[Store] Add hard pin mechanism for eviction-protected objects

[he-yufeng]

RFC: #1645
Related: #1621

Implements the Hard Pin feature (P0 scope from the RFC) — objects created with ReplicateConfig.with_hard_pin = true are guaranteed to never be evicted by BatchEvict().

This is the companion to PR #1662 which covers Upsert. Hard Pin is independent and doesn't conflict with those changes.

What changed

replica.h — ReplicateConfig gains a with_hard_pin bool (default false).

master_service.h — ObjectMetadata gets a hard_pinned field set at creation time. Added IsHardPinned() accessor. MetadataAccessorRW::Create forwards the flag.

master_service.cpp:

• PutStart: passes config.with_hard_pin through to ObjectMetadata constructor
• BatchEvict: hard-pinned objects are skipped in all 4 eviction loops (first pass candidate collection, first pass eviction, second pass A, second pass B)
• SerializeMetadata: appends hard_pinned bool to the serialized array
• DeserializeMetadata: reads hard_pinned if present, defaults to false for old snapshots

Tests — 3 new test cases:

• HardPinObjectNotEvicted: fills memory, waits for lease expiry + eviction, confirms hard-pinned object survives. Also verifies explicit Remove() still works.
• HardPinWithSoftPinEvictionOrder: mixed hard pin + soft pin + normal objects under pressure — hard-pinned object always survives.
• HardPinDefaultIsFalse: sanity check that the default path is unaffected.

Design decisions

• Boolean, not timeout — model weights need indefinite protection. A timeout-based approach is the exact anti-pattern we're replacing (per RFC discussion).
• Backward compatible serialization — old snapshots without the hard_pinned field deserialize correctly (defaults to false). New snapshots include it as an extra array element.
• Remove still works — hard pin only protects against automatic eviction. Explicit Remove() is unaffected, matching the RFC's design intent.

Module

• Mooncake Store (mooncake-store)

Type of Change

• New feature

Checklist

• I have performed a self-review of my own code.
• I have formatted my own code using ./scripts/code_format.sh before submitting.
• I have updated the documentation.
• I have added tests to prove my changes are effective.

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request implements a critical 'hard pin' feature for the Mooncake Store, allowing specific objects to be permanently protected from automatic eviction. This enhancement ensures the stability of essential data, such as model weights, by preventing their removal during memory pressure, thereby improving the reliability and predictability of the store's behavior. The changes are carefully integrated to maintain compatibility and are thoroughly tested.

Highlights

• Hard Pin Mechanism: Introduced a 'hard pin' mechanism that prevents objects from being automatically evicted by the BatchEvict() process. Objects created with ReplicateConfig.with_hard_pin = true are guaranteed to persist in memory.
• Object Metadata Extension: The ObjectMetadata structure now includes a hard_pinned boolean field and an IsHardPinned() accessor to track the pin status of an object.
• Eviction Logic Update: Modified the BatchEvict function to explicitly skip any objects marked as hard-pinned across all eviction passes, ensuring they are never removed due to memory pressure.
• Serialization Backward Compatibility: Updated metadata serialization and deserialization to include the new hard_pinned flag while maintaining backward compatibility with older snapshots that do not contain this field.
• Comprehensive Testing: Added three new test cases to validate the hard pin functionality, covering scenarios like hard-pinned objects surviving eviction, interaction with soft-pinned objects, and default behavior.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request successfully implements the hard-pin mechanism for eviction-protected objects, aligning with the RFC's P0 scope. The changes are well-integrated across the ReplicateConfig structure, ObjectMetadata class, and the MasterService's eviction and serialization logic. Backward compatibility for deserialization is correctly handled, and the addition of comprehensive test cases ensures the new functionality behaves as expected. The overall implementation is robust and addresses the design goals effectively.

[gemini-code-assist]

The comment for array_size calculation could be made clearer. Currently, it lists replicas_count + hard_pinned, which might be misinterpreted as hard_pinned being added to replicas_count. It would be more precise to list hard_pinned as a separate fixed field, making it clear that 8 is the base count of fixed fields before adding the variable replicas_count.

Suggested change

	size_t array_size = 8; // client_id, put_start_time, size, lease_timeout,
	// has_soft_pin_timeout, soft_pin_timeout,
	// replicas_count + hard_pinned
	size_t array_size = 8; // client_id, put_start_time, size, lease_timeout,
	// has_soft_pin_timeout, soft_pin_timeout,
	// replicas_count, hard_pinned

[codecov-commenter]

⚠️ Please install the to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

❌ Patch coverage is 96.03175% with 5 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
mooncake-store/include/master_service.h	50.00%	2 Missing ⚠️
mooncake-store/src/master_service.cpp	89.47%	2 Missing ⚠️
mooncake-store/include/replica.h	0.00%	1 Missing ⚠️

📢 Thoughts on this report? Let us know!

