tigerbeetle-node 0.5.2 → 0.6.0

package/src/tigerbeetle/src/storage.zig

@@ -6,8 +6,6 @@ const assert = std.debug.assert;
 const log = std.log.scoped(.storage);
 
 const IO = @import("io.zig").IO;
-const is_darwin = builtin.target.isDarwin();
-
 const config = @import("config.zig");
 const vsr = @import("vsr.zig");
 
@@ -307,232 +305,4 @@ pub const Storage = struct {
         assert(buffer.len > 0);
         assert(offset + buffer.len <= self.size);
     }
-
-    // Static helper functions to handle data file creation/opening/allocation:
-
-    /// Opens or creates a journal file:
-    /// - For reading and writing.
-    /// - For Direct I/O (if possible in development mode, but required in production mode).
-    /// - Obtains an advisory exclusive lock to the file descriptor.
-    /// - Allocates the file contiguously on disk if this is supported by the file system.
-    /// - Ensures that the file data (and file inode in the parent directory) is durable on disk.
-    ///   The caller is responsible for ensuring that the parent directory inode is durable.
-    /// - Verifies that the file size matches the expected file size before returning.
-    pub fn open(
-        dir_fd: os.fd_t,
-        relative_path: [:0]const u8,
-        size: u64,
-        must_create: bool,
-    ) !os.fd_t {
-        assert(relative_path.len > 0);
-        assert(size >= config.sector_size);
-        assert(size % config.sector_size == 0);
-
-        // TODO Use O_EXCL when opening as a block device to obtain a mandatory exclusive lock.
-        // This is much stronger than an advisory exclusive lock, and is required on some platforms.
-
-        var flags: u32 = os.O.CLOEXEC | os.O.RDWR | os.O.DSYNC;
-        var mode: os.mode_t = 0;
-
-        // TODO Document this and investigate whether this is in fact correct to set here.
-        if (@hasDecl(os, "O_LARGEFILE")) flags |= os.O.LARGEFILE;
-
-        var direct_io_supported = false;
-        if (config.direct_io) {
-            direct_io_supported = try Storage.fs_supports_direct_io(dir_fd);
-            if (direct_io_supported) {
-                if (!is_darwin) flags |= os.O.DIRECT;
-            } else if (config.deployment_environment == .development) {
-                log.warn("file system does not support Direct I/O", .{});
-            } else {
-                // We require Direct I/O for safety to handle fsync failure correctly, and therefore
-                // panic in production if it is not supported.
-                @panic("file system does not support Direct I/O");
-            }
-        }
-
-        if (must_create) {
-            log.info("creating \"{s}\"...", .{relative_path});
-            flags |= os.O.CREAT;
-            flags |= os.O.EXCL;
-            mode = 0o666;
-        } else {
-            log.info("opening \"{s}\"...", .{relative_path});
-        }
-
-        // This is critical as we rely on O_DSYNC for fsync() whenever we write to the file:
-        assert((flags & os.O.DSYNC) > 0);
-
-        // Be careful with openat(2): "If pathname is absolute, then dirfd is ignored." (man page)
-        assert(!std.fs.path.isAbsolute(relative_path));
-        const fd = try os.openatZ(dir_fd, relative_path, flags, mode);
-        // TODO Return a proper error message when the path exists or does not exist (init/start).
-        errdefer os.close(fd);
-
-        // TODO Check that the file is actually a file.
-
-        // On darwin, use F_NOCACHE on direct_io to disable the page cache as O_DIRECT doesn't exit.
-        if (is_darwin and config.direct_io and direct_io_supported) {
-            _ = try os.fcntl(fd, os.F.NOCACHE, 1);
-        }
-
-        // Obtain an advisory exclusive lock that works only if all processes actually use flock().
-        // LOCK_NB means that we want to fail the lock without waiting if another process has it.
-        os.flock(fd, os.LOCK.EX | os.LOCK.NB) catch |err| switch (err) {
-            error.WouldBlock => @panic("another process holds the data file lock"),
-            else => return err,
-        };
-
-        // Ask the file system to allocate contiguous sectors for the file (if possible):
-        // If the file system does not support `fallocate()`, then this could mean more seeks or a
-        // panic if we run out of disk space (ENOSPC).
-        if (must_create) try Storage.allocate(fd, size);
-
-        // The best fsync strategy is always to fsync before reading because this prevents us from
-        // making decisions on data that was never durably written by a previously crashed process.
-        // We therefore always fsync when we open the path, also to wait for any pending O_DSYNC.
-        // Thanks to Alex Miller from FoundationDB for diving into our source and pointing this out.
-        try os.fsync(fd);
-
-        // We fsync the parent directory to ensure that the file inode is durably written.
-        // The caller is responsible for the parent directory inode stored under the grandparent.
-        // We always do this when opening because we don't know if this was done before crashing.
-        try os.fsync(dir_fd);
-
-        const stat = try os.fstat(fd);
-        if (stat.size != size) @panic("data file inode size was truncated or corrupted");
-
-        return fd;
-    }
-
-    /// Allocates a file contiguously using fallocate() if supported.
-    /// Alternatively, writes to the last sector so that at least the file size is correct.
-    pub fn allocate(fd: os.fd_t, size: u64) !void {
-        log.info("allocating {}...", .{std.fmt.fmtIntSizeBin(size)});
-        Storage.fallocate(fd, 0, 0, @intCast(i64, size)) catch |err| switch (err) {
-            error.OperationNotSupported => {
