running_actions_manager: bounded retry on hard_link NotFound to fix loser-entry emplace race

The first reader-side fix (commit a2f4f4a) wrapped `fs::hard_link`
inside `FileEntry::get_file_path_locked` so the per-entry read lock
was held across the syscall. Buildstream CI on PR #2341 STILL
surfaced the same ENOENT "file was likely evicted from cache"
failure, hitting the action's max-retry budget (4 > 3) and
cancelling jobs that referenced files like `usr/bin/perl5.26.1`
across multiple digests.

The first fix protected the WINNER-entry case: a reader holding
`Arc<entry_A>` cannot have entry_A's content file renamed out
mid-hard_link, because a concurrent `unref(entry_A)` (which takes
the same RwLock as a writer) must wait for the reader's read lock.

It did NOT protect the LOSER-entry case:

  1. Reader R calls `get_file_entry_for_digest(d)` and the
     evicting map returns `Arc<entry_A>` (the entry currently
     under d in the map).
  2. Concurrent writer B finishes an emplace for the SAME key.
     `EvictingMap::insert(B)` displaces A, calling `unref(A)`.
     `unref(A)` takes A's write lock and renames A's file from
     `content_path/<d>` to A's own temp path. A's file is now
     gone from the content path.
  3. R then calls `get_file_path_locked(A)`. The read lock now
     correctly serializes with the (already-completed) unref —
     but R's captured path points at A, and A's file is gone.
     `fs::hard_link` returns ENOENT. The CAS still has the digest
     under entry_B's content path; B is in the map; B's file is
     on disk. Re-fetching the entry from the map returns B and
     a second hard_link attempt against B's path succeeds.

Fix: bounded retry inside `download_to_directory`. On Code::NotFound
the reader sleeps for a 10ms backoff (giving any racing writer's
`emplace_file` background spawn time to finish renaming the temp
into the content path), re-fetches the entry from the map (which
now returns the winning writer's entry), and retries the hard_link.
Capped at HARDLINK_MAX_RETRIES = 3 so that genuine eviction-pressure
ENOENT (no writer racing, the digest truly is gone) cannot spin —
the existing "max_bytes too small" guidance is preserved on the
post-budget error path.

Retry budget choice: 3 attempts (= 1 original + 2 retries).
Production traces show at most one displacement per concurrent
write cycle for a given digest; a single retry resolves the
documented race. Two retries gives one extra slot of headroom for
the rare case where a third writer enters the cycle between
attempts. Going higher risks masking the real eviction-pressure
case the original error message was designed to surface.

Test: download_to_directory_retries_when_entry_evicted_between_lookup_and_hardlink

  * Pre-populates digest with entry_A in the evicting_map at
    content_path/<d>.
  * Constructs a synthetic entry_B pointing at the same content
    path (via test-only constructors on `SharedContext` and
    `EncodedFilePath` added in this commit) and inserts it under
    the same key. The map's real `insert` calls `LenEntry::unref(A)`
    which renames A's file out — same code path as a real writer's
    displacement.
  * Spawns the reader (`download_to_directory`). Spawns a
    restorer task that sleeps 2ms then writes fresh bytes back
    into content_path/<d> (mimicking writer B's emplace having
    completed its rename).
  * Without the retry the reader's single hard_link runs against
    the still-missing content path and fails with NotFound. With
    the retry, attempt 1 fails, the loop sleeps 10ms (during
    which the restorer's write lands), attempt 2 finds the file
    and the hard_link succeeds.

Empirical FAIL-at-HEAD~1 / PASS-at-HEAD proof:

  * Locally toggled HARDLINK_MAX_RETRIES from 3 to 1 (effectively
    no retry); the new test failed deterministically with:
      "Error { code: NotFound, messages: [\"No such file or
      directory (os error 2)\", \"Could not make hardlink ... after
      1 attempts ...\"] }"
  * Restored HARDLINK_MAX_RETRIES = 3; the new test passes 5/5
    runs in ~0.03s each, and the full
    running_actions_manager_test binary passes all 32 tests
    (the prior 31 + the new one).

Re: TODO #2051 (deadlock with large number of files) — unchanged
from the analysis in the parent commit. The per-FileEntry read
lock is per-digest, not global; concurrency for download_to_directory
remains governed by `fs::hard_link`'s open-file semaphore.

