (string, Token_bucket.t) Hashtbl.t
+type t = {
+    table: (string, Token_bucket.t) Hashtbl.t
+  ; mutable readers: int
+  ; reader_count: Mutex.t    (* protects readers count *)
+  ; resource: Mutex.t (* held collectively by readers, exclusively by writers *)
+}
 
-let create () = Hashtbl.create 16
+let with_lock = Xapi_stdext_threads.Threadext.Mutex.execute
 
-let add_bucket table ~user_agent ~burst_size ~fill_rate =
-  let bucket_option = Token_bucket.create ~burst_size ~fill_rate in
-  match bucket_option with
-  | Some bucket ->
-      Hashtbl.replace table user_agent bucket ;
-      true
-  | None ->
-      false
+let with_read_lock t f =
+  with_lock t.reader_count (fun () ->
+      t.readers <- t.readers + 1 ;
+      if t.readers = 1 then Mutex.lock t.resource
+  ) ;
+  Fun.protect f ~finally:(fun () ->
+      with_lock t.reader_count (fun () ->
+          t.readers <- t.readers - 1 ;
+          if t.readers = 0 then Mutex.unlock t.resource
+      )
+  )
 
-let delete_bucket table ~user_agent = Hashtbl.remove table user_agent
+let with_write_lock t f = with_lock t.resource f
 
-let try_consume table ~user_agent amount =
-  match Hashtbl.find_opt table user_agent with
-  | None ->
-      false
-  | Some bucket ->
-      Token_bucket.consume bucket amount
+let create () =
+  {
+      table= Hashtbl.create 10
+    ; readers= 0
+    ; reader_count= Mutex.create ()
+    ; resource= Mutex.create ()
+  }
+
+(* TODO: Indicate failure reason - did we get invalid config or try to add an
+   already present user_agent? *)
+let add_bucket t ~user_agent ~burst_size ~fill_rate =
+  with_write_lock t (fun () ->
+      if Hashtbl.mem t.table user_agent then
+        false
+      else
+        match Token_bucket.create ~burst_size ~fill_rate with
+        | Some bucket ->
+            Hashtbl.add t.table user_agent bucket ;
+            true
+        | None ->
+            false
+  )
+
+let delete_bucket t ~user_agent =
+  with_write_lock t (fun () -> Hashtbl.remove t.table user_agent)
+
+let try_consume t ~user_agent amount =
+  with_read_lock t (fun () ->
+      match Hashtbl.find_opt t.table user_agent with
+      | None ->
+          false
+      | Some bucket ->
+          Token_bucket.consume bucket amount
+  )
 
-let peek table ~user_agent =
-  Option.map Token_bucket.peek (Hashtbl.find_opt table user_agent)
+let peek t ~user_agent =
+  with_read_lock t (fun () ->
+      Option.map Token_bucket.peek (Hashtbl.find_opt t.table user_agent)
+  )
 
-let consume_and_block table ~user_agent amount =
-  match Hashtbl.find_opt table user_agent with
+(* TODO this has fairness issues - fix with queue or similar *)
+let consume_and_block t ~user_agent amount =
+  let bucket_opt = with_read_lock t (fun () -> Hashtbl.find_opt t.table user_agent) in
+  match bucket_opt with
   | None ->
       ()
   | Some bucket ->

ocaml/libs/rate-limit/test/test_bucket_table.ml

@@ -126,33 +126,186 @@ let test_consume_and_block_nonexistent () =
   Alcotest.(check pass)
     "consume_and_block on nonexistent bucket should not block" () ()
 
