[Store] L2->L1 promotion-on-hit

[yzhan1]

Description

Adds the L2→L1 promotion-on-hit feature: when a key whose only complete replica lives on a peer client's local SSD (LOCAL_DISK) is read enough times to clear an admission threshold, the master enqueues a promotion task and the holder client's next FileStorage heartbeat stages a fresh MEMORY replica via Transfer Engine. Symmetric counterpart to offload-on-evict: offload moves cold data DRAM→SSD on eviction, promotion moves rediscovered-warm data SSD→DRAM on access.

The trigger lives inside MasterService::GetReplicaList. A CountMinSketch tracks per-key access frequency; gates filter out cases where promotion would be wasteful or unsafe (no LOCAL_DISK source, MEMORY already present, DRAM under high-watermark pressure, queue saturated, or task already in-flight for the same key). When all gates pass, the master records a PromotionTask in the per-shard map (refcnt-pinning the source replica) and pushes the key onto the holder's per-LocalDiskSegment promotion_objects map. The holder's FileStorage heartbeat thread drains a bounded batch from that map, calls PromotionAllocStart to stage a PROCESSING MEMORY replica, reads the bytes from local SSD, RDMA-WRITEs them via PromotionWrite, and notifies the master. NotifyPromotionSuccess flips the new replica COMPLETE and decrements the source LOCAL_DISK refcnt. A reaper drops expired tasks; orphaned PROCESSING replicas are reaped via the standard discarded-replicas path.

Failure handling matches offload's posture: per-key failures are logged and skipped, and the master-side reaper handles task TTL expiry on its own schedule.

Key design points addressed in this PR

• Concurrent-Put disambiguation in NotifyPromotionSuccess. The PromotionTask stores the ReplicaID of the staged MEMORY replica captured during PromotionAllocStart. NotifyPromotionSuccess commits exactly that replica via GetReplicaByID, so a parallel Put creating its own PROCESSING MEMORY replica on the same key cannot be confused with ours.
• Heartbeat liveness. Each promotion task does a synchronous SSD read + RDMA write whose wall time scales with object size (64 MB–1 GB tensors are common in KV-cache workloads). MasterService::PromotionObjectHeartbeat returns at most kMaxPerHeartbeat = 1 task per call and leaves the rest queued; the client processes whatever the master returned and never blocks beyond a single task. Leftovers are preserved by construction — no silent drops.
• Sketch / threshold type safety. The CountMinSketch uses 8-bit saturating counters (max 255), so promotion_admission_threshold is clamped to [0, 255] at config parse time with a warning, giving the gate a stable comparison contract.

Config knobs (default off)

• --promotion_on_hit=true — feature flag
• --promotion_admission_threshold=N — reads per key before the gate fires (default 2; clamped to ≤255)
• --promotion_queue_limit=N — soft per-shard cap on in-flight promotion tasks (default 50000)

Module

• Transfer Engine (mooncake-transfer-engine)
• Mooncake Store (mooncake-store)
• Mooncake EP (mooncake-ep)
• Integration (mooncake-integration)
• P2P Store (mooncake-p2p-store)
• Python Wheel (mooncake-wheel)
• PyTorch Backend (mooncake-pg)
• Mooncake RL (mooncake-rl)
• CI/CD
• Docs
• Other

Type of Change

• Bug fix
• New feature
• Refactor
• Breaking change
• Documentation update
• Other

How Has This Been Tested?

Master-side unit tests (mooncake-store/tests/promotion_on_hit_test.cpp, 13 tests):

• Gate behavior: feature off, no LOCAL_DISK source, MEMORY already present
• Error returns: unknown client/key on Heartbeat / AllocStart / Notify
• State machine: dedup of racing readers, stale task reaper, key removed mid-promotion
• Cap gates: promotion_queue_limit rejects beyond saturation; PromotionObjectHeartbeat returns ≤kMaxPerHeartbeat per call and preserves leftover work (HeartbeatBoundedBatchPreservesLeftovers)
• Multi-segment routing: cross-host LOCAL_DISK→MEMORY allocation, preferred_segments honored

Client-side unit tests (mooncake-store/tests/file_storage_promotion_test.cpp, 9 tests, FakeClient mocks the master RPCs):

• Empty queue / heartbeat error paths
• Per-key error isolation: AllocStart / BatchLoad / TransferWrite / Notify failures don't abort the batch
• NonPositiveSize / SegmentNotFound / hard-error propagation
• FakeClient mirrors the master's bounded-batch heartbeat semantics, so the drain shape exercised matches production

Snapshot tests (mooncake-store/tests/ha/snapshot/master_service_promotion_test_for_snapshot.cpp, 5 tests):

• LOCAL_DISK replica round-trip, mixed MEMORY+LOCAL_DISK, multiple holders, in-flight task safety

End-to-end Python tests (mooncake-wheel/tests/test_promotion_on_hit.py, 2 tests in CI):

• Positive: 96×1 MiB workload overflows 32 MiB segment → eviction creates LOCAL_DISK-only keys → repeated store.get clears admission threshold → MEMORY replica reappears → bit-exact bytes verified pre- AND post-promotion AND the post-promotion read is proven to serve from MEMORY (not LOCAL_DISK SSD) by snapshotting MooncakeDistributedStore.get_offload_rpc_read_count() around the read and asserting zero delta
• Negative: below-watermark workload stays MEMORY-only (guards against spurious promotion / auto-LOCAL_DISK regressions)

Gated behind TEST_PROMOTION_ON_HIT in scripts/run_tests.sh.

