[Scheduled Actions V2] Invoker logic

[lina-temporal]

What changed?

The Invoker (start workflow) logic is added for HSM scheduler.

A few differences between workflow scheduler and HSM scheduler execution logic:

• A ProcessBuffer task is 1:1 with a call to ProcessBuffer; draining is not attempted more than once on the same task.
• Any time processing indicates that a delay must be taken (rate limiter, exponential backoff..), another ProcessBuffer task is scheduled to wake after the delay. ProcessBuffer is used to drive retries.
  • In the event that some external event must occur for execution to continue (such as a running workflow closing), the Executor is transitioned to waiting/idle, and no further action will be taken until another state machine wakes it back up.
• Each BufferedStart has its own Attempt and BackoffTime to manage retries. The Execute task is therefore idempotent.
  • HSM Scheduler can therefore continue to accept API calls while a BufferedStart is retrying, and each individual BufferedStart can make retry progress without having to hold a workflow lock.
• startWorkflow, terminateWorkflow, and cancelWorkflow are no longer called within local activities. Instead, they are called with a short (5 sec) deadline within the Execute task.
• A single Execute task is generated whenever there are BufferedStarts, CancelWorkflows, or TerminateWorkflows available for execution. An Execute task will only ever make a single attempt on each work item before rescheduling a ProcessBuffer task.
  • Execute task completion will always schedule a ProcessBuffer task after completing work (unless the Execute task was a no-op). This is to avoid a race condition between reading the Invoker's current state, and choosing a transition (because applying a transition necessitates mutating the state field, which I'd rather just leave as-is).

Still missing in HSM Invoker:

• Workflow Watcher support. This is something we don't plan to touch until the CHASM port over.
  • This implies LastCompletionResult also isn't wired up
• Rate Limiter support

How did you test it?

• New tests
• go test -v && make lint

Potential risks

• HSM scheduler isn't presently deployed

[lina-temporal]

I'm not sure about how everyone else feels, but this name makes my eyes bleed. At the same time, I didn't want to be inconsistent with other HSM naming. Maybe the path of least resistance is to just use a few synonyms for this? Like, starterTaskExecutor (and rename the state machine to Starter.. or something like that). Really open to suggestions. Ditto for renaming the tasks. In general I'm not satisfied with the naming.

[bergundy]

It's not just a starter though, right? Will this also e.g. terminate workflows? You can call it an invoker maybe?

[lina-temporal]

True, it also terminates/cancels as needed. Invoker works for me!

[lina-temporal]

I don't think there's anything blocking me from passing the search attributes through to StartWorkflowExecution, I just hadn't closed off the TODO. Will follow up.

[bergundy]

Rate Limiter support. The existing rate limiter acts per-namespace (given it is part of per-NS worker), and I'm not sure of the right way to wire that into an HSM executor (which is scoped wider than a single namespace).

You can keep a rate limiter in the executor. If the rate limiter is out of tokens, you'll have to back off either by failing the task, or committing any pending progress and adding a persistent timer task. It's dependent on how long you need to wait for the next token. Do not wait on the rate limiter in the shared executor.

[bergundy]

Shouldn't this always be the time of the first buffered start (chronologically)? I'm a bit rusty on the details so please correct me if I'm wrong. I'm just worried that this will invalidate a pending task if the event's buffered starts are further in the future.

[lina-temporal]

Shouldn't this always be the time of the first buffered start (chronologically)?

Yes, it should; that's what Deadline gets set to. I suppose we could get rid of Deadline and just compute it within the transition, though, I'll make that change.

I'm just worried that this will invalidate a pending task if the event's buffered starts are further in the future.

Is only one pending timer task allowed? If so, yes, that could happen presently.

[bergundy]

nit:

Suggested change

	// Copyright (c) 2020 Temporal Technologies Inc. All rights reserved.
	//
	// Copyright (c) 2020 Uber Technologies, Inc.
	// Copyright (c) 2025 Temporal Technologies Inc. All rights reserved.

[lina-temporal]

I'll follow up in a separate PR with this since it's from make generate.

[bergundy]

It's not just a starter though, right? Will this also e.g. terminate workflows? You can call it an invoker maybe?

