fix(prefill-router): persist endpoint after handshake so decode rebuild reactivates

[yifjiang]

Summary

Fixes a routing-chain stall in the disaggregated frontend that turns transient decode-pod restarts into permanent inference outages. After all decode pods in a namespace briefly disappear (canary livenessProbe kills two replicas in quick succession, or a manual rollout), every subsequent inference request returns:

HTTP 500 ValueError: Disaggregated params are required for decode mode

…until the frontend pod itself is restarted. Pods stay 1/1 Running, prefill workers are clean, but routing has degenerated to aggregated mode (bare requests forwarded to decode workers) and stays that way.

The PR also addresses a corner case discovered during fix iteration: decode registers before prefill, then is removed before prefill ever arrives — leaving a stale DecodeWaiting entry that orphans the next decode rebuild.

Two patterns, both fixed

Pattern 1 — decode-rebuild stall after handshake completes

decode registers → prefill registers → handshake completes (map empty)
→ all decode pods removed (canary kills both, or kubectl delete)
→ new decode pods register → rebuild's PrefillRouter stalls in DecodeWaiting forever

Post-handshake the activator map was empty, so the rebuild's register_prefill_router fell into the None branch, created a fresh DecodeWaiting(tx), and waited forever (prefill workers hadn't changed; nobody calls activate_prefill_router again). PrefillRouter::generate falls back to aggregated mode and forwards bare requests to decode → trtllm 500s, vllm/sglang silent agg-mode degradation.

Pattern 2 — stale DecodeWaiting after decode-first race

decode registers first → activator stores DecodeWaiting(sender)
→ decode WorkerSet removed before prefill ever arrives
→ activator state preserved on decode teardown (good for Pattern 1's PrefillReady cache)
  …but DecodeWaiting's receiver is now dead (held by the dropped PrefillRouter)
→ new decode pod registers → register_prefill_router sees stale DecodeWaiting → returns None
→ rebuilt WorkerSet has no PrefillRouter

How to reproduce

Both patterns can be exercised on a single Kubernetes namespace running 1 prefill + 1–2 decode workers + a frontend. No special engine config required.

Pattern 1 reproducer (decode-rebuild stall)

Setup: 1P + 2D + canary livenessProbe wired to /health. Required env on each worker: DYN_HEALTH_CHECK_ENABLED=true, DYN_CANARY_WAIT_TIME=10, DYN_HEALTH_CHECK_REQUEST_TIMEOUT=3, plus livenessProbe: {httpGet: {path: /health, port: system}, failureThreshold: 6, periodSeconds: 10}. Apply the DGD and wait for all 4 pods Ready, then 60 s for worker discovery to settle.

# Pre-trigger sanity probe
curl -X POST http://<frontend>/v1/chat/completions -d '{...}'    # → HTTP 200

# Trigger: kubectl-delete BOTH decodes simultaneously
kubectl delete pod decodeworker-0 decodeworker-1 --grace-period=0 --force

# Wait ~2 min for replacement decodes to be Ready, then probe again:
curl -X POST http://<frontend>/v1/chat/completions -d '{...}'
# without fix: HTTP 500 ValueError: Disaggregated params are required for decode mode
# with fix:    HTTP 200 ✓

In production this trigger fires when the canary livenessProbe kills both decode replicas in close succession (we observed ~1.5 min apart on a real incident), bringing the namespace's decode count to 0 briefly.

Pattern 2 reproducer (decode-first race / stale DecodeWaiting)

Setup: 1P + 1D + frontend. Make the PREFILL image temporarily invalid (e.g., nvcr.io/.../dynamo-trtllm:DOESNOTEXIST) so it never registers; decode + frontend images are real. Apply the DGD and wait for frontend + decode Ready (prefill stays in ImagePullBackOff). The activator now holds DecodeWaiting — decode arrived first, is waiting for prefill to register.

