indexbus_platform_core/

lifecycle.rs

//! Lifecycle + supervision primitives.
//!
//! This module provides a small set of **std-only** coordination helpers intended for
//! long-running services:
//!
//! - [`Shutdown`](crate::lifecycle::Shutdown) / [`ShutdownToken`](crate::lifecycle::ShutdownToken):
//!   cooperative shutdown signaling.
//! - [`Supervisor`](crate::lifecycle::Supervisor): spawn and join supervised threads, optionally
//!   restartable with backoff.
//!
//! ## Contracts
//!
//! - These primitives coordinate *control flow* (shutdown / join), not data synchronization.
//! - Child tasks must be written to observe shutdown and return in a bounded amount of time.
//! - `Supervisor::join_all` drains the supervisor's child list; it is intended to be called once.

use crate::errors::{Error, Result};

use core::time::Duration;

#[cfg(feature = "std")]
use std::{
    sync::{
        atomic::{AtomicBool, Ordering},
        Arc, Condvar, Mutex,
    },
    thread,
    thread::JoinHandle,
};

#[cfg(feature = "std")]
#[derive(Debug)]
struct ShutdownInner {
    flag: AtomicBool,
    mu: Mutex<()>,
    cv: Condvar,
}

#[cfg(feature = "std")]
impl ShutdownInner {
    fn new() -> Self {
        Self {
            flag: AtomicBool::new(false),
            mu: Mutex::new(()),
            cv: Condvar::new(),
        }
    }
}

/// A clonable shutdown token that tasks can poll or wait on.
///
/// **Contract:** this token is a cooperative cancellation primitive.
/// Tasks/threads are expected to poll [`ShutdownToken::is_shutdown`] and exit promptly when it
/// becomes `true`.
///
/// **Features:** waiting APIs require `std`.
#[derive(Clone, Debug)]
pub struct ShutdownToken {
    #[cfg(feature = "std")]
    inner: Arc<ShutdownInner>,
}

impl ShutdownToken {
    /// Returns `true` iff shutdown has been triggered.
    ///
    /// **Contract:** once `true`, this will remain `true` for the lifetime of the token.
    pub fn is_shutdown(&self) -> bool {
        #[cfg(feature = "std")]
        {
            self.inner.flag.load(Ordering::Acquire)
        }

        #[cfg(not(feature = "std"))]
        {
            false
        }
    }

    /// Block the current thread until shutdown is triggered.
    ///
    /// **Panics:** panics if the internal mutex is poisoned.
    #[cfg(feature = "std")]
    pub fn wait(&self) {
        if self.is_shutdown() {
            return;
        }

        let guard = self.inner.mu.lock().expect("shutdown mutex poisoned");
        let _guard = self
            .inner
            .cv
            .wait_while(guard, |_| !self.is_shutdown())
            .expect("shutdown mutex poisoned");
    }

    /// Block the current thread until shutdown is triggered, or the timeout elapses.
    ///
    /// Returns `true` if shutdown was observed.
    ///
    /// **Panics:** panics if the internal mutex is poisoned.
    #[cfg(feature = "std")]
    pub fn wait_timeout(&self, timeout: Duration) -> bool {
        if self.is_shutdown() {
            return true;
        }

        let guard = self.inner.mu.lock().expect("shutdown mutex poisoned");
        let (_guard, _timeout) = self
            .inner
            .cv
            .wait_timeout_while(guard, timeout, |_| !self.is_shutdown())
            .expect("shutdown mutex poisoned");
        self.is_shutdown()
    }
}

/// Shutdown coordinator.
///
/// A [`Shutdown`] can create many [`ShutdownToken`] clones; calling [`Shutdown::trigger`]
/// transitions the shutdown flag to "true" and wakes any threads blocked in
/// [`ShutdownToken::wait`] / [`ShutdownToken::wait_timeout`].
///
/// **Contract:** shutdown is one-way and idempotent.
pub struct Shutdown {
    #[cfg(feature = "std")]
    inner: Arc<ShutdownInner>,
}

impl Shutdown {
    /// Create a new shutdown coordinator.
    pub fn new() -> Self {
        #[cfg(feature = "std")]
        {
            let inner = Arc::new(ShutdownInner::new());
            Self { inner }
        }

        #[cfg(not(feature = "std"))]
        {
            Self {}
        }
    }

    /// Create a clonable token that can observe shutdown.
    pub fn token(&self) -> ShutdownToken {
        #[cfg(feature = "std")]
        {
            ShutdownToken {
                inner: self.inner.clone(),
            }
        }

        #[cfg(not(feature = "std"))]
        {
            ShutdownToken {}
        }
    }