[bergundy]

Any reason to export this field?

[lina-temporal]

Nope, will fix.

[dnr]

It needed to be exported in the workflow impl because it was serialized as an local activity result. I don't know what's required here.

[bergundy]

Please stop grouping types, it's not a good practice. It generally messes with the generated docs.

[dnr]

Please stop recommending against a perfectly good style that's already pervasive in the codebase without a team agreement that we want to deprecate it.

[bergundy]

Does this actually drain the entire buffer? I only see one action being returned here. (I don't have deep familiarity with the code so will just defer to you to confirm).

[lina-temporal]

Does this actually drain the entire buffer? I only see one action being returned here.

It depends on the overlap policy; if something like OVERLAP_ALL is specified, it'll drain the buffer. It drains as much of the buffer as possible; I guess I could rename the calling function from drainBuffer to processBuffer as well.

[dnr]

I'd agree with that rename.. "drainBuffer" sounds like it'll be empty when it returns

[bergundy]

Wondering why you start the workflow with the frontend client and terminate it with the history client. Why not be consistent here?

[lina-temporal]

This is what the existing workflow scheduler does; I believe that StartWorkflowExecution goes through frontend to make sure metering is applied, which wouldn't matter for terminateWorkflow/cancelWorkflow. Though, I'm not sure the reason to have the other two not go through frontend - @dnr ?

[dnr]

Yes, it goes through frontend for metering, and also namespace rps limit for safety.

Terminate/cancel could also, but I had already written them to go to history and it didn't seem worth changing at the time. I don't know if terminate/cancel are metered.. if they are, and if there's not a special case to exclude calls from schedules, that would be a visible metering change, so please check with someone who knows that stuff if you want to do that.

[bergundy]

Note, you're not cloning here, when you change the code to release the lock, you'll want to clone.
I probably wouldn't return the whole structs in these load functions, instead take only what is relevant for the executor functionality.

[bergundy]

Ideally we'd use the standard errors package instead of performing string comparisons.

[bergundy]

Not sure I understand why you need this translation here. Why can't you use the original error? What's the value in wrapping with ApplicationError? That's an SDK concept and isn't relevant here.

[lina-temporal]

It was to classify errors as retryable/non-retryable in a single point. Existing scheduler uses application errors to signal that from the local activities. If it's not a common pattern, I'll get rid of it here.

[dnr]

👍 temporal.ApplicationError is an sdk thing, don't use it (or any error wrapping) here

[dnr]

Please stop recommending against a perfectly good style that's already pervasive in the codebase without a team agreement that we want to deprecate it.

[dnr]

It needed to be exported in the workflow impl because it was serialized as an local activity result. I don't know what's required here.

[dnr]

I'd agree with that rename.. "drainBuffer" sounds like it'll be empty when it returns

[dnr]

We should add a counter in ScheduleInfo for this case

[lina-temporal]

Will do.

[lina-temporal]

Going to add a TODO and add a follow-up PR so I don't have to block this PR on waiting for API approvals.

[lina-temporal]

I think that this should fit into ScheduleInfo.MissedCatchupWindow. I'll use that.

[dnr]

This is good for now, when "scheduler1" is deprecated and removed, it might be worth taking a look to see if scheduler1.ProcessBuffer can be refactored to be a more natural fit here

[dnr]

You should set callerinfo on this context (and all other client contexts) to get proper prioritization and stuff. Search for headers.SetCallerInfo for examples. The workflow impl gets this from pernsworkermanager

[lina-temporal]

Thanks, will fix.

[dnr]

Yes, it goes through frontend for metering, and also namespace rps limit for safety.

Terminate/cancel could also, but I had already written them to go to history and it didn't seem worth changing at the time. I don't know if terminate/cancel are metered.. if they are, and if there's not a special case to exclude calls from schedules, that would be a visible metering change, so please check with someone who knows that stuff if you want to do that.

[dnr]

👍 temporal.ApplicationError is an sdk thing, don't use it (or any error wrapping) here

[dnr]

This looks great.

Have you looked at the old workflow_test.go that much? Most of the detailed behaviors of the old impl are actually tested there; the functional tests are much more limited. Obviously it would be a bunch of work to port over, and a bunch is not applicable, but I think it would be pretty valuable to preserve most of those cases.