# Trigger: kubectl-delete the decode pod while still DecodeWaiting
kubectl delete pod decodeworker-0 --grace-period=0 --force

# Wait for replacement decode Ready. Now patch the prefill image to valid:
kubectl patch dgd <name> --type=json -p \
  '[{"op":"replace","path":"/spec/services/PrefillWorker/extraPodSpec/mainContainer/image","value":"nvcr.io/.../dynamo-trtllm:<real-tag>"}]'

# Wait for prefill Ready, then probe:
curl -X POST http://<frontend>/v1/chat/completions -d '{...}'
# without fix: HTTP 500 ValueError: Disaggregated params are required for decode mode
# with fix:    HTTP 200 ✓

Frontend log signatures

State	Cold-start handshake	After teardown	Recovery
Without fix (P1)	Activated prefill router + Activating prefill router	Removed WorkerSet (no remaining instances in namespace)	(silent — no second Activating prefill router ever)
With fix (P1)	same	same	Activating prefill router + Prefill router activated successfully (cache hand-off)
Without fix (P2)	No prefill endpoint for namespace yet, storing sender	Removed WorkerSet	ERROR Decode WorkerSet already registered for this prefill router — rebuilt WorkerSet has no PrefillRouter
With fix (P2)	same	Removed stale DecodeWaiting activator on decode WorkerSet teardown (debug)	second Activating prefill router after prefill arrives

Fix (8 commits)

Commit	What
cde9b578a6	activate_prefill_router DecodeWaiting branch: persist PrefillReady after waking the original receiver
ec33872bdb	watcher: scope remove_prefill_activator to prefill-component teardown only
07142a7d6a	refactor PrefillReady(oneshot::Receiver<Endpoint>) → PrefillReady(Endpoint); consumer hands out fresh receiver synthesized from cache and re-inserts atomically
d4088241c0	PrefillReady(Endpoint) → PrefillReady(Box<Endpoint>) for clippy::large_enum_variant
3bc7891aff	cargo fmt for boxed inserts
ef1dadcdf5	add remove_decode_prefill_waiter helper + watcher decode-teardown call — Pattern 2 fix
47b6f0b91c	refactor both functions to Entry API for atomic per-key state transitions; ungate decode-waiter cleanup on removed.is_some() (addresses dynamo-ops review)
96ecac2204	cargo fmt for entry-API refactor

State-machine invariants are now unambiguous:

• DecodeWaiting(sender) = a live decode router is waiting on the receiver — cleared on decode teardown
• PrefillReady(Box<Endpoint>) = a prefill endpoint is cached for future decode rebuilds — cleared only on prefill teardown

Verification

End-to-end verified on head-tot-rc13-pr8965-2026-05-02-x86-b200:

#	Reproducer	Result
1	burst-sweep, canary OFF	3/3 RECOVERY at T+30 / 90 / 120 s ✅
2	multi-decode restart (Pattern 1)	10 / 10 ✅
3	decode-first race (Pattern 2)	5 / 5 ✅
4	burst-sweep, canary ON	3/3 RECOVERY at T+60 / 120 / 180 s ✅

Without these fixes, Patterns 1 and 2 produce 100% HTTP 500 Disaggregated params required for decode mode (trtllm) or silent agg-mode degradation (vllm/sglang). The latest two commits (entry-API atomicity + ungated cleanup) are logic-equivalent to the prior verified head; re-verification on a fresh image build pending.

Test plan

• Manual reproduction on a real Kubernetes cluster across all four reproducers — confirms each fires before the fix and recovers after.
• Unit test for the new PrefillReady-branch refresh-and-reactivate behavior. Currently blocked on the existing test-mod note ("activate_prefill_router requires an Endpoint, so we test the registration state machine and cleanup only" — model_manager.rs:1094-1095). A small #[cfg(test)] shim that constructs a stub Endpoint would unblock this.
• Integration test in tests/fault_tolerance/ mirroring test_canary_rank_pause.py: spin up a real engine + decode worker, kill the decode rank, wait for restart, send an inference request, assert it returns 200.
• Run with --enforce-disagg to confirm the existing strict-mode error path still fires correctly when prefill is actually gone (this PR shouldn't change that).

Related

The rebuild trigger pattern was first observed in production with head-tot-rc13-pr13495 on the GB200 NVCF disagg shadow function: canary livenessProbe killed both decode replicas within ~1.5 minutes of each other, bringing the namespace's decode count to 0 briefly. After the new pods came up healthy, every subsequent request hit this bug for the next 75 minutes until the function was redeployed via NVCF version cutover.