    /// Trigger shutdown.
    ///
    /// Returns `true` if this call transitioned from not-shutdown to shutdown.
    ///
    /// **Notes:** this notifies all waiters even if shutdown was already triggered.
    pub fn trigger(&self) -> bool {
        #[cfg(feature = "std")]
        {
            let was = self.inner.flag.swap(true, Ordering::Release);

            // Wake any waiters. We always notify to avoid edge cases around late waits.
            self.inner.cv.notify_all();

            !was
        }

        #[cfg(not(feature = "std"))]
        {
            false
        }
    }
}

impl Default for Shutdown {
    fn default() -> Self {
        Self::new()
    }
}

/// Supervisor configuration.
///
/// **Contract:** values are validated by [`Supervisor::validate`].
#[derive(Debug, Clone, Copy)]
pub struct SupervisorConfig {
    /// Maximum number of restarts for restartable children.
    pub max_restarts: u32,

    /// Initial backoff when restarting a child.
    pub restart_backoff_initial: Duration,

    /// Maximum backoff when restarting a child.
    pub restart_backoff_max: Duration,
}

impl Default for SupervisorConfig {
    fn default() -> Self {
        Self {
            max_restarts: 10,
            restart_backoff_initial: Duration::from_millis(50),
            restart_backoff_max: Duration::from_secs(5),
        }
    }
}

#[cfg(feature = "std")]
struct SupervisorInner {
    cfg: SupervisorConfig,
    shutdown: Shutdown,
    children: Mutex<Vec<Child>>,
}

/// A supervised child.
#[cfg(feature = "std")]
#[derive(Debug)]
struct Child {
    name: String,
    join: JoinHandle<Result<()>>,
}

/// A minimal supervisor that coordinates shutdown and tracks child threads.
///
/// **Blessed pattern:**
/// - Create one [`Supervisor`] at process start.
/// - Spawn long-running threads with [`Supervisor::spawn_thread`] (or
///   [`Supervisor::spawn_restartable_thread`]), and exit the thread when shutdown is requested.
/// - On shutdown (signal / admin request), call [`Supervisor::shutdown_and_join`].
///
/// ## Error semantics
///
/// - A child thread that returns `Err` causes [`Supervisor::join_all`] to return `Err`.
/// - A child thread that panics also causes [`Supervisor::join_all`] to return `Err`.
///   When multiple children fail, errors are aggregated into a single message.
#[derive(Clone)]
pub struct Supervisor {
    #[cfg(feature = "std")]
    inner: Arc<SupervisorInner>,

    #[cfg(not(feature = "std"))]
    _private: (),
}

impl Supervisor {
    /// Create a new supervisor with the provided configuration.
    ///
    /// **Contract:** configuration is validated when spawning children.
    pub fn new(cfg: SupervisorConfig) -> Self {
        #[cfg(feature = "std")]
        {
            Self {
                inner: Arc::new(SupervisorInner {
                    cfg,
                    shutdown: Shutdown::new(),
                    children: Mutex::new(Vec::new()),
                }),
            }
        }

        #[cfg(not(feature = "std"))]
        {
            let _ = cfg;
            Self { _private: () }
        }
    }

    /// Get the supervisor configuration.
    pub fn config(&self) -> SupervisorConfig {
        #[cfg(feature = "std")]
        {
            self.inner.cfg
        }

        #[cfg(not(feature = "std"))]
        {
            SupervisorConfig::default()
        }
    }

    /// Access the supervisor's shutdown coordinator.
    pub fn shutdown(&self) -> Shutdown {
        #[cfg(feature = "std")]
        {
            Shutdown {
                inner: self.inner.shutdown.inner.clone(),
            }
        }

        #[cfg(not(feature = "std"))]
        {
            Shutdown::new()
        }
    }

    /// Convenience accessor for the supervisor shutdown token.
    pub fn token(&self) -> ShutdownToken {
        self.shutdown().token()
    }

    /// Validate the current configuration.
    ///
    /// **Errors:** returns [`Error`] if the configuration is internally inconsistent.
    pub fn validate(&self) -> Result<()> {
        let cfg = self.config();
        if cfg.max_restarts == 0 {
            return Err(Error::msg("max_restarts must be non-zero"));
        }
        if cfg.restart_backoff_initial.is_zero() {
            return Err(Error::msg("restart_backoff_initial must be non-zero"));
        }
        if cfg.restart_backoff_max < cfg.restart_backoff_initial {
            return Err(Error::msg(
                "restart_backoff_max must be >= restart_backoff_initial",
            ));
        }
        Ok(())
    }