-                log.warn("file system does not support fallocate(), an ENOSPC will panic", .{});
-                log.info("allocating by writing to the last sector of the file instead...", .{});
-
-                const sector_size = config.sector_size;
-                const sector: [sector_size]u8 align(sector_size) = [_]u8{0} ** sector_size;
-
-                // Handle partial writes where the physical sector is less than a logical sector:
-                const offset = size - sector.len;
-                var written: usize = 0;
-                while (written < sector.len) {
-                    written += try os.pwrite(fd, sector[written..], offset + written);
-                }
-            },
-            else => return err,
-        };
-    }
-
-    fn fallocate(fd: i32, mode: i32, offset: i64, length: i64) !void {
-        // https://stackoverflow.com/a/11497568
-        // https://api.kde.org/frameworks/kcoreaddons/html/posix__fallocate__mac_8h_source.html
-        // http://hg.mozilla.org/mozilla-central/file/3d846420a907/xpcom/glue/FileUtils.cpp#l61
-        if (is_darwin) {
-            const F_ALLOCATECONTIG = 0x2; // allocate contiguous space
-            const F_ALLOCATEALL = 0x4; // allocate all or nothing
-            const F_PEOFPOSMODE = 3; // use relative offset from the seek pos mode
-            const F_VOLPOSMODE = 4; // use the specified volume offset
-            _ = F_VOLPOSMODE;
-
-            const fstore_t = extern struct {
-                fst_flags: c_uint,
-                fst_posmode: c_int,
-                fst_offset: os.off_t,
-                fst_length: os.off_t,
-                fst_bytesalloc: os.off_t,
-            };
-
-            var store = fstore_t{
-                .fst_flags = F_ALLOCATECONTIG | F_ALLOCATEALL,
-                .fst_posmode = F_PEOFPOSMODE,
-                .fst_offset = 0,
-                .fst_length = offset + length,
-                .fst_bytesalloc = 0,
-            };
-
-            // try to pre-allocate contiguous space and fall back to default non-continugous
-            var res = os.system.fcntl(fd, os.F.PREALLOCATE, @ptrToInt(&store));
-            if (os.errno(res) != .SUCCESS) {
-                store.fst_flags = F_ALLOCATEALL;
-                res = os.system.fcntl(fd, os.F.PREALLOCATE, @ptrToInt(&store));
-            }
-
-            switch (os.errno(res)) {
-                .SUCCESS => {},
-                .ACCES => unreachable, // F_SETLK or F_SETSIZE of F_WRITEBOOTSTRAP
-                .BADF => return error.FileDescriptorInvalid,
-                .DEADLK => unreachable, // F_SETLKW
-                .INTR => unreachable, // F_SETLKW
-                .INVAL => return error.ArgumentsInvalid, // for F_PREALLOCATE (offset invalid)
-                .MFILE => unreachable, // F_DUPFD or F_DUPED
-                .NOLCK => unreachable, // F_SETLK or F_SETLKW
-                .OVERFLOW => return error.FileTooBig,
-                .SRCH => unreachable, // F_SETOWN
-                .OPNOTSUPP => return error.OperationNotSupported, // not reported but need same error union
-                else => |errno| return os.unexpectedErrno(errno),
-            }
-
-            // now actually perform the allocation
-            return os.ftruncate(fd, @intCast(u64, length)) catch |err| switch (err) {
-                error.AccessDenied => error.PermissionDenied,
-                else => |e| e,
-            };
-        }
-
-        while (true) {
-            const rc = os.linux.fallocate(fd, mode, offset, length);
-            switch (os.linux.getErrno(rc)) {
-                .SUCCESS => return,
-                .BADF => return error.FileDescriptorInvalid,
-                .FBIG => return error.FileTooBig,
-                .INTR => continue,
-                .INVAL => return error.ArgumentsInvalid,
-                .IO => return error.InputOutput,
-                .NODEV => return error.NoDevice,
-                .NOSPC => return error.NoSpaceLeft,
-                .NOSYS => return error.SystemOutdated,
-                .OPNOTSUPP => return error.OperationNotSupported,
-                .PERM => return error.PermissionDenied,
-                .SPIPE => return error.Unseekable,
-                .TXTBSY => return error.FileBusy,
-                else => |errno| return os.unexpectedErrno(errno),
-            }
-        }
-    }
-
-    /// Detects whether the underlying file system for a given directory fd supports Direct I/O.
-    /// Not all Linux file systems support `O_DIRECT`, e.g. a shared macOS volume.
-    fn fs_supports_direct_io(dir_fd: std.os.fd_t) !bool {
-        if (!@hasDecl(std.os, "O_DIRECT") and !is_darwin) return false;
-
-        const path = "fs_supports_direct_io";
-        const dir = std.fs.Dir{ .fd = dir_fd };
-        const fd = try os.openatZ(dir_fd, path, os.O.CLOEXEC | os.O.CREAT | os.O.TRUNC, 0o666);
-        defer os.close(fd);
-        defer dir.deleteFile(path) catch {};
-
-        // F_NOCACHE on darwin is the most similar option to O_DIRECT on linux.
-        if (is_darwin) {
-            _ = os.fcntl(fd, os.F.NOCACHE, 1) catch return false;
-            return true;
-        }
-
-        while (true) {
-            const res = os.system.openat(dir_fd, path, os.O.CLOEXEC | os.O.RDONLY | os.O.DIRECT, 0);
-            switch (os.linux.getErrno(res)) {
-                0 => {
-                    os.close(@intCast(os.fd_t, res));
-                    return true;
-                },
-                os.linux.EINTR => continue,
-                os.linux.EINVAL => return false,
-                else => |err| return os.unexpectedErrno(err),
-            }
-        }
-    }
 };