I'm thinking ones like TestUpdateBetweenNominalAndJitter, TestUpdateNotRetroactive, TestBackfillInclusiveStartEnd, and maybe even TestHugeBackfillBuffer though that would probably need more modification.

At least, maybe use it as inspiration for future tests :)

[lina-temporal]

Yes, good idea! I'll port over the tests you called out and give workflow_test.go another pass to see what else might make sense.

[lina-temporal]

I gave the existing tests in workflow_test a more thorough look. At a high level, I think that most of these cases actually are covered in the new tests, just broken up closer to each component. Some of the Update specs that deal with behavior we'll implement synchronously (like clearing the buffer when a schedule's action changes), so they aren't represented yet. Others, such as TestLotsOfIterations, the CAN tests, and the Signal tests, are obsolete given the state machine architecture. The ExitScheduleWorkflow tests I'd consider analogously covered by the "empty buffer"/"no work to do" tests.

• I've brought a few more test cases over relevant to the Invoker
• TestUpdateBetweenNominalAndJitter: this tests this branch in existing scheduler, which maps to this branch in SpecProcessor. I've added the test case to SpecProcessor.
• TestUpdateNotRetroactive: I think this test case will come later, with the update handler, since we'll be processing updates synchronously where possible.
• TestBackfillInclusiveStartEnd: I'll make sure this is in the spec for the Backfiller.
• TestHugeBackfillBuffer: ditto

[dnr]

Suggested change

	require.Equal(e.T(), 0, len(executor.BufferedStarts))
	require.Empty(e.T(), executor.BufferedStarts)

reads nicer

[bergundy]

nit: This comment is unclear to me, could you please clarify?

[lina-temporal]

Reworded to, "Number of recent actions taken (workflow execution results) recorded in the ScheduleInfo metadata."

[bergundy]

It may cause problems at 10 seconds since the call takes up an executor in the history service. We may be able to put this on the outbound queue if it becomes an issue. In any case the fact that it's configurable is great. May want to ask @yycptt and @prathyushpv if they see an issue with this.

[bergundy]

I would say we move this to the hsmtest (or maybe it already exists there) but it's really not critical since we will rewrite all of this soon.

[bergundy]

Fix the comment and the variable name here and anywhere else.

[bergundy]

nit: 2025 and remove Uber.

[lina-temporal]

Done as a separate PR.

[bergundy]

Note that you'll likely want to check if there's anything to discard just before completing the task as more actions may get invalidated by then.

[lina-temporal]

I agree that more actions could become invalid (even if just by virtue of them falling past the startWorkflowDeadline, after this loop completes), but I don't see why that's worth optimizing against, considering even if we checked discards right before we write the task's completion transition, we'd still be racing against the startWorkflowDeadline wall clock. Maybe I'm not following the condition you're calling out?

[bergundy]

Note that once a request is put in the buffer you should execute it to completion it since you're risking creating orphans with task retries.

Not 100% sure what the implication of these orphaned workflows would be. At minimum it may affect counts that we maintain.

[lina-temporal]

Note that once a request is put in the buffer you should execute it to completion it since you're risking creating orphans with task retries.

Yep, that is how it's set up; we invalidate within the ProcessBufferTask, but once an action is in scope for ExecuteTask, we'll drive it to completion. processBuffer is the last chance we have to back out of a stale workflow start.

[bergundy]

Why?

[lina-temporal]

The rate that we're trying to limit is "schedules kicked off" moreso than "RPS we're calling StartWorkflowExecution at", it's intended to reflect the customer-facing "max actions taken per second" limit on a schedule.

[yycptt]

this is an interesting topic. We will need to discuss this for existing APS and also the new OPS limiter. For OPS, we would like to limit cancel & terminate as well.

[lina-temporal]

Another thing I'd like to raise is if we still want to rate limit the scheduler itself, versus relying on backpressure from APS limits on StartWorkflowExecution/cancel, terminate. This would be a good knob to simplify for our customers, not to mention operations.

[dnr]

Yeah I thought the consensus was to let the operations themselves get limited (either at frontend or history or both) and drop any additional limiting. (Also the transactions on the scheduler entity itself count against APS and OPS, right?)