    /// Spawn a supervised thread.
    ///
    /// **Contract:** the closure should return when it observes shutdown.
    ///
    /// **Errors:**
    /// - Returns an error if configuration validation fails.
    /// - Returns an error if the OS thread cannot be spawned.
    ///
    /// If the closure returns `Err`, [`Supervisor::join_all`] will return `Err`.
    #[cfg(feature = "std")]
    pub fn spawn_thread<F>(&self, name: impl Into<String>, f: F) -> Result<()>
    where
        F: FnOnce(ShutdownToken) -> Result<()> + Send + 'static,
    {
        self.validate()?;

        let name = name.into();
        let token = self.token();
        let join = thread::Builder::new()
            .name(name.clone())
            .spawn(move || f(token))
            .map_err(|e| Error::msg(format!("failed to spawn thread '{name}': {e}")))?;

        self.inner
            .children
            .lock()
            .expect("children mutex poisoned")
            .push(Child { name, join });
        Ok(())
    }

    /// Spawn a supervised thread that will be restarted with backoff on error.
    ///
    /// **Contract:**
    /// - The child exits successfully if shutdown is requested.
    /// - If the closure returns `Err` and shutdown is not requested, the supervisor sleeps for a
    ///   backoff duration and retries.
    ///
    /// **Errors:**
    /// - Returns an error if configuration validation fails.
    /// - Returns an error if the OS thread cannot be spawned.
    /// - Returns an error if the child exceeds `max_restarts`.
    #[cfg(feature = "std")]
    pub fn spawn_restartable_thread<F>(&self, name: impl Into<String>, f: F) -> Result<()>
    where
        F: Fn(ShutdownToken) -> Result<()> + Send + Sync + 'static,
    {
        self.validate()?;

        let name = name.into();
        let token = self.token();
        let cfg = self.config();

        let f = Arc::new(f);
        let name2 = name.clone();
        let join = thread::Builder::new()
            .name(name.clone())
            .spawn(move || {
                let mut restarts: u32 = 0;
                let mut backoff = cfg.restart_backoff_initial;

                loop {
                    if token.is_shutdown() {
                        return Ok(());
                    }

                    match (f)(token.clone()) {
                        Ok(()) => return Ok(()),
                        Err(e) => {
                            if token.is_shutdown() {
                                return Ok(());
                            }

                            if restarts >= cfg.max_restarts {
                                return Err(Error::msg(format!(
                                    "restartable child '{name2}' exceeded max_restarts ({}) after error: {e}",
                                    cfg.max_restarts
                                )));
                            }

                            restarts = restarts.saturating_add(1);
                            thread::sleep(backoff);
                            backoff = (backoff + backoff).min(cfg.restart_backoff_max);
                        }
                    }
                }
            })
            .map_err(|e| Error::msg(format!("failed to spawn thread '{name}': {e}")))?;

        self.inner
            .children
            .lock()
            .expect("children mutex poisoned")
            .push(Child { name, join });
        Ok(())
    }

    /// Join all supervised children.
    ///
    /// **Contract:** this drains the supervisor's child list. A subsequent call will join zero
    /// children and return `Ok(())`.
    ///
    /// **Errors:**
    /// - If any child returns an error, returns an aggregated [`Error`].
    /// - If any child panics, returns an aggregated [`Error`].
    #[cfg(feature = "std")]
    pub fn join_all(&self) -> Result<()> {
        let mut children = self.inner.children.lock().expect("children mutex poisoned");
        let mut errs: Vec<String> = Vec::new();

        for child in children.drain(..) {
            match child.join.join() {
                Ok(Ok(())) => {}
                Ok(Err(e)) => errs.push(format!("{}: {e}", child.name)),
                Err(panic) => errs.push(format!("{}: {}", child.name, Error::panic_message(panic))),
            }
        }

        if errs.is_empty() {
            Ok(())
        } else if errs.len() == 1 {
            Err(Error::msg(errs.remove(0)))
        } else {
            Err(Error::msg(format!(
                "multiple child failures:\n- {}",
                errs.join("\n- ")
            )))
        }
    }

    /// Convenience: trigger shutdown and then join all children.
    ///
    /// **Contract:** this is equivalent to calling [`Shutdown::trigger`] and then
    /// [`Supervisor::join_all`].
    #[cfg(feature = "std")]
    pub fn shutdown_and_join(&self) -> Result<()> {
        let _ = self.shutdown().trigger();
        self.join_all()
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[cfg(feature = "std")]
    use std::sync::atomic::{AtomicU32, Ordering as AtomicOrdering};

    #[cfg(feature = "std")]
    use std::sync::Arc;

    #[test]
    fn shutdown_token_observes_trigger() {
        let shutdown = Shutdown::new();
        let token = shutdown.token();

        assert!(!token.is_shutdown());
        assert!(shutdown.trigger());
        assert!(token.is_shutdown());
    }