-let test_concurrent_access () =
+let test_add_same_key_race () =
+  (* Test the check-then-act race in add_bucket.
+     add_bucket does: if not mem then add. Without locking, multiple threads
+     could all pass the mem check and try to add, but only one should succeed.
+     Note: OCaml 4's GIL makes races hard to trigger, but this test verifies
+     the invariant holds under concurrent access and would catch races if the
+     GIL is released at allocation points within the critical section. *)
+  let iterations = 500 in
+  let threads_per_iter = 10 in
+  let failures = ref 0 in
+  let failures_mutex = Mutex.create () in
+  for _ = 1 to iterations do
+    let table = Bucket_table.create () in
+    let success_count = ref 0 in
+    let count_mutex = Mutex.create () in
+    let barrier = ref 0 in
+    let barrier_mutex = Mutex.create () in
+    let threads =
+      Array.init threads_per_iter (fun _ ->
+          Thread.create
+            (fun () ->
+              (* Increment barrier and wait for all threads *)
+              Mutex.lock barrier_mutex ;
+              incr barrier ;
+              Mutex.unlock barrier_mutex ;
+              while
+                Mutex.lock barrier_mutex ;
+                let b = !barrier in
+                Mutex.unlock barrier_mutex ;
+                b < threads_per_iter
+              do
+                Thread.yield ()
+              done ;
+              (* All threads try to add the same key simultaneously *)
+              let success =
+                Bucket_table.add_bucket table ~user_agent:"contested_key"
+                  ~burst_size:10.0 ~fill_rate:1.0
+              in
+              if success then (
+                Mutex.lock count_mutex ;
+                incr success_count ;
+                Mutex.unlock count_mutex
+              )
+            )
+            ()
+      )
+    in
+    Array.iter Thread.join threads ;
+    (* Exactly one thread should succeed in adding the key *)
+    if !success_count <> 1 then (
+      Mutex.lock failures_mutex ;
+      incr failures ;
+      Mutex.unlock failures_mutex
+    )
+  done ;
+  Alcotest.(check int)
+    "Exactly one add should succeed for same key (across all iterations)" 0
+    !failures
+
+let test_concurrent_add_delete_stress () =
+  (* Stress test: rapidly add and delete entries.
+     Without proper locking, hashtable can get corrupted. *)
   let table = Bucket_table.create () in
-  let _ =
-    Bucket_table.add_bucket table ~user_agent:"agent1" ~burst_size:100.0
-      ~fill_rate:0.01
+  let iterations = 1000 in
+  let num_keys = 10 in
+  let errors = ref 0 in
+  let errors_mutex = Mutex.create () in
+  let add_threads =
+    Array.init 5 (fun t ->
+        Thread.create
+          (fun () ->
+            for i = 0 to iterations - 1 do
+              let key = Printf.sprintf "key%d" ((t * iterations + i) mod num_keys) in
+              let _ =
+                Bucket_table.add_bucket table ~user_agent:key ~burst_size:10.0
+                  ~fill_rate:1.0
+              in
+              ()
+            done
+          )
+          ()
+    )
   in
-  let successful_consumes = ref 0 in
-  let counter_mutex = Mutex.create () in
-  let threads =
-    Array.init 20 (fun _ ->
+  let delete_threads =
+    Array.init 5 (fun t ->
         Thread.create
           (fun () ->
-            let success =
-              Bucket_table.try_consume table ~user_agent:"agent1" 5.0
-            in
-            if success then (
-              Mutex.lock counter_mutex ;
-              incr successful_consumes ;
-              Mutex.unlock counter_mutex
-            )
+            for i = 0 to iterations - 1 do
+              let key = Printf.sprintf "key%d" ((t * iterations + i) mod num_keys) in
+              Bucket_table.delete_bucket table ~user_agent:key
+            done
           )
           ()
     )
   in
-  Array.iter Thread.join threads ;
+  let read_threads =
+    Array.init 5 (fun t ->
+        Thread.create
+          (fun () ->
+            for i = 0 to iterations - 1 do
+              let key = Printf.sprintf "key%d" ((t * iterations + i) mod num_keys) in
+              (* This should never crash, even if key doesn't exist *)
+              try
+                let _ = Bucket_table.peek table ~user_agent:key in
+                ()
+              with _ ->
+                Mutex.lock errors_mutex ;
+                incr errors ;
+                Mutex.unlock errors_mutex
+            done
+          )
+          ()
+    )
+  in
+  Array.iter Thread.join add_threads ;
+  Array.iter Thread.join delete_threads ;
+  Array.iter Thread.join read_threads ;
+  Alcotest.(check int) "No errors during concurrent operations" 0 !errors
+
+let test_consume_during_delete_race () =
+  (* Test that try_consume doesn't crash when bucket is being deleted.
+     Without proper locking, we could try to access a deleted bucket. *)
+  let iterations = 500 in
+  let errors = ref 0 in
+  let errors_mutex = Mutex.create () in
+  for _ = 1 to iterations do
+    let table = Bucket_table.create () in
+    let _ =
+      Bucket_table.add_bucket table ~user_agent:"target" ~burst_size:100.0
+        ~fill_rate:1.0
+    in
+    let barrier = ref 0 in
+    let barrier_mutex = Mutex.create () in
+    let consumer =
+      Thread.create
+        (fun () ->
+          Mutex.lock barrier_mutex ;
+          incr barrier ;
+          Mutex.unlock barrier_mutex ;
+          while
+            Mutex.lock barrier_mutex ;
+            let b = !barrier in
+            Mutex.unlock barrier_mutex ;
+            b < 2
+          do
+            Thread.yield ()
+          done ;
+          try
+            let _ = Bucket_table.try_consume table ~user_agent:"target" 1.0 in
+            ()
+          with _ ->
+            Mutex.lock errors_mutex ;
+            incr errors ;
+            Mutex.unlock errors_mutex
+        )
+        ()
+    in
+    let deleter =
+      Thread.create
+        (fun () ->
+          Mutex.lock barrier_mutex ;
+          incr barrier ;
+          Mutex.unlock barrier_mutex ;
+          while
+            Mutex.lock barrier_mutex ;
+            let b = !barrier in
+            Mutex.unlock barrier_mutex ;
+            b < 2
+          do
+            Thread.yield ()
+          done ;
+          Bucket_table.delete_bucket table ~user_agent:"target"
+        )
+        ()
+    in
+    Thread.join consumer ;
+    Thread.join deleter
+  done ;
   Alcotest.(check int)
-    "Exactly 20 consumes should succeed" 20 !successful_consumes
+    "No crashes during consume/delete race" 0 !errors
 
 let test =
   [
@@ -168,7 +321,9 @@ let test =
   ; ("Multiple agents", `Quick, test_multiple_agents)
   ; ("Consume and block", `Slow, test_consume_and_block)
   ; ("Consume and block nonexistent", `Quick, test_consume_and_block_nonexistent)
-  ; ("Concurrent access", `Quick, test_concurrent_access)
+  ; ("Add same key race", `Quick, test_add_same_key_race)
+  ; ("Concurrent add/delete stress", `Quick, test_concurrent_add_delete_stress)
+  ; ("Consume during delete race", `Quick, test_consume_during_delete_race)
   ]
 
 let () = Alcotest.run "Bucket table library" [("Bucket table tests", test)]