enforce strict recency invariants during ingestion

Author: zaidoon1

src/error.rs

@@ -20,6 +20,9 @@ pub enum Error {
     /// Some required files could not be recovered from disk
     Unrecoverable,
 
+    /// Ingestion could not start because required preconditions were not met
+    IngestionPreconditionFailed,
+
     /// Checksum mismatch
     ChecksumMismatch {
         /// Checksum of loaded block

src/tree/ingest.rs

@@ -8,6 +8,7 @@ use crate::{
     SeqNo, UserKey, UserValue,
 };
 use std::path::PathBuf;
+use std::sync::RwLockWriteGuard;
 
 pub const INITIAL_CANONICAL_LEVEL: usize = 1;
 
@@ -20,6 +21,7 @@ pub struct Ingestion<'a> {
     pub(crate) writer: MultiWriter,
     seqno: SeqNo,
     last_key: Option<UserKey>,
+    _ingestion_guard: RwLockWriteGuard<'a, ()>,
 }
 
 impl<'a> Ingestion<'a> {
@@ -29,6 +31,45 @@ impl<'a> Ingestion<'a> {
     ///
     /// Will return `Err` if an IO error occurs.
     pub fn new(tree: &'a Tree) -> crate::Result<Self> {
+        // Block concurrent writes and concurrent ingestions for the duration of this ingestion.
+        let ingestion_guard = tree.0.ingestion_lock.write().expect("lock is poisoned");
+
+        // If the active memtable has data, flush it first to preserve strict recency invariants
+        // for the read path (active > sealed > tables). This avoids overlapping in-memory state
+        // with newly ingested on-disk tables.
+        tree.flush_active_memtable(SeqNo::MAX)?;
+
+        // Flush any remaining sealed memtables synchronously into tables, then register them.
+        if tree.sealed_memtable_count() > 0 {
+            let sealed: Vec<(u64, std::sync::Arc<crate::Memtable>)> = {
+                let sv = tree
+                    .version_history
+                    .read()
+                    .expect("lock is poisoned")
+                    .latest_version();
+                sv.sealed_memtables
+                    .iter()
+                    .map(|(id, mt)| (*id, std::sync::Arc::clone(mt)))
+                    .collect()
+            };
+
+            let mut tables = Vec::with_capacity(sealed.len());
+            for (id, mt) in sealed {
+                if let Some((table, _blob)) = tree.flush_memtable(id, &mt, SeqNo::MAX)? {
+                    tables.push(table);
+                }
+            }
+            if !tables.is_empty() {
+                tree.register_tables(&tables, None, None)?;
+            }
+        }
+
+        // Ensure invariants are satisfied before proceeding with ingestion.
+        if tree.sealed_memtable_count() > 0 {
+            drop(ingestion_guard);
+            return Err(crate::Error::IngestionPreconditionFailed);
+        }
+
         let folder = tree.config.path.join(crate::file::TABLES_FOLDER);
         log::debug!("Ingesting into tables in {}", folder.display());
 
@@ -102,6 +143,7 @@ impl<'a> Ingestion<'a> {
             writer,
             seqno: 0,
             last_key: None,
+            _ingestion_guard: ingestion_guard,
         })
     }
 
@@ -250,3 +292,28 @@ impl<'a> Ingestion<'a> {
         Ok(())
     }
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use crate::{memtable::Memtable, SequenceNumberCounter};
+
+    #[test]
+    fn ingestion_fails_when_sealed_memtable_cannot_be_flushed() -> crate::Result<()> {
+        let dir = tempfile::tempdir()?;
+        let config = crate::config::Config::new(dir.path(), SequenceNumberCounter::default());
+        let tree = Tree::open(config)?;
+
+        // Inject an empty sealed memtable. Flushing this produces no table, so it remains sealed.
+        let id = tree.get_next_table_id();
+        tree.add_sealed_memtable(id, std::sync::Arc::new(Memtable::default()));
+
+        let err = match Ingestion::new(&tree) {
+            Ok(_) => panic!("expected IngestionPreconditionFailed"),
+            Err(e) => e,
+        };
+        assert!(matches!(err, crate::Error::IngestionPreconditionFailed));
+
+        Ok(())
+    }
+}

src/tree/inner.rs

@@ -59,6 +59,9 @@ pub struct TreeInner {
     /// can be concurrent next to each other.
     pub(crate) major_compaction_lock: RwLock<()>,
 
+    /// Prevents concurrent memtable writes during ingestion.
+    pub(crate) ingestion_lock: RwLock<()>,
+
     #[doc(hidden)]
     #[cfg(feature = "metrics")]
     pub metrics: Arc<Metrics>,
@@ -77,6 +80,7 @@ impl TreeInner {
             version_history: Arc::new(RwLock::new(SuperVersions::new(version))),
             stop_signal: StopSignal::default(),
             major_compaction_lock: RwLock::default(),
+            ingestion_lock: RwLock::default(),
             compaction_state: Arc::new(Mutex::new(CompactionState::default())),
 