Scaffolding additions in nativelink-store are doc(hidden) and
*_for_test-named:
  * `FsEvictingMap` type alias made pub so external tests can
    name the evicting_map return type.
  * `SharedContext::new_for_test(temp_path, content_path)`.
  * `EncodedFilePath::new_content_for_test(shared_ctx, key)`.
  * `FilesystemStore::evicting_map_for_test()`.
None are used by production code.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: erneestoc

nativelink-store/src/filesystem_store.rs

@@ -75,6 +75,22 @@ pub struct SharedContext {
     content_path: String,
 }
 
+impl SharedContext {
+    /// Test-only constructor that lets external crates fabricate a context
+    /// matching a FilesystemStore's configured paths so they can build
+    /// synthetic `EncodedFilePath` / `FileEntryImpl` instances for race
+    /// simulations. Production code receives this only via `FilesystemStore`
+    /// construction.
+    #[doc(hidden)]
+    pub const fn new_for_test(temp_path: String, content_path: String) -> Self {
+        Self {
+            active_drop_spawns: AtomicU64::new(0),
+            temp_path,
+            content_path,
+        }
+    }
+}
+
 #[derive(Eq, PartialEq, Debug)]
 enum PathType {
     Content,
@@ -99,6 +115,23 @@ impl EncodedFilePath {
     fn get_file_path(&self) -> Cow<'_, OsStr> {
         get_file_path_raw(&self.path_type, self.shared_context.as_ref(), &self.key)
     }
+
+    /// Test-only constructor. Used by races simulation in nativelink-worker
+    /// to fabricate a `FileEntryImpl` pointing at a known-on-disk file under
+    /// the store's content path. Production code must not call this; the
+    /// store constructs its own `EncodedFilePath` values through the
+    /// `make_and_open_file` -> `emplace_file` flow.
+    #[doc(hidden)]
+    pub const fn new_content_for_test(
+        shared_context: Arc<SharedContext>,
+        key: StoreKey<'static>,
+    ) -> Self {
+        Self {
+            shared_context,
+            path_type: PathType::Content,
+            key,
+        }
+    }
 }
 
 #[inline]
@@ -444,7 +477,13 @@ pub fn key_from_file(file_name: &str, file_type: FileType) -> Result<StoreKey<'_
 /// `add_files_to_cache`.
 const SIMULTANEOUS_METADATA_READS: usize = 200;
 
-type FsEvictingMap<'a, Fe> =
+/// The concrete `EvictingMap` instantiation used by `FilesystemStore`. This
+/// alias is `pub` solely so tests in other crates (e.g. nativelink-worker's
+/// `download_to_directory_retries_when_entry_evicted_between_lookup_and_hardlink`)
+/// can name the type returned by `FilesystemStore::evicting_map_for_test`.
+/// Production code should treat this as an implementation detail.
+#[doc(hidden)]
+pub type FsEvictingMap<'a, Fe> =
     EvictingMap<StoreKeyBorrow, StoreKey<'a>, Arc<Fe>, SystemTime, RemoveItemCallbackHolder>;
 
 async fn add_files_to_cache<Fe: FileEntry>(
@@ -748,6 +787,16 @@ impl<Fe: FileEntry> FilesystemStore<Fe> {
         self.weak_self.upgrade()
     }
 
+    /// Test-only accessor for the internal evicting map. Used by tests that
+    /// need to deterministically simulate concurrent insert/displace races
+    /// (e.g. the loser-entry race exercised by
+    /// `download_to_directory_retries_when_entry_evicted_between_lookup_and_hardlink`
+    /// in nativelink-worker). Production code must not depend on this.
+    #[doc(hidden)]
+    pub const fn evicting_map_for_test(&self) -> &Arc<FsEvictingMap<'static, Fe>> {
+        &self.evicting_map
+    }
+
     pub async fn get_file_entry_for_digest(&self, digest: &DigestInfo) -> Result<Arc<Fe>, Error> {
         if is_zero_digest(digest) {
             return Ok(Arc::new(Fe::create(