package/src/tigerbeetle/src/test/cluster.zig

@@ -6,7 +6,8 @@ const config = @import("../config.zig");
 
 const StateChecker = @import("state_checker.zig").StateChecker;
 
-const MessagePool = @import("../message_pool.zig").MessagePool;
+const message_pool = @import("../message_pool.zig");
+const MessagePool = message_pool.MessagePool;
 const Message = MessagePool.Message;
 
 const Network = @import("network.zig").Network;
@@ -197,12 +198,8 @@ pub const Cluster = struct {
             var it = message_bus.pool.free_list;
             while (it) |message| : (it = message.next) messages_in_pool += 1;
         }
-        {
-            var it = message_bus.pool.header_only_free_list;
-            while (it) |message| : (it = message.next) messages_in_pool += 1;
-        }
 
-        const total_messages = config.message_bus_messages_max + config.message_bus_headers_max;
+        const total_messages = message_pool.messages_max_replica;
         assert(messages_in_network + messages_in_pool == total_messages);
 
         replica.* = try Replica.init(

package/src/tigerbeetle/src/test/message_bus.zig

@@ -6,12 +6,13 @@ const config = @import("../config.zig");
 const MessagePool = @import("../message_pool.zig").MessagePool;
 const Message = MessagePool.Message;
 const Header = @import("../vsr.zig").Header;
+const ProcessType = @import("../vsr.zig").ProcessType;
 
 const Network = @import("network.zig").Network;
 
 const log = std.log.scoped(.message_bus);
 