    #[test]
    fn shutdown_trigger_is_idempotent() {
        let shutdown = Shutdown::new();
        let token = shutdown.token();

        assert!(shutdown.trigger());
        assert!(!shutdown.trigger());
        assert!(token.is_shutdown());
    }

    #[cfg(feature = "std")]
    #[test]
    fn shutdown_token_wait_unblocks() {
        let shutdown = Shutdown::new();
        let token = shutdown.token();

        let t = std::thread::spawn(move || {
            token.wait();
        });

        std::thread::sleep(Duration::from_millis(10));
        shutdown.trigger();
        t.join().unwrap();
    }

    #[test]
    fn supervisor_validate_rejects_zero_restarts() {
        let s = Supervisor::new(SupervisorConfig {
            max_restarts: 0,
            ..SupervisorConfig::default()
        });
        assert!(s.validate().is_err());
    }

    #[cfg(feature = "std")]
    #[test]
    fn supervisor_tracks_and_joins_children() {
        let sup = Supervisor::new(SupervisorConfig::default());
        let token = sup.token();

        let seen = Arc::new(AtomicU32::new(0));
        let seen2 = seen.clone();
        sup.spawn_thread("child", move |t| {
            while !t.is_shutdown() {
                std::hint::spin_loop();
            }
            seen2.store(1, AtomicOrdering::Release);
            Ok(())
        })
        .unwrap();

        assert!(!token.is_shutdown());
        sup.shutdown().trigger();
        sup.join_all().unwrap();
        assert_eq!(seen.load(AtomicOrdering::Acquire), 1);
    }

    #[cfg(feature = "std")]
    #[test]
    fn restartable_thread_restarts_then_succeeds() {
        let sup = Supervisor::new(SupervisorConfig {
            max_restarts: 3,
            restart_backoff_initial: Duration::from_millis(1),
            restart_backoff_max: Duration::from_millis(5),
        });

        let attempts = Arc::new(AtomicU32::new(0));
        let attempts2 = attempts.clone();

        sup.spawn_restartable_thread("restartable", move |_t| {
            let n = attempts2.fetch_add(1, AtomicOrdering::AcqRel);
            if n < 2 {
                return Err(Error::msg("boom"));
            }
            Ok(())
        })
        .unwrap();

        sup.join_all().unwrap();
        assert!(attempts.load(AtomicOrdering::Acquire) >= 3);
    }

    #[cfg(feature = "std")]
    #[test]
    fn restartable_thread_stops_after_exceeding_max_restarts() {
        let sup = Supervisor::new(SupervisorConfig {
            max_restarts: 1,
            restart_backoff_initial: Duration::from_millis(1),
            restart_backoff_max: Duration::from_millis(1),
        });

        let attempts = Arc::new(AtomicU32::new(0));
        let attempts2 = attempts.clone();

        sup.spawn_restartable_thread("restartable", move |_t| {
            attempts2.fetch_add(1, AtomicOrdering::AcqRel);
            Err(Error::msg("boom"))
        })
        .unwrap();

        let err = sup.join_all().unwrap_err();
        assert!(err.to_string().contains("exceeded max_restarts"));
        assert_eq!(attempts.load(AtomicOrdering::Acquire), 2);
    }

    #[cfg(feature = "std")]
    #[test]
    fn restartable_thread_exits_cleanly_on_shutdown() {
        let sup = Supervisor::new(SupervisorConfig {
            max_restarts: 100,
            restart_backoff_initial: Duration::from_millis(1),
            restart_backoff_max: Duration::from_millis(2),
        });

        // This child always errors when invoked; the supervisor loop should exit Ok once
        // shutdown is observed.
        sup.spawn_restartable_thread("restartable", move |_t| Err(Error::msg("boom")))
            .unwrap();

        sup.shutdown().trigger();
        sup.join_all().unwrap();
    }

    #[cfg(feature = "std")]
    #[test]
    fn join_all_aggregates_errors_and_panics() {
        let sup = Supervisor::new(SupervisorConfig::default());

        sup.spawn_thread("err", move |_t| Err(Error::msg("nope")))
            .unwrap();
        sup.spawn_thread("panic", move |_t| -> Result<()> { panic!("boom") })
            .unwrap();

        let err = sup.join_all().unwrap_err();
        let msg = err.to_string();
        assert!(
            msg.contains("multiple child failures")
                || msg.contains("err:")
                || msg.contains("panic:")
        );
        assert!(msg.contains("err"));
        assert!(msg.contains("panic"));
    }

    #[cfg(feature = "std")]
    #[test]
    fn shutdown_token_wait_timeout_times_out() {
        let shutdown = Shutdown::new();
        let token = shutdown.token();
        assert!(!token.wait_timeout(Duration::from_millis(5)));
    }
}