             #[cfg(feature = "metrics")]

src/tree/mod.rs

@@ -81,55 +81,34 @@ impl AbstractTree for Tree {
 
     #[expect(clippy::significant_drop_tightening)]
     fn get_internal_entry(&self, key: &[u8], seqno: SeqNo) -> crate::Result<Option<InternalValue>> {
-        // Returns the newest visible version (`entry.seqno < seqno`) across all sources
-        // for the given snapshot watermark `seqno`:
-        // - Active memtable
-        // - Sealed memtables (newest-first)
-        // - Tables (newest-first)
-        // Ingestion can write newer versions directly to tables with an explicit `seqno`,
-        // so we compare seqnos across sources and keep the maximal visible version, then
-        // apply tombstone semantics once to that winner.
+        // Returns the newest visible version (`entry.seqno < seqno`) by consulting sources
+        // in recency order and returning on first hit: active memtable, sealed memtables,
+        // then tables (each scanned newest-first).
 
         let version_history_lock = self.version_history.read().expect("lock is poisoned");
         let super_version = version_history_lock.get_version_for_snapshot(seqno);
         // Avoid holding the read lock across potential I/O in table lookups
         drop(version_history_lock);
 
-        // 1) Active memtable (in-memory)
-        //    If it yields the maximal visible seqno (seqno-1), no source can be newer.
-        let mut best: Option<InternalValue> = super_version.active_memtable.get(key, seqno);
-        if let Some(ref b) = best {
-            if seqno > 0 && b.key.seqno + 1 == seqno {
-                return Ok(ignore_tombstone_value(b.clone()));
-            }
+        if let Some(entry) = super_version.active_memtable.get(key, seqno) {
+            return Ok(ignore_tombstone_value(entry));
         }
 
-        // 2) Sealed memtables (in-memory, newest-first)
-        //    If active memtable already has a hit, sealed memtables cannot be newer.
-        if best.is_none() {
-            if let Some(entry) =
-                Self::get_internal_entry_from_sealed_memtables(&super_version, key, seqno)
-            {
-                // Early-exit if sealed provided the maximal visible seqno.
-                if seqno > 0 && entry.key.seqno + 1 == seqno {
-                    return Ok(ignore_tombstone_value(entry));
-                }
-                best = Some(entry);
-            }
+        // Now look in sealed memtables
+        if let Some(entry) =
+            Self::get_internal_entry_from_sealed_memtables(&super_version, key, seqno)
+        {
+            return Ok(ignore_tombstone_value(entry));
         }
 
-        // 3) Tables (on-disk), scanned newest-first within each level/run
+        // Now look in tables... this may involve disk I/O
         if let Some(entry) =
             self.get_internal_entry_from_tables(&super_version.version, key, seqno)?
         {
-            match &best {
-                Some(b) if b.key.seqno >= entry.key.seqno => {}
-                _ => best = Some(entry),
-            }
+            return Ok(ignore_tombstone_value(entry));
         }
 
-        // Apply tombstone semantics after selecting the newest visible version
-        Ok(best.and_then(ignore_tombstone_value))
+        Ok(None)
     }
 
     fn current_version(&self) -> Version {
@@ -571,16 +550,19 @@ impl AbstractTree for Tree {
         value: V,
         seqno: SeqNo,
     ) -> (u64, u64) {
+        let _ingestion_guard = self.0.ingestion_lock.read().expect("lock is poisoned");
         let value = InternalValue::from_components(key, value, seqno, ValueType::Value);
         self.append_entry(value)
     }
 
     fn remove<K: Into<UserKey>>(&self, key: K, seqno: SeqNo) -> (u64, u64) {
+        let _ingestion_guard = self.0.ingestion_lock.read().expect("lock is poisoned");
         let value = InternalValue::new_tombstone(key, seqno);
         self.append_entry(value)
     }
 
     fn remove_weak<K: Into<UserKey>>(&self, key: K, seqno: SeqNo) -> (u64, u64) {
+        let _ingestion_guard = self.0.ingestion_lock.read().expect("lock is poisoned");
         let value = InternalValue::new_weak_tombstone(key, seqno);
         self.append_entry(value)
     }
@@ -915,6 +897,7 @@ impl Tree {
             stop_signal: StopSignal::default(),
             config,
             major_compaction_lock: RwLock::default(),
+            ingestion_lock: RwLock::default(),
             compaction_state: Arc::new(Mutex::new(CompactionState::default())),
 