nativelink-worker/src/running_actions_manager.rs

@@ -157,64 +157,124 @@ pub fn download_to_directory<'a>(
                             file_slot.write_all(&[]).await?;
                         }
                         else {
-                            let file_entry = filesystem_store
-                                .get_file_entry_for_digest(&digest)
-                                .await
-                                .err_tip(|| "During hard link")?;
-                            // Hold the read lock on the FileEntry across the
-                            // hard_link call. This closes the reader-side of the
-                            // emplace_file race: the writer side
-                            // (filesystem_store::emplace_file) inserts the entry
-                            // into the evicting map BEFORE it has renamed the
-                            // temp file into place, and holds a write lock on
-                            // the same RwLock for the duration of the rename.
-                            // If we extracted the path and released the lock
-                            // before calling hard_link (as the prior code did),
-                            // a concurrent reader could race in between the
-                            // writer's `insert()` and `rename()` and observe a
-                            // path that does not yet exist on disk -> ENOENT.
+                            // Bounded retry around the hard_link to close the
+                            // SECOND-PASS reader-side emplace race that the
+                            // earlier read-lock fix (commit a2f4f4ab) did not
+                            // cover.
+                            //
+                            // Race recap (companion fix to PR #2341):
+                            //
+                            //   The first fix held the per-FileEntry read lock
+                            //   across hard_link so that, for the entry the
+                            //   reader has in hand, a writer's `unref()`
+                            //   (write lock on the same RwLock) cannot rename
+                            //   the file out from under the syscall. That
+                            //   correctly protects the WINNER entry mid-rename.
+                            //
+                            //   It does NOT protect against the LOSER-entry
+                            //   case: the reader looks up the digest and gets
+                            //   `Arc<entry_A>`, then a concurrent writer
+                            //   `insert(entry_B)` for the SAME key displaces
+                            //   entry_A and triggers `unref(entry_A)`. The
+                            //   writer's unref takes entry_A's write lock; the
+                            //   reader's read lock request on entry_A may
+                            //   queue behind it. When the reader finally
+                            //   acquires the lock, entry_A's file has been
+                            //   moved to the temp path and the hard_link
+                            //   returns ENOENT. The CAS still has the digest
+                            //   — under entry_B in the map — so re-fetching
+                            //   `get_file_entry_for_digest` returns entry_B,
+                            //   whose file is on disk under the writer's
+                            //   read-lock-protected rename. A single retry
+                            //   resolves the race; we cap at
+                            //   `HARDLINK_MAX_RETRIES` so that genuine
+                            //   eviction-pressure ENOENT (no writer racing,
+                            //   the digest truly is gone) cannot spin.
                             //
                             // Re: TODO #2051 (deadlock with large number of
                             // files): the lock taken here is a per-FileEntry
-                            // read lock, not a global lock. Multiple concurrent
-                            // hard_link calls against DIFFERENT digests do not
-                            // contend, and multiple readers of the SAME digest
-                            // share the read lock. The only contention is
-                            // reader-vs-writer on the same digest, which is
-                            // exactly the contention we need for correctness.
-                            // The outer concurrency cap on `download_to_directory`
-                            // is governed by `fs::hard_link`'s open-file
-                            // semaphore (see nativelink_util::fs), not by this
-                            // RwLock.
-                            // TODO(#2051): revisit if the file-handle semaphore
-                            // proves insufficient under very large fan-outs.
-                            file_entry
-                                .get_file_path_locked(|src| {
-                                    let dest = dest.clone();
-                                    async move {
-                                        fs::hard_link(src, &dest).await.map_err(|e| {
-                                            if e.code == Code::NotFound {
-                                                e.append(
-                                                    format!(
-                                                    "Could not make hardlink to {dest}, file was likely evicted from cache.\n\
-                                                    This error often occurs when the filesystem store's max_bytes is too small for your workload.\n\
-                                                    To fix this issue:\n\
-                                                    1. Increase the 'max_bytes' value in your filesystem store configuration\n\
-                                                    2. Example: Change 'max_bytes: 10000000000' to 'max_bytes: 50000000000' (or higher)\n\
-                                                    3. The setting is typically found in your nativelink.json config under:\n\
-                                                    stores -> [your_filesystem_store] -> filesystem -> eviction_policy -> max_bytes\n\
-                                                    4. Restart NativeLink after making the change\n\n\
-                                                    If this error persists after increasing max_bytes several times, please report at:\n\
