upstream: coalesce load balancer rebuilds during batch host updates#43346
Merged
Conversation
wdauchy
force-pushed
the
eds_batch
branch
9 times, most recently
from
10ac01a to
ca9dd67
Compare
wdauchy
force-pushed
the
eds_batch
branch
2 times, most recently
from
bdd832d to
d894e3d
Compare
During EDS batch updates that modify multiple priorities, all load balancers in the inheritance chain (LoadBalancerBase, ZoneAwareLoadBalancerBase, EdfLoadBalancerBase) do expensive per-priority work for every individual priority update via PriorityUpdateCb. This includes: - LoadBalancerBase: recalculating per-priority health state and panic mode - ZoneAwareLoadBalancerBase: rebuilding locality-weighted routing structures - EdfLoadBalancerBase: rebuilding EDF schedulers at O(n log n) per HostsSource For clusters with ~5k endpoints undergoing bulk IP changes during rollouts, this causes significant CPU spikes on the main thread as each priority update triggers redundant recalculations across the full LB stack. The fix leverages the existing MemberUpdateCb which fires once after the entire batch completes (unlike PriorityUpdateCb which fires per priority). Instead of doing work immediately in PriorityUpdateCb, each LB level now marks the priority as dirty. The actual work happens in MemberUpdateCb, coalescing all dirty priorities into a single pass. Signed-off-by: William Dauchy <william.dauchy@datadoghq.com>
wdauchy
changed the title
wdauchy
requested review from
nezdolik,
tonya11en and
wbpcode
as code owners
Member
|
Hi @nezdolik, could we borrow some your EDS expertise for this PR's review as well? Thanks! |
Contributor
Author
|
/retest transients |
4 similar comments
Contributor
Author
|
/retest transients |
Contributor
Author
|
/retest transients |
Contributor
Author
|
/retest transients |
Contributor
Author
|
/retest transients |
botengyao
reviewed
Feb 22, 2026
Member
botengyao
left a comment
botengyao
left a comment
There was a problem hiding this comment.
lgtm in high level, thanks for the improvment!
Merging main will pass the CI, also could you also add a changelog?
/wait
| priority_update_cb_ = priority_set_.addPriorityUpdateCb( | ||
| [this](uint32_t, const HostVector&, const HostVector&) { refresh(); }); | ||
| member_update_cb_ = | ||
| priority_set_.addMemberUpdateCb([this](const HostVector&, const HostVector&) { refresh(); }); |
Member
There was a problem hiding this comment.
refresh() reads per_priority_load_ and per_priority_panic_ from LoadBalancerBase. So there are 2 callbacks that are in order, but it could break for future's refactor. Could we make this ordering-independent by pulling the dirty-priority processing into a protected idempotent helper, and calling it both from both?
Contributor
Author
There was a problem hiding this comment.
good point, you're right that relying on callback registration order is fragile. I've added a processDirtyPriorities() protected method on LoadBalancerBase that's idempotent (no-op if dirty set is empty). ThreadAwareLoadBalancerBase now calls it before refresh() in its own MemberUpdateCb, so even if the ordering changes in a future refactor, it will always have up-to-date per_priority_load_ and per_priority_panic_ state.
| total_healthy_hosts_); | ||
| recalculatePerPriorityPanic(); | ||
| stashed_random_.clear(); | ||
| dirty_priorities_.insert(priority); |
Member
There was a problem hiding this comment.
I would suggest adding a runtime guard for this.
Contributor
Author
There was a problem hiding this comment.
done, added envoy.reloadable_features.coalesce_lb_rebuilds_on_batch_update with a changelog entry. when the guard is off, the original behavior is preserved (work done inline in PriorityUpdateCb). the flag is checked once at LB construction time so there's no per-update overhead.
Contributor
Author
|
/retest transients |
|
CC @envoyproxy/coverage-shephards: FYI only for changes made to |
Contributor
Author
|
/retest transients |
botengyao
reviewed
Feb 22, 2026
Member
botengyao
left a comment
botengyao
left a comment
There was a problem hiding this comment.
lgtm in high level, thanks for the great contribution!
| source/extensions/internal_redirect/safe_cross_scheme: 81.3 | ||
| source/extensions/internal_redirect/allow_listed_routes: 85.7 | ||
| source/extensions/internal_redirect/previous_routes: 89.3 | ||
| source/extensions/load_balancing_policies/common: 96.3 |
Member
There was a problem hiding this comment.
what can we do to fill the 0.3?
Contributor
Author
There was a problem hiding this comment.
for this patch I honestly don't know, that's why I ended up doing this. I think load balancing policies could deserve more tests, but do we want to add them in this pr?