-pub const Process = union(enum) {
+pub const Process = union(ProcessType) {
     replica: u8,
     client: u128,
 };
@@ -35,7 +36,7 @@ pub const MessageBus = struct {
         network: *Network,
     ) !MessageBus {
         return MessageBus{
-            .pool = try MessagePool.init(allocator),
+            .pool = try MessagePool.init(allocator, @as(ProcessType, process)),
             .network = network,
             .cluster = cluster,
             .process = process,
@@ -61,7 +62,7 @@ pub const MessageBus = struct {
 
     pub fn tick(_: *MessageBus) void {}
 
-    pub fn get_message(bus: *MessageBus) ?*Message {
+    pub fn get_message(bus: *MessageBus) *Message {
         return bus.pool.get_message();
     }
 

package/src/tigerbeetle/src/test/network.zig

@@ -28,7 +28,7 @@ pub const Network = struct {
         message: *Message,
 
         pub fn deinit(packet: *const Packet, path: PacketSimulatorPath) void {
-            const source_bus = &packet.network.busses.items[path.source];
+            const source_bus = &packet.network.buses.items[path.source];
             source_bus.unref(packet.message);
         }
     };
@@ -43,7 +43,7 @@ pub const Network = struct {
     options: NetworkOptions,
     packet_simulator: PacketSimulator(Packet),
 
-    busses: std.ArrayListUnmanaged(MessageBus),
+    buses: std.ArrayListUnmanaged(MessageBus),
     processes: std.ArrayListUnmanaged(u128),
 
     pub fn init(
@@ -55,8 +55,8 @@ pub const Network = struct {
         const process_count = client_count + replica_count;
         assert(process_count <= std.math.maxInt(u8));
 
-        var busses = try std.ArrayListUnmanaged(MessageBus).initCapacity(allocator, process_count);
-        errdefer busses.deinit(allocator);
+        var buses = try std.ArrayListUnmanaged(MessageBus).initCapacity(allocator, process_count);
+        errdefer buses.deinit(allocator);
 
         var processes = try std.ArrayListUnmanaged(u128).initCapacity(allocator, process_count);
         errdefer processes.deinit(allocator);
@@ -71,18 +71,18 @@ pub const Network = struct {
             .allocator = allocator,
             .options = options,
             .packet_simulator = packet_simulator,
-            .busses = busses,
+            .buses = buses,
             .processes = processes,
         };
     }
 
     pub fn deinit(network: *Network) void {
-        // TODO: deinit the busses themselves when they gain a deinit()
-        network.busses.deinit(network.allocator);
+        // TODO: deinit the buses themselves when they gain a deinit()
+        network.buses.deinit(network.allocator);
         network.processes.deinit(network.allocator);
     }
 
-    /// Returns the address (index into Network.busses)
+    /// Returns the address (index into Network.buses)
     pub fn init_message_bus(network: *Network, cluster: u32, process: Process) !*MessageBus {
         const raw_process = switch (process) {
             .replica => |replica| replica,
@@ -97,9 +97,9 @@ pub const Network = struct {
         const bus = try MessageBus.init(network.allocator, cluster, process, network);
 
         network.processes.appendAssumeCapacity(raw_process);
-        network.busses.appendAssumeCapacity(bus);
+        network.buses.appendAssumeCapacity(bus);
 
-        return &network.busses.items[network.busses.items.len - 1];
+        return &network.buses.items[network.buses.items.len - 1];
     }
 
     pub fn send_message(network: *Network, message: *Message, path: Path) void {
@@ -131,18 +131,15 @@ pub const Network = struct {
     }
 
     pub fn get_message_bus(network: *Network, process: Process) *MessageBus {
-        return &network.busses.items[network.process_to_address(process)];
+        return &network.buses.items[network.process_to_address(process)];
     }
 
     fn deliver_message(packet: Packet, path: PacketSimulatorPath) void {
         const network = packet.network;
 
-        const target_bus = &network.busses.items[path.target];
+        const target_bus = &network.buses.items[path.target];
 
-        const message = target_bus.get_message() orelse {
-            log.debug("deliver_message: target message bus has no free messages, dropping", .{});
-            return;
-        };
+        const message = target_bus.get_message();
         defer target_bus.unref(message);
 
         std.mem.copy(u8, message.buffer, packet.message.buffer);

package/src/tigerbeetle/src/test/state_checker.zig

@@ -8,12 +8,13 @@ const Cluster = @import("cluster.zig").Cluster;
 const Network = @import("network.zig").Network;
 const StateMachine = @import("state_machine.zig").StateMachine;
 
