← Back to Blog
EN中文

Refactoring and Reflections: Cooperative Cancellation in Industrial-Grade Infrastructure

In building high-throughput, low-latency distributed systems, gracefully terminating a running complex task is often more challenging than starting it.

If a task involves network I/O, disk writes, or complex computation logic, brutally killing the thread is not only dangerous (leading to resource leaks like unclosed file handles or unreleased locks) but can also cause data inconsistency.

A certain industrial-grade distributed infrastructure library provides a "Cooperative Cancellation Token" design based on the Future/Promise mechanism. This is a classic pattern worth dissecting through clean-room reconstruction to understand its design philosophy and trade-offs.

What is Cooperative Cancellation?

"Cooperative" means that task termination is not forced externally, but actively checked and responded to by the task itself.

Think of it like a meeting. If the boss simply kills the lights (forced termination), chaos ensues—laptops stay open, water spills. The "cooperative" approach is the boss glancing at their watch and giving a nod (setting a signal). Everyone understands, packs up, and leaves orderly.

In code, this typically involves two roles:

  1. Initiator (Source): Holds the "switch" and decides when to issue a cancellation request.
  2. Executor (Token): Holds the "token" and periodically checks the token status at critical execution points (Checkpoints).

Deep Dive: Future-Based Signal Propagation

A core design highlight of this infrastructure library is: Reusing existing asynchronous infrastructure (Future/Promise) for cancellation notification.

It didn't invent a complex set of locks or condition variables specifically for cancellation logic. Instead, it leveraged the mature Promise<void> and Future<void> within its async framework.

Mechanism Breakdown

  • Source (CancellationTokenSource): Internally holds a Promise<void>. When Cancel() is called, it sets the status to ready via Promise::SetValue().
  • Token (CancellationToken): Internally holds a corresponding Future<void>.
  • Check (IsCancellationRequested): Essentially checks if this Future is already Ready.

Trade-off Analysis

This design isn't without cost. We must view it dialectically from an architectural perspective:

Pros:

  1. Unified Semantics: The cancellation operation becomes a standard asynchronous event. You can wait for a "cancellation signal" just like waiting for a network packet.
  2. Seamless Integration: Since the underlying mechanism is a Future, any combinator supporting Futures (like WaitAny, WhenAll) can naturally handle cancellation logic. For example, you can easily write WaitAny(NetworkFuture, CancellationFuture) to implement logic like "either the network request completes or the task is canceled," without writing extra polling code.

Cons:

  1. Resource Overhead: Each Token is associated with a Future shared state block. If the system has millions of tiny tasks, each allocated an independent Token, the memory overhead could be significant.
  2. Chain Complexity: If the task hierarchy is deep, efficiently deriving child Tokens (Linked Tokens) becomes a challenge.

Clean Room Reconstruction: A Rust Perspective

To demonstrate this "Source-Token Separation" and "Shared State" design pattern more purely, we perform a clean-room reconstruction using Rust.

In this demonstration, we strip away the complex Future wrappers and return to the most essential Atomic Shared State to showcase its core interaction logic.

Note: This code is a retelling and demonstration of the design pattern, not a production-grade implementation.

use std::sync::Arc;
use std::sync::atomic::{AtomicBool, Ordering};
use std::thread;
use std::time::Duration;

/// The Core of Cooperative Cancellation: Shared State
/// Source holds write access, Token holds read access
pub struct MyCancellationTokenSource {
    shared: Arc<AtomicBool>,
}

impl MyCancellationTokenSource {
    pub fn new() -> Self {
        Self {
            shared: Arc::new(AtomicBool::new(false)),
        }
    }

    /// Dispatch a read-only token to the task executor
    pub fn token(&self) -> MyCancellationToken {
        MyCancellationToken {
            shared: self.shared.clone(),
        }
    }

    /// Initiator: Press the stop button
    pub fn cancel(&self) {
        self.shared.store(true, Ordering::SeqCst);
    }
}

pub struct MyCancellationToken {
    shared: Arc<AtomicBool>, // Shared atomic boolean
}

impl MyCancellationToken {
    /// Task Executor: Non-blocking check
    pub fn is_cancellation_requested(&self) -> bool {
        self.shared.load(Ordering::SeqCst)
    }

    /// Task Executor: Simulate semantics of "throw exception/error if cancelled"
    pub fn check(&self) -> Result<(), String> {
        if self.is_cancellation_requested() {
            Err("Operation cancelled".to_string())
        } else {
            Ok(())
        }
    }
}

fn main() {
    let source = MyCancellationTokenSource::new();
    let token = source.token();

    println!("[Main] Starting worker thread...");
    let handle = thread::spawn(move || {
        for i in 0..10 {
            // Key Point: Cooperative Check
            // The task must actively ask "Do I need to continue?" at appropriate times
            if let Err(e) = token.check() {
                println!("[Worker] Detected cancellation: {}", e);
                return;
            }
            
            println!("[Worker] Processing step {}...", i);
            thread::sleep(Duration::from_millis(200));
        }
        println!("[Worker] Task completed successfully.");
    });

    // Simulate running for a while then cancelling
    thread::sleep(Duration::from_millis(700));
    println!("[Main] Requesting cancellation...");
    source.cancel();

    handle.join().unwrap();
    println!("[Main] Program exited.");
}

Code Interpretation

  1. Ownership Separation: MyCancellationTokenSource is responsible for producing Tokens and modifying state; MyCancellationToken only reads the state. This design adheres to the "Single Responsibility Principle," preventing task executors from accidentally modifying the cancellation state.
  2. Atomicity Guarantee: Using AtomicBool with Ordering::SeqCst (Sequential Consistency) ensures visibility in multi-threaded environments. In real industrial-grade libraries, this is often optimized with Memory Barriers or lighter atomic operations (like Relaxed with specific synchronization points) for performance.
  3. Check Semantics: The check() method in the demo simulates the ThrowIfCancellationRequested() behavior in the original library. In Rust, we use Result instead of exceptions, which aligns better with Rust's explicit error handling philosophy.

Conclusion

Cooperative cancellation is a cornerstone for building robust distributed systems. A certain industrial-grade infrastructure library elegantly solved the problem of cancellation signal propagation and composition by reusing the Future mechanism.

Through the Rust reconstruction, we clearly see the core idea behind it: Unidirectional Signal Flow based on Shared State.

In practical engineering, we don't need to reinvent the wheel, but understanding the "cooperative" essence and the cost of "polling checks" when using these mechanisms helps us write more elegant and efficient concurrent code.