[bergundy]

I wonder if this should already be set on the context passed to our task executors, worth checking. And see comment above about propagating that context.

[lina-temporal]

Looked into this. The outboundQueueActiveTaskExecutor provides the context to immediate tasks. Executable generates the context that goes to task executor queues, which does indeed call SetCallerInfo with the proper namespace. So, yes, it does! 👍 will update accordingly.

[bergundy]

Should this be counted as a completed start as it could be as a result of a retry?

[lina-temporal]

It wouldn't be as as result of a retry from the scheduler, though (or we wouldn't get already started back). This is supposed to account more for the case that something external to the scheduler kicked off our target action.

[yycptt]

Is it because each buffered start has a unique RequestID?

[lina-temporal]

Yep, starts have a unique/deterministic request ID.

[yycptt]

Glad we don't have to do this in CHASM world :)

[yycptt]

will this cause both tasks to be generated in one transaction? or upper layer actually guarantees that won't happen?

[lina-temporal]

HSM will append all MachineTransition TransitionOutputs to the node's opLog. When the MS transaction closes, MutableStateImpl.closeTransactionPrepareTasks calls taskGenerator.GenerateDirtySubStateMachineTasks which then compacts the root opLog into a list of tasks, and applies them on the current versioned transition as usual (w/ AddTasks or TrackStateMachineTimer). I believe that means they'd all land in one transaction.

[yycptt]

nit: slices.DeleteFunc()

[yycptt]

What's the purpose of those Node fields in Events definition? I don't see them being used anywhere.

[lina-temporal]

I think I had it in there early in development before I grasped how transitions were applied; I can't find it at all. Got rid of all the Node refs in Event (and also got rid of an unused event in Generator).

[yycptt]

do we need a deep copy for this field? or it's read only?

[lina-temporal]

It's read-only, and the spec itself shouldn't self-mutate, so we should be okay without a clone.

[yycptt]

Is it because each buffered start has a unique RequestID?

[yycptt]

do we need a metric for those dropped starts?

[lina-temporal]

Sure, we can add one; we do have ScheduleActionErrors but it'd be nice to see when retries are being exhausted; have we found the need for a separate metric for this with the existing scheduler or more just a nice to have?

[yycptt]

🤦 Two different "ActualTime"...

[lina-temporal]

Yeah; start.ActualTime is the scheduled time after jitter, whereas ActualTime is meant to be the time when it was actually kicked off. I suppose we could hide the detail by using start.ActualTime for both, but that might be a little confusing if a start was scheduled but failed to start for a period before success.

[dnr]

Sorry, the confusing names are my fault 😞

They're two separate contexts:

When talking about scheduled times, we have "Nominal" vs "Actual", "nominal" is what matches the schedule spec, "actual" is that plus jitter. So "actual" is the time when we want the thing to run.

When talking about what actually happened, the "actual" from above is when we want it to run, and then there's when it actually did run. So "actual" turns into ScheduleTime and then the "real" time turns into ActualTime. Of course I should have picked a third word. Or maybe we should call it ActualActualTime or ReallyRealTime 😆

[yycptt]

it looks like this timer logic is executed with the Scheduler locked, so we don't really need the deep copy here.

[lina-temporal]

Yeah, true. I'll update loadInvoker to take a shouldClone parameter since we also use it in the immediate task.

[yycptt]

Please help add some comments about the purpose of the LastProcessedTime field :)

[lina-temporal]

I recalled the reason - it's subtle, I'll update the comments. It's because of how the Invoker drives its backoffs. Invoker generates a timer task to wake on the earliest possible backoff, with a ProcessBufferTask. When the ProcessBufferTask runs, to handle pending backoffs, it simply moves the LastProcessedTime high water mark forward. With the MachineTransition that updates LastProcessedTime, tasks are generated, and since LastProcessedTime > BackoffTime for some start, an immediate ExecuteTask is generated.

The reason that we account for it separately in LastProcessedTime is to support replication and being able to re-generate tasks based on incoming state. This way, when we replicate the machine at a specific point in time, it'll generate an identical set of tasks regardless of when tasks were regenerated (as opposed to if we used say, env.Now()).