Pre-fix mitigations (without kubectl access in NVCF): raise DYN_HEALTH_CHECK_REQUEST_TIMEOUT above prefill P99 (≥ 130 s for the prod 480B), or drop the canary livenessProbe entirely. Both remove the trigger but don't fix the underlying state-machine gap.

🤖 Generated with Claude Code

Summary by CodeRabbit

• Refactor
  • Optimized internal routing state machine to improve endpoint caching efficiency and reduce unnecessary re-registrations during system operations.
  • Enhanced worker set deletion cleanup logic to ensure more precise resource management and system stability.

[github-actions]

🌿 Fern Docs Preview: https://nvidia-preview-81d7f35c-99c9-4cb0-a5c9-2c8140580363.docs.buildwithfern.com/dynamo/dev

[coderabbitai]

Walkthrough

Refactors the prefill/decode rendezvous state machine from storing oneshot::Receiver to caching actual Endpoint objects. Updates deletion cleanup logic to distinguish whether a WorkerSet was removed and whether the removed component is the PREFILL component, applying cache clearing only when appropriate.

Changes

Cohort / File(s)	Summary
State Machine Refactoring lib/llm/src/discovery/model_manager.rs	Refactors prefill/decode rendezvous from storing oneshot::Receiver to caching Endpoint objects. register_prefill_router now creates fresh oneshot channels on cache hits and reinserts cached endpoints. activate_prefill_router caches endpoints after DecodeWaiting handshake and refreshes cached endpoint with potential deactivated decode-side reactivation. Removes oneshot sender/channel plumbing in non-cached paths.
Cleanup Logic Refinement lib/llm/src/discovery/watcher.rs	Updates deletion cleanup to distinguish whether a WorkerSet was actually removed and whether the removed component is PREFILL. Activator cache is now cleared only when both conditions are met (deletion occurred and component supports prefill), while preserving decode-side deactivation behavior.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~40 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'fix(prefill-router): persist endpoint after handshake so decode rebuild reactivates' accurately summarizes the main change: persisting the prefill endpoint after handshake to enable decode rebuild reactivation, directly addressing the core fix for the routing-chain stall.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description check	✅ Passed	The PR description is comprehensive and follows the template structure with all required sections: Overview (Summary), Details (detailed pattern analysis, reproducers, fix breakdown, verification), and Related Issues references. It includes root cause, reproduction steps, verification results, and a thorough test plan.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@lib/llm/src/discovery/model_manager.rs`:
- Around line 49-56: The PrefillActivationState enum's PrefillReady(Endpoint)
variant must be boxed to satisfy clippy::large_enum_variant; change it to
PrefillReady(Box<Endpoint>) in the enum definition (PrefillActivationState) and
update all places that construct or pattern-match it: when destructuring
PrefillReady(endpoint) dereference the box (e.g., *endpoint) to access Endpoint,
when sending or cloning use (*endpoint).clone() or clone the inner value, and
when constructing PrefillReady wrap the endpoint with Box::new(...) (e.g.,
PrefillReady(Box::new(endpoint.clone()))). Ensure every usage site that
previously assumed owning Endpoint is adjusted to handle Box<Endpoint>.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: b96ab0fc-15c7-4fd0-b6ad-b5c3d592177f

📥 Commits

Reviewing files that changed from the base of the PR and between 67dc080 and 07142a7.

📒 Files selected for processing (2)

• lib/llm/src/discovery/model_manager.rs
• lib/llm/src/discovery/watcher.rs

[PeaBrane]

LGTM. The state-machine change looks right to me: the initial decode-first and prefill-first rendezvous paths still work, and keeping the prefill endpoint cached across decode WorkerSet rebuilds addresses the stall without adding request-path overhead.

One follow-up I’d like to see, if practical: a regression/integration test for decode-first activation followed by a decode WorkerSet rebuild while prefill stays alive, asserting that the rebuilt decode side activates immediately from the cached PrefillReady endpoint. The new DecodeWaiting cleanup tests cover one half of the lifecycle; this would lock down the core behavior this PR is fixing.