Opt-in latency benchmark (BenchPromotionLatency class in the same file, skipped by default; run with MC_BENCH_PROMOTION_LATENCY=1):

The CI test proves MEMORY served the post-promotion read via the offload-RPC counter delta. For a richer empirical view, the benchmark times every read with time.perf_counter, samples LATENCY_SAMPLES reads per phase (default 1000), and reports p50/p95/p99 with a per-percentile speedup table. Pre-promotion reads bail the moment a read serves from MEMORY (detected via the same counter) so the LOCAL_DISK distribution stays uncontaminated.

Observed numbers from a docker-tmpfs run with 1 MiB objects, N=1000 samples:

	n	p50	p95	p99	min	max
Pre-promotion (LOCAL_DISK via offload-RPC)	1000	0.52 ms	0.68 ms	0.81 ms	0.40 ms	6.10 ms
Post-promotion (MEMORY direct)	1000	0.24 ms	0.34 ms	0.42 ms	0.18 ms	2.36 ms
Speedup		2.1×	2.0×	1.9×

The speedup holds across the distribution — MEMORY's win isn't a median trick. The 1.3× p50 assertion baked into the bench has comfortable headroom over the observed 2×. On docker tmpfs (no real SSD, no RDMA NIC) much of the per-read wall-time is Python/C++ marshalling overhead, so the SSD-vs-DRAM cost gap is compressed; on real hardware (NVMe + RDMA) the ratio is typically 10–50×.

The same numbers replicated at N=10000 with MOONCAKE_OFFLOAD_HEARTBEAT_INTERVAL_SECONDS=30 (so the worker doesn't race a longer pre-loop): p50/p95/p99 changed by ≤0.02 ms vs the N=1000 run, confirming N=1000 is the right default for stable tail percentiles.

Follow-ups (not in this PR)

• Async promotion worker. Today the heartbeat thread serially executes the SSD read + RDMA write + notify per task with kMaxPerHeartbeat=1 to stay inside the client-liveness window. If real workloads show the resulting drain rate (≈ 1 promotion / heartbeat interval) becomes a bottleneck, an obvious next step is a dedicated worker thread that pulls from a bounded queue: the heartbeat enqueues, the worker drains independently, and the cap can be relaxed. ~180 LOC + tests; deferred unless needed.

Checklist

• I have performed a self-review of my own code.
• I have formatted my own code using ./scripts/code_format.sh before submitting.
• I have updated the documentation.
• I have added tests to prove my changes are effective.

[gemini-code-assist]

Code Review

This pull request introduces a 'promotion-on-hit' feature that asynchronously promotes objects from local SSD (L2) back to DRAM (L1) when they are frequently accessed. The implementation includes master-side gating logic using a Count-Min Sketch, new RPC endpoints for promotion orchestration, and a client-side execution loop in FileStorage. Feedback focuses on critical concurrency and performance issues: processing too many promotion tasks in a single heartbeat could block the client, and the current replica commitment logic in NotifyPromotionSuccess is ambiguous and could lead to data corruption if concurrent Put operations occur. Additionally, a type mismatch between the frequency sketch and the admission threshold was identified.

[codecov-commenter]

⚠️ Please install the to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

❌ Patch coverage is 83.39286% with 186 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
mooncake-store/tests/promotion_on_hit_test.cpp	93.84%	32 Missing ⚠️
mooncake-store/src/master.cpp	0.00%	29 Missing ⚠️
mooncake-store/src/file_storage.cpp	54.09%	28 Missing ⚠️
...oncake-store/tests/file_storage_promotion_test.cpp	86.01%	20 Missing ⚠️
mooncake-store/src/master_client.cpp	0.00%	18 Missing ⚠️
mooncake-store/src/rpc_service.cpp	15.78%	16 Missing ⚠️
mooncake-store/src/master_service.cpp	93.00%	14 Missing ⚠️
mooncake-store/src/client_service.cpp	0.00%	12 Missing ⚠️
mooncake-integration/store/store_py.cpp	0.00%	7 Missing ⚠️
mooncake-store/include/master_config.h	50.00%	6 Missing ⚠️
... and 3 more

📢 Thoughts on this report? Let us know!