-const MessagePool = @import("../message_pool.zig").MessagePool;
+const message_pool = @import("../message_pool.zig");
+const MessagePool = message_pool.MessagePool;
 const Message = MessagePool.Message;
 
 const RingBuffer = @import("../ring_buffer.zig").RingBuffer;
 
-const RequestQueue = RingBuffer(u128, config.message_bus_messages_max - 1);
+const RequestQueue = RingBuffer(u128, config.client_request_queue_max);
 const StateTransitions = std.AutoHashMap(u128, u64);
 
 const log = std.log.scoped(.state_checker);

package/src/tigerbeetle/src/tigerbeetle.zig

@@ -204,12 +204,14 @@ pub const CommitTransfersResult = packed struct {
 };
 
 comptime {
-    if (builtin.target.os.tag != .linux and !builtin.target.isDarwin()) {
-        @compileError("linux or macos required for io");
+    const target = builtin.target;
+
+    if (target.os.tag != .linux and !target.isDarwin() and target.os.tag != .windows) {
+        @compileError("linux, windows or macos is required for io");
     }
 
     // We require little-endian architectures everywhere for efficient network deserialization:
-    if (builtin.target.cpu.arch.endian() != .Little) {
+    if (target.cpu.arch.endian() != .Little) {
         @compileError("big-endian systems not supported");
     }
 }

package/src/tigerbeetle/src/time.zig

@@ -1,9 +1,12 @@
 const std = @import("std");
 const builtin = @import("builtin");
-const assert = std.debug.assert;
-const is_darwin = builtin.target.isDarwin();
 const config = @import("./config.zig");
 
+const os = std.os;
+const assert = std.debug.assert;
+const is_darwin = builtin.target.os.tag.isDarwin();
+const is_windows = builtin.target.os.tag == .windows;
+
 pub const Time = struct {
     const Self = @This();
 
@@ -19,19 +22,44 @@ pub const Time = struct {
     /// system administrator manually changes the clock.
     pub fn monotonic(self: *Self) u64 {
         const m = blk: {
+            // Uses QueryPerformanceCounter() on windows due to it being the highest precision timer
+            // available while also accounting for time spent suspended by default:
+            // https://docs.microsoft.com/en-us/windows/win32/api/realtimeapiset/nf-realtimeapiset-queryunbiasedinterrupttime#remarks
+            if (is_windows) {
+                // QPF need not be globally cached either as it ends up being a load from read-only
+                // memory mapped to all processed by the kernel called KUSER_SHARED_DATA (See "QpcFrequency")
+                // https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/ntddk/ns-ntddk-kuser_shared_data
+                // https://www.geoffchappell.com/studies/windows/km/ntoskrnl/inc/api/ntexapi_x/kuser_shared_data/index.htm
+                const qpc = os.windows.QueryPerformanceCounter();
+                const qpf = os.windows.QueryPerformanceFrequency();
+
+                // 10Mhz (1 qpc tick every 100ns) is a common QPF on modern systems.
+                // We can optimize towards this by converting to ns via a single multiply.
+                // https://github.com/microsoft/STL/blob/785143a0c73f030238ef618890fd4d6ae2b3a3a0/stl/inc/chrono#L694-L701
+                const common_qpf = 10_000_000;
+                if (qpf == common_qpf) break :blk qpc * (std.time.ns_per_s / common_qpf);
+
+                // Convert qpc to nanos using fixed point to avoid expensive extra divs and overflow.
+                const scale = (std.time.ns_per_s << 32) / qpf;
+                break :blk @truncate(u64, (@as(u96, qpc) * scale) >> 32);
+            }
+
             // Uses mach_continuous_time() instead of mach_absolute_time() as it counts while suspended.
             // https://developer.apple.com/documentation/kernel/1646199-mach_continuous_time
             // https://opensource.apple.com/source/Libc/Libc-1158.1.2/gen/clock_gettime.c.auto.html
             if (is_darwin) {
                 const darwin = struct {
-                    const mach_timebase_info_t = std.os.darwin.mach_timebase_info_data;
-                    extern "c" fn mach_timebase_info(info: *mach_timebase_info_t) std.os.darwin.kern_return_t;
+                    const mach_timebase_info_t = os.darwin.mach_timebase_info_data;
+                    extern "c" fn mach_timebase_info(info: *mach_timebase_info_t) os.darwin.kern_return_t;
                     extern "c" fn mach_continuous_time() u64;
                 };
 