[Copilot]

Pull request overview

Adds Hard Pin support to Mooncake Store so objects created with ReplicateConfig.with_hard_pin=true are never evicted by MasterService::BatchEvict(), and persists this state via snapshot serialization.

Changes:

• Extend ReplicateConfig and ObjectMetadata with a hard-pin boolean, and thread it through object creation (PutStart / MetadataAccessorRW::Create).
• Update BatchEvict() to skip hard-pinned objects across all eviction passes.
• Persist/restore hard_pinned in msgpack metadata serialization, and add unit tests covering eviction behavior.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 5 comments.

File	Description
mooncake-store/include/replica.h	Adds with_hard_pin to replication config and logs it in operator<<.
mooncake-store/include/master_service.h	Stores hard-pin state in ObjectMetadata and exposes IsHardPinned().
mooncake-store/src/master_service.cpp	Threads hard-pin through PutStart, skips hard-pinned objects during eviction, and appends hard-pin to metadata serialization.
mooncake-store/tests/master_service_test.cpp	Adds tests intended to validate hard-pin eviction behavior and defaults.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

DeserializeMetadata() correctly parses the optional hard_pinned flag and passes it into the temporary ObjectMetadata instance, but the restore path in DeserializeShard() reconstructs shard metadata by emplacing a new ObjectMetadata from metadata_ptr without forwarding hard_pinned, so hard-pinned objects will come back as not hard pinned after restoring a snapshot. Please ensure the shard-level reconstruction preserves hard_pinned (either pass it into the constructor or set the field under lock after emplace).

[Copilot]

SerializeMetadata() packs metadata.hard_pinned directly, but hard_pinned is annotated GUARDED_BY(lock). This introduces a new unguarded access to a guarded field. Either read it via IsHardPinned() / SpinLocker (ideally snapshot the guarded fields once under the lock and then pack), or make hard_pinned immutable (e.g., const bool) so it doesn’t need the per-object lock.

Suggested change

	packer.pack(metadata.hard_pinned);
	packer.pack(metadata.IsHardPinned());

[stmatengss]

Consider this comment

[stmatengss]

Use IsHardPinned instead?

[he-yufeng]

Removed the comment, and switched to IsHardPinned() as you suggested.

[he-yufeng]

Done — also caught another direct access in DeserializeShard (L3495) and fixed that too.

[Copilot]

This test doesn’t currently demonstrate “lease expiry + eviction under memory pressure”: PutEnd() sets the initial lease to 0 (expired immediately), and the test never grants a lease (via GetReplicaList/ExistKey) before sleeping. Also, the test never asserts that eviction actually happened (e.g., that at least one non-pinned filler key was evicted). Consider explicitly granting leases to the non-pinned objects, waiting for expiry, and asserting that some filler keys are gone while the hard-pinned key remains.

[Copilot]

Despite the name/comment (“eviction priority”), this test only asserts that the hard-pinned key exists; it doesn’t verify that eviction occurred or that non-pinned keys are evicted before soft-pinned keys (or that soft-pinned keys are evicted when allowed). To make the test meaningful, add assertions that some normal_* keys disappear after eviction, and (if you want to validate ordering) that soft_pinned survives the first-pass eviction and is only evicted in the soft-pin-allowed pass under pressure.

[Copilot]

hard_pinned is set only at creation time and never mutated elsewhere (no assignments beyond the constructor). Keeping it GUARDED_BY(lock) forces IsHardPinned() to take the spinlock on every eviction scan. Consider making hard_pinned immutable (e.g., const bool) and not guarded, so eviction and serialization can read it without lock overhead and without thread-safety annotation violations.

Suggested change

	SpinLocker locker(&lock);
	return hard_pinned;
	}
	return hard_pinned;
	}

[stmatengss]

Please update docs as well and fix master_service.cpp L3565. others LGTM

[he-yufeng]

Updated — added Hard Pin section to mooncake-store.md docs (after Soft Pin) and updated both ReplicateConfig struct references. Also fixed L3565 and another direct access in DeserializeShard.

[stmatengss]

Could we avoid hardcoding here? Use size_t array_size = sizeof(struct xxx) + sizeof(struct xxx)