STORM-2359: Add progress-based tuple timeout (topology.message.progress.timeout.secs)

[Gowtham-Gowts]

Summary

Adds topology.message.progress.timeout.secs — an opt-in config that changes
tuple expiry from wall-clock-since-emit to time-since-last-bolt-progress.

When set, a tuple tree is only expired if no bolt has acked any tuple in the
tree for N seconds. Tuple trees actively being processed (even if queued under
backpressure) are rescued from RotatingMap rotation as long as forward progress
is being made.

topology.message.timeout.secs remains the hard upper-bound, unchanged.

Motivation

Raised on dev@ (June 2026):
https://lists.apache.org/thread/tjcso52j1tjk6d344vjfmkd9ngy6k2rb

Users face an inherent tradeoff:

• Short timeout → orphans reclaimed quickly, but live tuples fail under backpressure
• Long timeout → backpressure-safe, but orphan reclamation is slow after worker failure

This config dissolves that tradeoff. Discussed with rzo1 on the issue tracker:
#6141

Changes

File	Change
Config.java	New TOPOLOGY_MESSAGE_PROGRESS_TIMEOUT_SECS constant
Acker.java	lastProgressTime in AckObject; rescueRecentlyActiveEntries()
RotatingMap.java	peekOldestBucket() package-private method
Executor.java	WARN log for STORM-3514 dangerous config combo
AckerProgressTimeoutTest.java	5 new unit tests
RotatingMapPeekTest.java	6 new unit tests
conf/defaults.yaml	null default entry with comment
docs/Guaranteeing-message-processing.md	New section

Backward Compatibility

• Off by default — topology.message.progress.timeout.secs is null.
  Zero behavior change for all existing topologies.
• No Thrift IDL changes
• No new stream IDs
• No bolt or spout API changes
• Memory cost: +8 bytes per in-flight tuple tree (one long field)

Related Issues

• STORM-2359: [STORM-2359] Revising Message Timeouts #6141
• STORM-3314: [STORM-3314] Acker redesign #7096
• STORM-3514: [STORM-3514] "topology.enable.message.timeouts: false" has no effect on ackers #7296

[rzo1]

@GGraziadei would appreciate your look for a review here too. Thx.

[GGraziadei]

Hi @Gowtham-Gowts,
I went through the change carefully and also exercised it on a LocalCluster. My conclusion is that, as currntly wired, the feature does not change the tuple fate: a tuple making continuous progress is still failed at the wall-clock topology.message.timeout.secs.

I think the design needs one more piece to actually work, and the scope should be stated more narrowly.
Message timeouts are not enforced by the acker's pending map, they are enforced on the spout
side.

• SpoutExecutor holds its own RotatingMap pending (2 buckets, this foundamental)
• The acker's pending map is created with no callback; when it evicts a tree it simply drops the XOR state to free memory. It never fails and never signals the spout.

So re-inserting an entry into the acker's own map has no effect on whether the spout fails the
tuple. The spout independently times out at message.timeout.secs and replays. The only mechanism
that extends the spout's timer is ACKER_RESET_TIMEOUT_STREAM_ID.
This PR never emits it.

A second, structural reason the rescue can't bite today: both maps are ticked at
message.timeout.secs (StormCommon.java L267 for the acker, L282 for the spout), but the acker
has 3 buckets, and the spout has 2: The spout always fails before the acker would ever evict.

The acker's extra bucket is already the safety margin that guarantees the acker doesn't forget a tree, the spout still tracks, so the rescue extends retention of trees the spout has, by then, already abandoned.

Original STORM-2359 design

https://issues.apache.org/jira/browse/STORM-2359 (there are lots of attachments)
This is worth aligning with, since the issue history covers exactly this ground. In the 2017/2019
discussion, @srdo prototyped "reinserting tuples in the acker's pending upon acks" (this PR's
rescue) and reported no throughput regression, so the primitive is sound. But the full design moved
the timeout into the acker and added a periodic spout acker sync (anchor-id diff) so the
spout could still detect loss; the acker-internal reset alone was understood not to reach the spout's
pending. The work was abandoned due to performance (critical-path tracking, memory) and the
sync-protocol complexity, i.e. precisely the parts this PR omits.

@rzo1, this looks like an architectural block rather than a bug fix. The rescue mechanism can't reach the spout's pending map as currently wired. Please let me know your thoughts on how to align this with the broader design or the previous STORM-2359 findings/discussion.

[rzo1]

Please let me know your thoughts on how to align this with the broader design or the previous STORM-2359 findings/discussion.

I would suppose that there was no bigger discussion rather a question if this can be picked up again. Sometimes it is just better to discuss on a PR proposal instead of an issue, so you actually can see the intention of a change. I am open to re-start the discussion regarding architecture (which would be most likely sth related to a 4.x or sth.)

Didn't had a look at the PR yet (since busy with other stuff recently), but I would trust your judgement here ;-)

[srdo]

Hi. Not to involve myself too much in the current design discussion, but I just wanted to add a bit of context that is missing from the original ticket, so you don't draw the wrong conclusions from the discussion we had there :)

As a reminder, here is the original design:

The idea is to track the anchor ids of each non-system message that enters an executor in/out queue. For the inbound queue, the anchor is no longer in progress when the associated tuple is acked or failed. For the outbound queue (pendingEmits in the Executor), the anchor is no longer in progress when the associated tuple gets flushed from pendingEmits.

Occasionally a thread will check the set of in-progress anchors for the worker and send reset messages for all of them to the relevant ackers. In order to avoid sending too many messages, this thread snapshots the anchor set when it runs, and only sends reset messages for anchors that have been in progress sufficiently long in that worker.

Since there may be more than one tuple per anchor, anchors are tracked as a count in a multiset, rather than just presence in a set.

The concern at the time was that adding this tracking of anchor ids would be too expensive. The reason we needed it was that the executor in/out queues did not support looking at the queue contents from the resetter thread, so we needed separate tracking of the anchors, because the resetter thread would be unable to look at the contents of those queues directly.

The reason it was abandoned was partially that I lost interest, and partially that there was a side discussion going on regarding redesigning the acking infrastructure entirely in https://issues.apache.org/jira/browse/STORM-3314, which would have required an alternative approach.

That side discussion was abandoned later though.

Support for looking at the executor queues was added to JCTools later, in JCTools/JCTools#229. Ignore the title, the change is actually adding iterator support, not an unorderedSnapshot method. With those changes, it's possible the original design could be tractable now.