Contributor
Author
There was a problem hiding this comment.
ok I will try a last stretch
Contributor
Author
There was a problem hiding this comment.
now fixed, sorry for the lazyness I had earlier :))
nezdolik
reviewed
Feb 23, 2026
Member
nezdolik
left a comment
nezdolik
left a comment
There was a problem hiding this comment.
Thanks for great improvement, had just one question
| } | ||
|
|
||
| if (locality_weighted_balancing_) { | ||
| rebuildLocalityWrrForPriority(priority); |
Member
There was a problem hiding this comment.
is there any co-dependency between regenerateLocalityRoutingStructures() and rebuildLocalityWrrForPriority() in order of invocation? E.g. in original code regenerateLocalityRoutingStructures() is invoked before rebuildLocalityWrrForPriority().
Contributor
Author
There was a problem hiding this comment.
good catch. there's no data co-dependency between the two, regenerateLocalityRoutingStructures() writes to locality_routing_state_/residual_capacity_ while rebuildLocalityWrrForPriority() writes to locality_wrr_, so they don't read each other's output. that said, you're right the original code had regenerateLocalityRoutingStructures() first, so I've restored that ordering in both the new and fallback paths to stay consistent with the original behavior.
nezdolik
approved these changes
Feb 23, 2026
botengyao
added a commit
that referenced
this pull request
Mar 2, 2026
…43697) Fixes a crash introduced by #43346. When a thread-aware load balancer is initialized mid-batch, the per-priority panic tracking vectors have not been resized yet because the batch member update callback hasn't fired. This causes an out-of-bounds read during the LB refresh loop. 1. Process any dirty priorities to properly size vectors if the load balancer is initialized mid-batch. 2. Add a bounds check `ASSERT` to prevent silent out-of-bounds bit vector reads. 3. Add an initialization regression test to prevent this pattern from breaking in the future. Commit Message: Additional Description: Risk Level: low (already guarded by `envoy.reloadable_features.coalesce_lb_rebuilds_on_batch_update`). Testing: Docs Changes: Release Notes: Signed-off-by: Boteng Yao <boteng@google.com>
bmjask
pushed a commit
to bmjask/envoy
that referenced
this pull request
Mar 14, 2026
…nvoyproxy#43346) Commit Message: During EDS batch updates that modify multiple priorities, all load balancers in the inheritance chain (LoadBalancerBase, ZoneAwareLoadBalancerBase, EdfLoadBalancerBase) do expensive per-priority work for every individual priority update via PriorityUpdateCb. This includes: - LoadBalancerBase: recalculating per-priority health state and panic mode - ZoneAwareLoadBalancerBase: rebuilding locality-weighted routing structures - EdfLoadBalancerBase: rebuilding EDF schedulers at O(n log n) per HostsSource For clusters with ~5k endpoints undergoing bulk IP changes during rollouts, this causes significant CPU spikes on the main thread as each priority update triggers redundant recalculations across the full LB stack. The fix leverages the existing MemberUpdateCb which fires once after the entire batch completes (unlike PriorityUpdateCb which fires per priority). Instead of doing work immediately in PriorityUpdateCb, each LB level now marks the priority as dirty. The actual work happens in MemberUpdateCb, coalescing all dirty priorities into a single pass. ThreadAwareLoadBalancerBase (used by RingHash and Maglev) is also updated to call refresh() from MemberUpdateCb instead of PriorityUpdateCb, ensuring it reads per-priority state after LoadBalancerBase has processed dirty priorities. Additionally, MockPrioritySet callback ordering is fixed to match real PrioritySetImpl behavior (PriorityUpdateCb fires before MemberUpdateCb). Additional Description: Risk Level: medium Testing: unit tests updated, new test for batch callback behavior Docs Changes: n/a Release Notes: n/a Platform Specific Features: n/a [Optional Runtime guard:] [Optional Fixes #Issue] [Optional Fixes commit #PR or SHA] [Optional Deprecated:] [Optional [API Considerations](https://github.com/envoyproxy/envoy/blob/main/api/review_checklist.md):] --------- Signed-off-by: William Dauchy <william.dauchy@datadoghq.com> Signed-off-by: bjmask <11672696+bjmask@users.noreply.github.com>
bmjask
pushed a commit
to bmjask/envoy
that referenced
this pull request
Mar 14, 2026
