impl(bigtable): add a generic RateLimiter

[dbolduc]

Part of the work for #12959

Add a generic interface for rate limiting. Put it in bigtable, because that is the only place it is needed for now. We can always move it to common if the need arises.

We do not include any Bigtable specific logic (e.g. how to update the rate given a response) in this interface. We will add another class for that later.

---

This change is 

[codecov]

Codecov Report

Attention: 1 lines in your changes are missing coverage. Please review.

Comparison is base (4028827) 92.99% compared to head (094d05b) 92.99%.

Additional details and impacted files

@@           Coverage Diff            @@
##             main   #13060    +/-   ##
========================================
  Coverage   92.99%   92.99%            
========================================
  Files        2128     2131     +3     
  Lines      185258   185383   +125     
========================================
+ Hits       172272   172397   +125     
  Misses      12986    12986            

Files	Coverage Δ
google/cloud/bigtable/internal/rate_limiter.cc	100.00% <100.00%> (ø)
google/cloud/bigtable/internal/rate_limiter.h	100.00% <100.00%> (ø)
...oogle/cloud/bigtable/internal/rate_limiter_test.cc	99.01% <99.01%> (ø)

... and 6 files with indirect coverage changes

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[devbww]

Why shared_ptr?

[dbolduc]

I was copying

google-cloud-cpp/google/cloud/spanner/internal/session.h

Line 40 in 09cfff7

std::shared_ptr<Clock> clock = std::make_shared<Clock>())

I think part of the reason is that our FakeClock has a std::mutex in it.

google-cloud-cpp/google/cloud/testing_util/fake_clock.h

Line 59 in 09cfff7

mutable std::mutex mu_;

[devbww]

I think the issue there is the way the Session constructor defaults clock. You don't have that problem, and so could take Clock* clock with a lifetime caveat. Tests should all have a single clock that lasts the lifetime of the test, and non-tests should have a single, global-extent clock, period. No need for shared ownership in either case.

[dbolduc]

Hm I think I would rather avoid the caveats and leave it as a shared_ptr.

[devbww]

s/**/*/

[dbolduc]

why?

I know /** is a doxygen / javadoc thing. I find it simpler to write comments the same way for public and private APIs.

[devbww]

Why? Because it is better to be intentional than to act by default. And, it is better to make things easier to read than to write. But, your choice.

[dbolduc]

I think we use /** more often than /* for internal documentation. I am not going to change these.

it is better to make things easier to read than to write

Agreed. Don't think it applies here.

[coryan]

I would start with something like:

The caller needs to acquire a "permit" to perform the operation under rate limits. This class limits the number of
permits issued per period of time, effectively limiting the operation rate.
The caller may acquire more than one permit at a time, if it needs to perform a burst of the operation under rate limit.
More permits become available as time passes, with some maximum to limit the size of bursts.

I think "token" or "credit" is a more common name than "permit", but is not like any of the three is universally accepted.

You may want to quote: https://en.wikipedia.org/wiki/Flow_control_(data)#Open-loop_flow_control or whatever ATM networks called their flow control mechanism.

[dbolduc]

I would start with something like:

Thanks, it is what I was trying to say, but clearer.

or whatever ATM networks called their flow control mechanism.

Why do you know these things?

[coryan]

This seems like a dangerous function. Do you really need it? If not, consider it removing it.

Consider a different name, maybe set_future_period().

[dbolduc]

Do you really need it?

Yeah, I really need it. I need to be able to change the rate on the fly as the server tells me to speed up / slow down.

Consider a different name

meh

[coryan]

s/Inc.LLC/

[dbolduc]

Fixed in the three files.

[coryan]

Some comments have periods, others don't.

[dbolduc]

Fixed by only having one comment.

[coryan]

Suggested change

	if (next_ <= now) {
	if (next_ > now) {
	auto wait = next_ - now;
	next_ += permits * period_;
	return wait;
	}

[dbolduc]

moot now, but if (next > now) was the simpler of the branches. Thanks.

[coryan]

Maybe this should return the actual number of permits granted and the sleep time? Right now it assumes the caller is using the class correctly, without opportunity for early wake ups from a sleep.

[dbolduc]

Maybe this should return the actual number of permits granted and the sleep time?

I do not know what you mean. This class always grants all of the permits it is asked for.

I think you are saying: return how many of the requested permits can be granted immediately?

I don't want to do that. If the caller can split up the work, they should split up the calls to acquire().

Right now it assumes the caller is using the class correctly

Yeah.

[devbww]

s/>/>=/

[You might also consider just using the absolute value.]

[dbolduc]

Let's go with absolute value.

[devbww]

Now consider s/permits/cycles/ (which I like) or s/permits/tokens/ (which may be more familiar).

[dbolduc]

We are going with "tokens".

[devbww]

Why? Because it is better to be intentional than to act by default. And, it is better to make things easier to read than to write. But, your choice.

[devbww]

Why not accept the same period types as the constructor? (Or, alternatively, why not restrict the constructor type to Clock::duration? And if you do that, move this implementation to the .cc file.)

[dbolduc]

Fixed, thanks.

why not restrict the constructor type to Clock::duration?

1. I'd rather duration_cast than make any assumptions about Clock::duration
2. I'd rather do the duration_cast in this class, than have the caller do it.

[devbww]

It seems strange that these cases are so different, when you'd like to think that next_ == now could go either way and have the same effect.

Consider accounting for stored_permits_ within next_ (e.g., (stored_permits_ == 1, next_ == t) => (next_ == t - period_). Then, perhaps, all these distinctions disappear.

[dbolduc]

I am frankly embarrassed by how much simpler the code is. Thanks for the help.

[devbww]

I think the issue there is the way the Session constructor defaults clock. You don't have that problem, and so could take Clock* clock with a lifetime caveat. Tests should all have a single clock that lasts the lifetime of the test, and non-tests should have a single, global-extent clock, period. No need for shared ownership in either case.

[devbww]

I entered this comment before, but I don't see it now, so I must have done something wrong. Sorry if it shows up twice.

It looks like you could do some strength reduction by storing max_stored_tokens * period instead of max_stored_tokens_ by itself.

[dbolduc]

Done.

Changed the interface to accept the "smoothing interval". This seems nicer than storing some volume that must be updated every time we change the rate. (I am open to other names).

Changed the implementation to start with an empty bank. (This made the tests nicer. I don't think it's a big deal either way).