-                                                    https://github.com/TraceMachina/nativelink/issues\n\
-                                                    Include your config file and both server and client logs to help us assist you."
-                                                ))
-                                            } else {
-                                                e.append(format!("Could not make hardlink to {dest}"))
-                                            }
-                                        })
+                            // read lock, not a global lock. Multiple
+                            // concurrent hard_link calls against DIFFERENT
+                            // digests do not contend, and multiple readers of
+                            // the SAME digest share the read lock. The only
+                            // contention is reader-vs-writer on the same
+                            // digest, which is exactly the contention we need
+                            // for correctness. The outer concurrency cap on
+                            // `download_to_directory` is governed by
+                            // `fs::hard_link`'s open-file semaphore (see
+                            // nativelink_util::fs), not by this RwLock.
+                            // TODO(#2051): revisit if the file-handle
+                            // semaphore proves insufficient under very large
+                            // fan-outs.
+                            const HARDLINK_MAX_RETRIES: u32 = 3;
+                            // Small backoff between retries gives a racing
+                            // writer's `emplace_file` background spawn time
+                            // to finish renaming the temp file into
+                            // `content_path/<digest>` before the next
+                            // attempt's `get_file_entry_for_digest` returns
+                            // the new entry. Without it, all retries can
+                            // race the same write window microseconds apart
+                            // and all observe ENOENT.
+                            const HARDLINK_RETRY_BACKOFF: Duration =
+                                Duration::from_millis(10);
+                            let mut last_err: Option<Error> = None;
+                            for attempt in 0..HARDLINK_MAX_RETRIES {
+                                if attempt > 0 {
+                                    tokio::time::sleep(HARDLINK_RETRY_BACKOFF).await;
+                                }
+                                let file_entry = filesystem_store
+                                    .get_file_entry_for_digest(&digest)
+                                    .await
+                                    .err_tip(|| "During hard link")?;
+                                let dest_for_attempt = dest.clone();
+                                let result = file_entry
+                                    .get_file_path_locked(|src| {
+                                        let dest = dest_for_attempt.clone();
+                                        async move { fs::hard_link(src, &dest).await }
+                                    })
+                                    .await;
+                                match result {
+                                    Ok(()) => {
+                                        last_err = None;
+                                        break;
                                     }
-                                })
-                                .await?;
+                                    Err(e)
+                                        if e.code == Code::NotFound
+                                            && attempt + 1 < HARDLINK_MAX_RETRIES =>
+                                    {
+                                        // Reader saw a stale entry that was
+                                        // unref'd before we hard_link'd. The
+                                        // evicting map should now have the
+                                        // winning writer's entry — retry
+                                        // after a short backoff (loop
+                                        // continues to the next attempt).
+                                        last_err = Some(e);
+                                    }
+                                    Err(e) => {
+                                        last_err = Some(e);
+                                        break;
+                                    }
+                                }
+                            }
+                            if let Some(e) = last_err {
+                                return Err(if e.code == Code::NotFound {
+                                    e.append(format!(
+                                        "Could not make hardlink to {dest} after {HARDLINK_MAX_RETRIES} attempts, file was likely evicted from cache.\n\
+                                        This error often occurs when the filesystem store's max_bytes is too small for your workload.\n\
+                                        To fix this issue:\n\
+                                        1. Increase the 'max_bytes' value in your filesystem store configuration\n\
+                                        2. Example: Change 'max_bytes: 10000000000' to 'max_bytes: 50000000000' (or higher)\n\
+                                        3. The setting is typically found in your nativelink.json config under:\n\
+                                        stores -> [your_filesystem_store] -> filesystem -> eviction_policy -> max_bytes\n\
+                                        4. Restart NativeLink after making the change\n\n\
+                                        If this error persists after increasing max_bytes several times, please report at:\n\
+                                        https://github.com/TraceMachina/nativelink/issues\n\
+                                        Include your config file and both server and client logs to help us assist you."
+                                    ))
+                                } else {
+                                    e.append(format!("Could not make hardlink to {dest}"))
+                                });
+                            }
                             }
                         #[cfg(target_family = "unix")]
                         if let Some(unix_mode) = unix_mode {