iris: add TASK_STATE_MISSING; stop worker-reconciled KILLED from cascading to jobs

[rjpower]

A StartTasks to PollTasks race could cause the worker to kill a just-submitted task as unexpected and echo KILLED on the next poll, which the controller promoted to JOB_STATE_KILLED and cascaded across the whole pool. This adds TASK_STATE_MISSING as a worker-only wire signal, pops reconciliation-killed attempts from self._tasks so subsequent polls report MISSING, and maps MISSING to WORKER_FAILED in the controller so the task retries via its preemption budget.

Fixes #5041

[claude]

Claude finished @rjpower's task in 12m 26s —— View job

---

Code review

No high-signal issues found. Checked for bugs, correctness, and AGENTS.md compliance.

What I verified

• Call-site signature changes are consistent:
  • _reconcile_expected_tasks return type changed from list[tuple[str, int]] to list[TaskAttempt]; both call sites (handle_heartbeat, handle_poll_tasks) updated.
  • _missing_task_status now requires error; the sole call site passes "Task not found on worker".
• del self._tasks[key] during iteration is safely wrapped with list(self._tasks.items()).
• New proto value TASK_STATE_MISSING = 11 is non-colliding and reflected in job_pb2.py and job_pb2.pyi.
• Controller-side translation (task_updates_from_proto) applies to both heartbeat and UpdateTaskStatus push paths (service.py:2642), so the MISSING→WORKER_FAILED mapping is uniform.
• Thread name uses attempt.task_id (a JobName); JobName.__str__ returns the canonical wire format, so the f-string produces the same value as before.
• The terminal-attempt guard in apply_task_updates (transitions.py:1823) drops late-arriving state updates on already-terminal attempts, which bounds the fix's exposure to push/heartbeat interleaving.
• test_heartbeat_without_adoption_reports_missing correctly exercises the not-found → MISSING path.
  • Branch: fix/missing-task-state-5041

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: c307c67747

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Delay removing unexpected attempts until kill is initiated

Deleting the attempt from self._tasks inside reconciliation before kill execution can misclassify successful work as missing. In the StartTasks→PollTasks race, an attempt can become terminal between this deletion and the later _kill_attempt(...) call; _kill_attempt then no-ops on terminal states, but the worker has already dropped tracking for that attempt. On the next poll (when the controller finally includes that task in expected_tasks), the worker reports MISSING, which the controller maps to WORKER_FAILED and retries, causing duplicate execution and potentially incorrect outcomes for short-lived tasks.

Useful? React with 👍 / 👎.

[ravwojdyla]

The transient/special TASK_STATE_MISSING feels a bit hacky - but I also don't have a better idea. Nice to have this improved!

[ravwojdyla]

We should log here, no? To leave trace for future debugging.

[rjpower]

yes, good call, I should do a pass and add a lot more logging to Iris in general.

[ravwojdyla]

I should do a pass and add a lot more logging to Iris in general.

+1

[rjpower]

@claude pls add logging as discussed in the comments.

[rjpower]

I think MISSING will make more sense with a followup PR. That should move us to something like:

• Remove the StartTask & StopTask
• Poll takes { tasks-to-start, tasks-that-should-be-running, tasks-to-stop }
• The worker does the same reconciliation we do now for heartbeats

If something isn't in the "running" set, then it really is missing, and we can log it as such. Maybe the previous RPC got dropped, or there's a worker bug, but either way we can flag the discrepancy. This will still be better than our old heartbeat loop because the task scheduling can happen at different cadence, and on demand.

Alternatively we can just move the Poll RPC onto the scheduler thread, removing the race condition. I'll file an issue to follow-up...

[claude]

Claude finished @rjpower's task in 3m 38s —— View job

---

Added logging on both ends of the MISSING → WORKER_FAILED path

• Read transitions.py context around line 207
• Reviewed worker.py reconciliation logging
• Added logger.info in task_updates_from_proto (transitions.py:210) on the MISSING → WORKER_FAILED translation, including task id, attempt id, and error
• Added logger.warning in _reconcile_expected_tasks (worker.py:856) when the worker emits MISSING because an expected task is not present locally — so we have a trace on the emit side too
• Ran ./infra/pre-commit.py --all-files --fix → OK
• Ran uv run pytest lib/iris/tests/cluster/worker/test_worker.py → 41 passed
• Ran uv run pytest lib/iris/tests/cluster/controller/test_transitions.py → 121 passed
• Committed and pushed as d789744d5

Only touched logging — no behavior changes. The reconciliation-kill log at worker.py:948-952 ("Killing task … no longer in expected_tasks") was already present, which together with the two new logs gives a clean trace: worker reconciles → worker emits MISSING → controller translates to WORKER_FAILED.
• Branch: fix/missing-task-state-5041

[rjpower]

I'm going to unify these 2 PRs into a cleaner approach...

[rjpower]

🤖 Superseded by #5090, which removes the race itself rather than translating its downstream effects: PollTasks now runs inline in the scheduling loop, so a poll's expected_tasks snapshot is always taken after the same iteration's StartTasks commits. The worker-reported MISSING translation in this PR is no longer needed for #5041, though the TASK_STATE_MISSING enum + translation could still be cherry-picked separately as a defensive signal for genuine worker state loss across restarts. Closing for now.