RUBY-3364 fix connection pool thread starvation under oversubscription

[comandeo-mongo]

Summary

Fixes thread starvation in Mongo::Server::ConnectionPool when worker threads
significantly outnumber the pool size.

Root cause: mutex barging at the checkout predicate gate. A thread returning
from do_check_in re-enters retrieve_and_connect_connection while
unavailable_connections < max_size is still true, bypasses the wait loop
entirely, and takes the freshly-released connection before any thread blocked
in @size_cv.wait can re-acquire @lock. With 200 threads and a 5-connection
pool, 5 threads form a closed cycle and the other 195 starve for the entire
run (each completes 2 ops and hits the wait timeout once).

This is not non-FIFO condition variable behavior — MRI's ::ConditionVariable
signals waiters in insertion order. The barging happens at the mutex
re-acquisition boundary, not inside the CV. The full diagnosis and the
rationale for the minimal fix (vs. a larger per-waiter-CV redesign) is in
the design doc that accompanies this change.

Fix

Introduce per-gate waiter counters (@size_waiters, @max_connecting_waiters)
and require any thread that arrives with a non-zero counter to enter the
wait loop at least once, regardless of whether the predicate is currently
satisfied. Once a thread has served one wait cycle it is eligible on the
next iteration.

Preserves the existing architecture and synchronization primitives; no
changes to do_check_in signaling or @connection_requests counting.

Validation

workload	before	after
200 threads, pool=5, 10s queries, 30s run	min=2, max=17340, ~390 timeouts	min=584, max=585, 0 timeouts

All existing suites pass against a local replica set:

• spec/mongo/server/connection_pool_spec.rb + connection_pool/ subdir: 114 examples, 0 failures, 3 pending
• spec/spec_tests/cmap_spec.rb: 226 examples, 0 failures
• spec/integration/connection_pool_populator_spec.rb + connection_spec.rb: 23 examples, 0 failures, 10 pending
• bundle exec rubocop lib/mongo/server/connection_pool.rb spec/mongo/server/connection_pool_fairness_spec.rb: clean

Changes

• lib/mongo/server/connection_pool.rb: add @size_waiters / @max_connecting_waiters counters; gate both checkout waits on them
• spec/mongo/server/connection_pool_fairness_spec.rb: new regression test asserting per-thread service-count ratio and zero checkout timeouts under oversubscription. Verified to fail on the pre-fix code (ratio=0.0, min=1, max=~4000) and pass on the fixed code (ratio >= 0.99).
• profile/connection_pool_fairness.rb: fairness diagnostic harness kept under profile/ alongside driver_bench. Used to reproduce RUBY-3364 and to validate the fix; not run in default CI.

Test Plan

• CI green on all Evergreen variants
• Reviewer runs profile/connection_pool_fairness.rb locally and confirms even distribution
• Consider whether the ratio >= 0.5 threshold in the regression spec is appropriate for all CI variants (local observation is >= 0.99; 0.5 was chosen to absorb CI noise)

[Copilot]

Pull request overview

Addresses RUBY-3364 by improving fairness in Mongo::Server::ConnectionPool under heavy thread oversubscription, aiming to prevent long-lived starvation cycles.

Changes:

• Add per-gate waiter counters (@size_waiters, @max_connecting_waiters) and incorporate them into checkout gating logic.
• Add a new RSpec regression test to detect starvation/unfair service distribution under oversubscription.
• Add a profiling harness to reproduce and measure pool fairness characteristics outside CI.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.

File	Description
lib/mongo/server/connection_pool.rb	Introduces waiter counters and modifies checkout gate loops to reduce mutex barging/starvation.
spec/mongo/server/connection_pool_fairness_spec.rb	Adds a regression spec asserting no checkout timeouts and roughly even per-thread service.
profile/connection_pool_fairness.rb	Adds a standalone profiling script to measure fairness and wait-time distributions.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Forcing a @size_cv.wait solely because @size_waiters > 0 can create a lost-wakeup/spurious-timeout scenario: a thread may enter the wait even though unavailable_connections < max_size is already true, and if no further @size_cv.signal occurs (e.g., multiple check-ins happened before this thread began waiting, leaving capacity available but no subsequent signals), it will sleep until deadline and raise a checkout timeout despite capacity being available. This fairness mechanism likely needs a handoff/ticket-style turnstile (or some form of waiter-to-waiter signaling) so a “queue tax” wait does not depend on an external signal when the predicate is already satisfied.

[comandeo-mongo]

Good catch. This is a real lost-wakeup: a newcomer entering during the wake-up window (observing a stale @size_waiters > 0 before the waking waiter has decremented it) can be parked on @size_cv with capacity available, and no further signal is guaranteed.

Fixed in b7b50f2: after a successful checkout updates @checked_out_connections, signal @size_cv if there is a waiter AND the gate predicate is satisfied for them. The predicate guard matters — an unconditional signal would wake a waiter whose predicate still fails, causing it to re-queue itself at the back of the FIFO and break the wait-queue-fairness CMAP spec test.

Reproduction test added in fa55ebd (white-box, instruments the pool CV to force the race window open). Verified it fails on the prior commit and passes after the fix.

[Copilot]

The same must_wait pattern on @max_connecting_cv can block even when a connection is already available (@available_connections.any?), and can similarly lead to a spurious timeout if the thread starts waiting after the last relevant signal and no further signals occur. Consider ensuring the fairness mechanism does not require an additional CV signal when the gate predicate is already satisfied (e.g., via an explicit FIFO/turnstile handoff among waiters).

[comandeo-mongo]

Same fix applied to @max_connecting_cv in wait_for_connection. Commit b7b50f2.

Predicate-guarded signal (@available_connections.any? || @pending_connections.length < @max_connecting) avoids the FIFO-reordering side effect that would otherwise surface on the CMAP wait-queue-fairness spec test.

[Copilot]

This harness enqueues a full per-operation row [tid, t1, t2, dur, err] into results for the entire run, then drains it into rows. Under fast operations (or longer durations), this can grow to a very large number of Ruby objects and can OOM the process, making the diagnostic unreliable. Consider aggregating statistics online (counts/histograms per thread) and only optionally storing full rows behind an env flag or sampling rate.

[comandeo-mongo]

Noted. Deferring to a follow-up. At the default workload (200 threads × 30s ≈ 120k rows, ~24 MB of Ruby objects) the harness is fine; it would need online aggregation for multi-minute runs. Since this script lives under profile/ and is run by humans for diagnostic purposes rather than in CI, the memory ceiling is acceptable for now. I will add a header note.

[Copilot]

The new must_wait gating can block even when max_size == 0 (unlimited pool). With max_size == 0, the size gate should never wait; however the current condition still waits whenever @size_waiters > 0, which can introduce unnecessary blocking and even checkout timeouts in an otherwise-unbounded pool. Consider bypassing the must_wait logic entirely when max_size == 0 (or folding it into must_wait so it is always false in this case).

Suggested change

	must_wait = @size_waiters > 0
	# Do not apply this gate to unlimited pools, where max_size == 0
	# means there is no size slot to wait for.
	must_wait = max_size != 0 && @size_waiters > 0

[comandeo-mongo]

Applied: must_wait = max_size != 0 && @size_waiters > 0. Commit b7b50f2.

max_connecting does not have an unlimited sentinel (it is always a positive integer), so no parallel change is needed for the second gate.