…nvoyproxy#43697) Fixes a crash introduced by envoyproxy#43346. When a thread-aware load balancer is initialized mid-batch, the per-priority panic tracking vectors have not been resized yet because the batch member update callback hasn't fired. This causes an out-of-bounds read during the LB refresh loop. 1. Process any dirty priorities to properly size vectors if the load balancer is initialized mid-batch. 2. Add a bounds check `ASSERT` to prevent silent out-of-bounds bit vector reads. 3. Add an initialization regression test to prevent this pattern from breaking in the future. Commit Message: Additional Description: Risk Level: low (already guarded by `envoy.reloadable_features.coalesce_lb_rebuilds_on_batch_update`). Testing: Docs Changes: Release Notes: Signed-off-by: Boteng Yao <boteng@google.com> Signed-off-by: bjmask <11672696+bjmask@users.noreply.github.com>
bvandewalle
pushed a commit
to bvandewalle/envoy
that referenced
this pull request
Mar 17, 2026
…nvoyproxy#43346) Commit Message: During EDS batch updates that modify multiple priorities, all load balancers in the inheritance chain (LoadBalancerBase, ZoneAwareLoadBalancerBase, EdfLoadBalancerBase) do expensive per-priority work for every individual priority update via PriorityUpdateCb. This includes: - LoadBalancerBase: recalculating per-priority health state and panic mode - ZoneAwareLoadBalancerBase: rebuilding locality-weighted routing structures - EdfLoadBalancerBase: rebuilding EDF schedulers at O(n log n) per HostsSource For clusters with ~5k endpoints undergoing bulk IP changes during rollouts, this causes significant CPU spikes on the main thread as each priority update triggers redundant recalculations across the full LB stack. The fix leverages the existing MemberUpdateCb which fires once after the entire batch completes (unlike PriorityUpdateCb which fires per priority). Instead of doing work immediately in PriorityUpdateCb, each LB level now marks the priority as dirty. The actual work happens in MemberUpdateCb, coalescing all dirty priorities into a single pass. ThreadAwareLoadBalancerBase (used by RingHash and Maglev) is also updated to call refresh() from MemberUpdateCb instead of PriorityUpdateCb, ensuring it reads per-priority state after LoadBalancerBase has processed dirty priorities. Additionally, MockPrioritySet callback ordering is fixed to match real PrioritySetImpl behavior (PriorityUpdateCb fires before MemberUpdateCb). Additional Description: Risk Level: medium Testing: unit tests updated, new test for batch callback behavior Docs Changes: n/a Release Notes: n/a Platform Specific Features: n/a [Optional Runtime guard:] [Optional Fixes #Issue] [Optional Fixes commit #PR or SHA] [Optional Deprecated:] [Optional [API Considerations](https://github.com/envoyproxy/envoy/blob/main/api/review_checklist.md):] --------- Signed-off-by: William Dauchy <william.dauchy@datadoghq.com>
bvandewalle
pushed a commit
to bvandewalle/envoy
that referenced
this pull request
Mar 17, 2026
…nvoyproxy#43697) Fixes a crash introduced by envoyproxy#43346. When a thread-aware load balancer is initialized mid-batch, the per-priority panic tracking vectors have not been resized yet because the batch member update callback hasn't fired. This causes an out-of-bounds read during the LB refresh loop. 1. Process any dirty priorities to properly size vectors if the load balancer is initialized mid-batch. 2. Add a bounds check `ASSERT` to prevent silent out-of-bounds bit vector reads. 3. Add an initialization regression test to prevent this pattern from breaking in the future. Commit Message: Additional Description: Risk Level: low (already guarded by `envoy.reloadable_features.coalesce_lb_rebuilds_on_batch_update`). Testing: Docs Changes: Release Notes: Signed-off-by: Boteng Yao <boteng@google.com>
fishcakez
pushed a commit
to fishcakez/envoy
that referenced
this pull request
Mar 25, 2026
…nvoyproxy#43346) Commit Message: During EDS batch updates that modify multiple priorities, all load balancers in the inheritance chain (LoadBalancerBase, ZoneAwareLoadBalancerBase, EdfLoadBalancerBase) do expensive per-priority work for every individual priority update via PriorityUpdateCb. This includes: - LoadBalancerBase: recalculating per-priority health state and panic mode - ZoneAwareLoadBalancerBase: rebuilding locality-weighted routing structures - EdfLoadBalancerBase: rebuilding EDF schedulers at O(n log n) per HostsSource For clusters with ~5k endpoints undergoing bulk IP changes during rollouts, this causes significant CPU spikes on the main thread as each priority update triggers redundant recalculations across the full LB stack. The fix leverages the existing MemberUpdateCb which fires once after the entire batch completes (unlike PriorityUpdateCb which fires per priority). Instead of doing work immediately in PriorityUpdateCb, each LB level now marks the priority as dirty. The actual work happens in MemberUpdateCb, coalescing all dirty priorities into a single