[Srinivasoo7]

Hi @yzhan1

Overall the implementation follows as per the RFC.

I'm curious about the following issues:

1. Promoted MEMORY replicas are appended after the existing LOCAL_DISK replica, but Client::Get still selects the first COMPLETE replica.

PromotionAllocStart appends the new PROCESSING MEMORY replica via metadata.AddReplicas, and NotifyPromotionSuccess only marks that appended replica COMPLETE.
However, normal Get still calls FindFirstCompleteReplica, which returns the first COMPLETE descriptor in master order. For a LOCAL_DISK-only key, the original LOCAL_DISK replica remains first, so after promotion, future Gets can still read from SSD instead of the new MEMORY replica. This means the main RFC goal, "subsequent Gets avoid SSD", is not guaranteed.

Ideal fix here would be to either return/prefer MEMORY replicas before LOCAL_DISK in GetReplicaList, insert the promoted MEMORY replica before the LOCAL_DISK source, or update client replica selection to prefer MEMORY over LOCAL_DISK?

Also, it would be nice to add a test that proves the post-promotion read actually selects MEMORY, not just that MEMORY metadata exists.

2. ProcessPromotionTasks drains all pending promotion objects but only processes one.

PromotionObjectHeartbeat moves the whole per-client promotion_objects map out of the master. Then FileStorage::ProcessPromotionTasks has kMaxPromotionsPerTick = 1 and breaks after the first item.
The remaining items are no longer in the client pending map, so they will not be retried on later heartbeats; their master promotion_tasks entries stay pinned until the stale-task reaper expires them. Under a burst of hot LOCAL_DISK keys, most queued promotions can be dropped and source refcounts remain pinned until timeout.

Could you keep unprocessed tasks queued, return only a bounded batch from the heartbeat, or process the full drained map with a byte/task budget that preserves leftovers?

[LujhCoconut]

Overall, this pr makes sense to me from a design perspective. As a nice-to-have, would it be possible to supplement the results with a few more metrics? This would further strengthen the empirical validation, though it's by no means a blocker.

[LujhCoconut]

Thank you for your patience. Overall, this PR looks quite complete to me. My final suggestion is regarding code quality:

[Nit] The const_cast in PromotionAllocStart to backfill alloc_id is safe at runtime, but the const qualifier on the map value type declares an intent of immutability that the two-phase emplace-then-mutate pattern contradicts. Removing const from promotion_tasks's value type would make the declaration match the actual usage and eliminate the cast, reducing the reasoning burden for future readers. No behavioral change.

- std::unordered_map<std::string, const PromotionTask> promotion_tasks;
+ std::unordered_map<std::string, PromotionTask> promotion_tasks;

- const_cast<PromotionTask&>(task_it->second).alloc_id = new_id;  
+ task_it->second.alloc_id = new_id;

The shard RW lock is already held in both TryPushPromotionQueue (emplace) and PromotionAllocStart (backill), so mutability is safely scoped.

Note that offloading_tasks is declared as const OffloadingTask because it's fully initialized at emplace time and never mutated afterward. PromotionTask is different due to the two-phase alloc_id backfill, so the const qualifier is unnecessarily restrictive here.

[yzhan1]

@LujhCoconut thanks! I will revise based on your comment. Also have some perf tests that I'd like to add and some other minor bugs I'm fixing. Will address and push shortly

[stmatengss]

'''
ERROR: test_mooncake_backend_cpu (unittest.loader._FailedTest.test_mooncake_backend_cpu)

ImportError: Failed to import test module: test_mooncake_backend_cpu
Traceback (most recent call last):
File "/home/runner/work/Mooncake/Mooncake/test_env/lib/python3.12/site-packages/mooncake/pg.py", line 10, in
backend_module = importlib.import_module("mooncake.pg" + version_suffix)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/hostedtoolcache/Python/3.12.13/x64/lib/python3.12/importlib/init.py", line 90, in import_module
return _bootstrap._gcd_import(name[level:], package, level)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "", line 1387, in _gcd_import
File "", line 1360, in _find_and_load
File "", line 1324, in _find_and_load_unlocked
ModuleNotFoundError: No module named 'mooncake.pg_2_12_0'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/opt/hostedtoolcache/Python/3.12.13/x64/lib/python3.12/unittest/loader.py", line 137, in loadTestsFromName
module = import(module_name)
^^^^^^^^^^^^^^^^^^^^^^^
File "/home/runner/work/Mooncake/Mooncake/mooncake-wheel/tests/test_mooncake_backend_cpu.py", line 7, in
from mooncake import pg
File "/home/runner/work/Mooncake/Mooncake/test_env/lib/python3.12/site-packages/mooncake/pg.py", line 12, in
raise ImportError(
ImportError: Mooncake PG was not built against torch==2.12.0.
Open an issue at https://github.com/kvcache-ai/Mooncake/issues.
'''