             #[cfg(feature = "metrics")]

tests/ingestion_invariants.rs

@@ -0,0 +1,163 @@
+use std::sync::mpsc;
+use std::thread;
+use std::time::Duration;
+
+use lsm_tree::{AbstractTree, Config, KvSeparationOptions, SeqNo};
+
+#[test]
+fn ingestion_autoflushes_active_memtable() -> lsm_tree::Result<()> {
+    let folder = tempfile::tempdir()?;
+    let tree = Config::new(&folder, Default::default()).open()?;
+
+    // Write to active memtable
+    for i in 0..10u32 {
+        let k = format!("a{:03}", i);
+        tree.insert(k.as_bytes(), b"v", 1);
+    }
+
+    let tables_before = tree.table_count();
+    let sealed_before = tree.sealed_memtable_count();
+    assert_eq!(sealed_before, 0);
+
+    // Start ingestion (should auto-flush active)
+    tree.ingestion()?.with_seqno(10).finish()?;
+
+    // After ingestion, data is in tables; no sealed memtables
+    assert_eq!(tree.sealed_memtable_count(), 0);
+    assert!(tree.table_count() >= tables_before + 1);
+
+    // Reads must succeed from tables
+    for i in 0..10u32 {
+        let k = format!("a{:03}", i);
+        assert_eq!(
+            tree.get(k.as_bytes(), SeqNo::MAX)?,
+            Some(b"v".as_slice().into())
+        );
+    }
+
+    Ok(())
+}
+
+#[test]
+fn ingestion_flushes_sealed_memtables() -> lsm_tree::Result<()> {
+    let folder = tempfile::tempdir()?;
+    let tree = Config::new(&folder, Default::default()).open()?;
+
+    // Put items into active and seal them
+    for i in 0..8u32 {
+        let k = format!("s{:03}", i);
+        tree.insert(k.as_bytes(), b"x", 1);
+    }
+    assert!(tree.rotate_memtable().is_some());
+    assert!(tree.sealed_memtable_count() > 0);
+
+    let tables_before = tree.table_count();
+
+    // Ingestion should flush sealed memtables and register resulting tables
+    tree.ingestion()?.with_seqno(20).finish()?;
+
+    assert_eq!(tree.sealed_memtable_count(), 0);
+    assert!(tree.table_count() >= tables_before + 1);
+
+    for i in 0..8u32 {
+        let k = format!("s{:03}", i);
+        assert_eq!(
+            tree.get(k.as_bytes(), SeqNo::MAX)?,
+            Some(b"x".as_slice().into())
+        );
+    }
+
+    Ok(())
+}
+
+#[test]
+fn ingestion_blocks_memtable_writes_until_finish() -> lsm_tree::Result<()> {
+    let folder = tempfile::tempdir()?;
+    let tree = Config::new(&folder, Default::default()).open()?;
+
+    // Acquire ingestion and hold it to block writes
+    let ingest = tree.ingestion()?.with_seqno(5);
+
+    let (started_tx, started_rx) = mpsc::channel();
+    let (done_tx, done_rx) = mpsc::channel();
+    let tree2 = tree.clone();
+
+    let handle = thread::spawn(move || {
+        started_tx.send(()).ok();
+        // This insert should block until ingestion finishes (ingestion_lock is held)
+        tree2.insert(b"k_block", b"v", 6);
+        done_tx.send(()).ok();
+    });
+
+    // Wait for the writer thread to start the attempt
+    started_rx.recv().unwrap();
+
+    // Give it a moment; it should still be blocked
+    thread::sleep(Duration::from_millis(100));
+    assert!(
+        done_rx.try_recv().is_err(),
+        "insert should still be blocked"
+    );
+
+    // Finish ingestion to release the lock
+    ingest.finish()?;
+
+    // Now the insert should complete
+    handle.join().unwrap();
+    done_rx.recv_timeout(Duration::from_secs(1)).unwrap();
+
+    // Verify the write landed
+    assert_eq!(
+        tree.get(b"k_block", SeqNo::MAX)?,
+        Some(b"v".as_slice().into())
+    );
+
+    Ok(())
+}
+
+#[test]
+fn blob_ingestion_honors_invariants_and_blocks_writes() -> lsm_tree::Result<()> {
+    let folder = tempfile::tempdir()?;
+    let tree = Config::new(&folder, Default::default())
+        .with_kv_separation(Some(KvSeparationOptions::default().separation_threshold(1)))
+        .open()?;
+
+    // Write small values into memtable and then start blob ingestion
+    for i in 0..4u32 {
+        let k = format!("b{:03}", i);
+        tree.insert(k.as_bytes(), b"y", 1);
+    }
+
+    let (started_tx, started_rx) = mpsc::channel();
+    let (done_tx, done_rx) = mpsc::channel();
+    let tree2 = tree.clone();
+
+    let ingest = tree.ingestion()?.with_seqno(30);
+
+    // Concurrent write should block while ingestion is active
+    let handle = thread::spawn(move || {
+        started_tx.send(()).ok();
+        tree2.insert(b"b999", b"z", 31);
+        done_tx.send(()).ok();
+    });
+
+    started_rx.recv().unwrap();
+    thread::sleep(Duration::from_millis(100));
+    assert!(done_rx.try_recv().is_err());
+
+    ingest.finish()?;
+    handle.join().unwrap();
+    done_rx.recv_timeout(Duration::from_secs(1)).unwrap();
+
+    // Data visible after ingestion
+    for i in 0..4u32 {
+        let k = format!("b{:03}", i);
+        assert_eq!(
+            tree.get(k.as_bytes(), SeqNo::MAX)?,
+            Some(b"y".as_slice().into())
+        );
+    }
+    assert_eq!(tree.get(b"b999", SeqNo::MAX)?, Some(b"z".as_slice().into()));
+
+    Ok(())
+}