-                const now = darwin.mach_continuous_time();
+                // mach_timebase_info() called through libc already does global caching for us
+                // https://opensource.apple.com/source/xnu/xnu-7195.81.3/libsyscall/wrappers/mach_timebase_info.c.auto.html
                 var info: darwin.mach_timebase_info_t = undefined;
                 if (darwin.mach_timebase_info(&info) != 0) @panic("mach_timebase_info() failed");
+
+                const now = darwin.mach_continuous_time();
                 return (now * info.numer) / info.denom;
             }
 
@@ -40,8 +68,8 @@ pub const Time = struct {
             // CLOCK_BOOTTIME is the same as CLOCK_MONOTONIC but includes elapsed time during a suspend.
             // For more detail and why CLOCK_MONOTONIC_RAW is even worse than CLOCK_MONOTONIC,
             // see https://github.com/ziglang/zig/pull/933#discussion_r656021295.
-            var ts: std.os.timespec = undefined;
-            std.os.clock_gettime(std.os.CLOCK.BOOTTIME, &ts) catch @panic("CLOCK_BOOTTIME required");
+            var ts: os.timespec = undefined;
+            os.clock_gettime(os.CLOCK.BOOTTIME, &ts) catch @panic("CLOCK_BOOTTIME required");
             break :blk @intCast(u64, ts.tv_sec) * std.time.ns_per_s + @intCast(u64, ts.tv_nsec);
         };
 
@@ -54,11 +82,30 @@ pub const Time = struct {
     /// A timestamp to measure real (i.e. wall clock) time, meaningful across systems, and reboots.
     /// This clock is affected by discontinuous jumps in the system time.
     pub fn realtime(_: *Self) i64 {
-        // macos has supported clock_gettime() since 10.12:
-        // https://opensource.apple.com/source/Libc/Libc-1158.1.2/gen/clock_gettime.3.auto.html
+        if (is_windows) {
+            const kernel32 = struct {
+                extern "kernel32" fn GetSystemTimePreciseAsFileTime(
+                    lpFileTime: *os.windows.FILETIME,
+                ) callconv(os.windows.WINAPI) void;
+            };
+
+            var ft: os.windows.FILETIME = undefined;
+            kernel32.GetSystemTimePreciseAsFileTime(&ft);
+            const ft64 = (@as(u64, ft.dwHighDateTime) << 32) | ft.dwLowDateTime;
+
+            // FileTime is in units of 100 nanoseconds
+            // and uses the NTFS/Windows epoch of 1601-01-01 instead of Unix Epoch 1970-01-01.
+            const epoch_adjust = std.time.epoch.windows * (std.time.ns_per_s / 100);
+            return (@bitCast(i64, ft64) + epoch_adjust) * 100;
+        }
+
+        if (is_darwin) {
+            // macos has supported clock_gettime() since 10.12:
+            // https://opensource.apple.com/source/Libc/Libc-1158.1.2/gen/clock_gettime.3.auto.html
+        }
 
-        var ts: std.os.timespec = undefined;
-        std.os.clock_gettime(std.os.CLOCK.REALTIME, &ts) catch unreachable;
+        var ts: os.timespec = undefined;
+        os.clock_gettime(os.CLOCK.REALTIME, &ts) catch unreachable;
         return @as(i64, ts.tv_sec) * std.time.ns_per_s + ts.tv_nsec;
     }
 

package/src/tigerbeetle/src/vsr/client.zig

@@ -7,7 +7,8 @@ const vsr = @import("../vsr.zig");
 const Header = vsr.Header;
 
 const RingBuffer = @import("../ring_buffer.zig").RingBuffer;
-const Message = @import("../message_pool.zig").MessagePool.Message;
+const message_pool = @import("../message_pool.zig");
+const Message = message_pool.MessagePool.Message;
 
 const log = std.log.scoped(.client);
 
@@ -66,8 +67,7 @@ pub fn Client(comptime StateMachine: type, comptime MessageBus: type) type {
 
         /// A client is allowed at most one inflight request at a time at the protocol layer.
         /// We therefore queue any further concurrent requests made by the application layer.
-        /// We must leave one message free to receive with.
-        request_queue: RingBuffer(Request, config.message_bus_messages_max - 1) = .{},
+        request_queue: RingBuffer(Request, config.client_request_queue_max) = .{},
 
         /// The number of ticks without a reply before the client resends the inflight request.
         /// Dynamically adjusted as a function of recent request round-trip time.
@@ -188,25 +188,25 @@ pub fn Client(comptime StateMachine: type, comptime MessageBus: type) type {
                 @tagName(operation),
             });
 
+            if (self.request_queue.full()) {
+                callback(user_data, operation, error.TooManyOutstandingRequests);
+                return;
+            }
+
             const was_empty = self.request_queue.empty();
 
-            self.request_queue.push(.{
+            self.request_queue.push_assume_capacity(.{
                 .user_data = user_data,
                 .callback = callback,
                 .message = message.ref(),
-            }) catch |err| switch (err) {
-                error.NoSpaceLeft => {
-                    callback(user_data, operation, error.TooManyOutstandingRequests);
-                    return;
-                },
-            };
+            });
 
             // If the queue was empty, then there is no request inflight and we must send this one:
             if (was_empty) self.send_request_for_the_first_time(message);
         }
 
         /// Acquires a message from the message bus if one is available.
-        pub fn get_message(self: *Self) ?*Message {
+        pub fn get_message(self: *Self) *Message {
             return self.message_bus.get_message();
         }
 
@@ -383,12 +383,12 @@ pub fn Client(comptime StateMachine: type, comptime MessageBus: type) type {
         }
 
         /// The caller owns the returned message, if any, which has exactly 1 reference.
-        fn create_message_from_header(self: *Self, header: Header) ?*Message {
+        fn create_message_from_header(self: *Self, header: Header) *Message {
             assert(header.client == self.id);
             assert(header.cluster == self.cluster);
             assert(header.size == @sizeOf(Header));
 
-            const message = self.message_bus.pool.get_header_only_message() orelse return null;
+            const message = self.message_bus.pool.get_message();
             defer self.message_bus.unref(message);
 
             message.header.* = header;
@@ -402,8 +402,7 @@ pub fn Client(comptime StateMachine: type, comptime MessageBus: type) type {
         fn register(self: *Self) void {
             if (self.request_number > 0) return;
 
-            var message = self.message_bus.get_message() orelse
-                @panic("register: no message available to register a session with the cluster");
+            const message = self.message_bus.get_message();
             defer self.message_bus.unref(message);
 
             // We will set parent, context, view and checksums only when sending for the first time:
@@ -422,37 +421,24 @@ pub fn Client(comptime StateMachine: type, comptime MessageBus: type) type {
 
             assert(self.request_queue.empty());
 
-            self.request_queue.push(.{
+            self.request_queue.push_assume_capacity(.{
                 .user_data = 0,
                 .callback = undefined,
                 .message = message.ref(),
-            }) catch |err| switch (err) {
-                error.NoSpaceLeft => unreachable, // This is the first request.
-            };
+            });
 
             self.send_request_for_the_first_time(message);
         }
 
         fn send_header_to_replica(self: *Self, replica: u8, header: Header) void {
-            const message = self.create_message_from_header(header) orelse {
-                log.err("{}: no header-only message available, dropping message to replica {}", .{
-                    self.id,
-                    replica,
-                });
-                return;
-            };
+            const message = self.create_message_from_header(header);
             defer self.message_bus.unref(message);
 
             self.send_message_to_replica(replica, message);
         }
 
         fn send_header_to_replicas(self: *Self, header: Header) void {
-            const message = self.create_message_from_header(header) orelse {
-                log.err("{}: no header-only message available, dropping message to replicas", .{
-                    self.id,
-                });
-                return;
-            };
+            const message = self.create_message_from_header(header);
             defer self.message_bus.unref(message);
 
             var replica: u8 = 0;

package/src/tigerbeetle/src/vsr/clock.zig

@@ -744,7 +744,7 @@ test "fuzz test" {
     const allocator = &arena_allocator.allocator;
     const ticks_max: u64 = 1_000_000;
     const clock_count: u8 = 3;
-    const SystemTime = @import("../time.zig").Time;
+    const SystemTime = @import("../test/time.zig").Time;
     var system_time = SystemTime{};
     var seed = @intCast(u64, system_time.realtime());
     var min_sync_error: u64 = 1_000_000_000;