pass. ThreadAwareLoadBalancerBase (used by RingHash and Maglev) is also updated to call refresh() from MemberUpdateCb instead of PriorityUpdateCb, ensuring it reads per-priority state after LoadBalancerBase has processed dirty priorities. Additionally, MockPrioritySet callback ordering is fixed to match real PrioritySetImpl behavior (PriorityUpdateCb fires before MemberUpdateCb). Additional Description: Risk Level: medium Testing: unit tests updated, new test for batch callback behavior Docs Changes: n/a Release Notes: n/a Platform Specific Features: n/a [Optional Runtime guard:] [Optional Fixes #Issue] [Optional Fixes commit #PR or SHA] [Optional Deprecated:] [Optional [API Considerations](https://github.com/envoyproxy/envoy/blob/main/api/review_checklist.md):] --------- Signed-off-by: William Dauchy <william.dauchy@datadoghq.com>
fishcakez
pushed a commit
to fishcakez/envoy
that referenced
this pull request
Mar 25, 2026
…nvoyproxy#43697) Fixes a crash introduced by envoyproxy#43346. When a thread-aware load balancer is initialized mid-batch, the per-priority panic tracking vectors have not been resized yet because the batch member update callback hasn't fired. This causes an out-of-bounds read during the LB refresh loop. 1. Process any dirty priorities to properly size vectors if the load balancer is initialized mid-batch. 2. Add a bounds check `ASSERT` to prevent silent out-of-bounds bit vector reads. 3. Add an initialization regression test to prevent this pattern from breaking in the future. Commit Message: Additional Description: Risk Level: low (already guarded by `envoy.reloadable_features.coalesce_lb_rebuilds_on_batch_update`). Testing: Docs Changes: Release Notes: Signed-off-by: Boteng Yao <boteng@google.com>
henrymwang
pushed a commit
to DataDog/envoy
that referenced
this pull request
Apr 13, 2026
…nvoyproxy#43346) Commit Message: During EDS batch updates that modify multiple priorities, all load balancers in the inheritance chain (LoadBalancerBase, ZoneAwareLoadBalancerBase, EdfLoadBalancerBase) do expensive per-priority work for every individual priority update via PriorityUpdateCb. This includes: - LoadBalancerBase: recalculating per-priority health state and panic mode - ZoneAwareLoadBalancerBase: rebuilding locality-weighted routing structures - EdfLoadBalancerBase: rebuilding EDF schedulers at O(n log n) per HostsSource For clusters with ~5k endpoints undergoing bulk IP changes during rollouts, this causes significant CPU spikes on the main thread as each priority update triggers redundant recalculations across the full LB stack. The fix leverages the existing MemberUpdateCb which fires once after the entire batch completes (unlike PriorityUpdateCb which fires per priority). Instead of doing work immediately in PriorityUpdateCb, each LB level now marks the priority as dirty. The actual work happens in MemberUpdateCb, coalescing all dirty priorities into a single pass. ThreadAwareLoadBalancerBase (used by RingHash and Maglev) is also updated to call refresh() from MemberUpdateCb instead of PriorityUpdateCb, ensuring it reads per-priority state after LoadBalancerBase has processed dirty priorities. Additionally, MockPrioritySet callback ordering is fixed to match real PrioritySetImpl behavior (PriorityUpdateCb fires before MemberUpdateCb). Additional Description: Risk Level: medium Testing: unit tests updated, new test for batch callback behavior Docs Changes: n/a Release Notes: n/a Platform Specific Features: n/a [Optional Runtime guard:] [Optional Fixes #Issue] [Optional Fixes commit #PR or SHA] [Optional Deprecated:] [Optional [API Considerations](https://github.com/envoyproxy/envoy/blob/main/api/review_checklist.md):] --------- Signed-off-by: William Dauchy <william.dauchy@datadoghq.com>
henrymwang
pushed a commit
to DataDog/envoy
that referenced
this pull request
Apr 13, 2026
…nvoyproxy#43697) Fixes a crash introduced by envoyproxy#43346. When a thread-aware load balancer is initialized mid-batch, the per-priority panic tracking vectors have not been resized yet because the batch member update callback hasn't fired. This causes an out-of-bounds read during the LB refresh loop. 1. Process any dirty priorities to properly size vectors if the load balancer is initialized mid-batch. 2. Add a bounds check `ASSERT` to prevent silent out-of-bounds bit vector reads. 3. Add an initialization regression test to prevent this pattern from breaking in the future. Commit Message: Additional Description: Risk Level: low (already guarded by `envoy.reloadable_features.coalesce_lb_rebuilds_on_batch_update`). Testing: Docs Changes: Release Notes: Signed-off-by: Boteng Yao <boteng@google.com>
krinkinmu
pushed a commit
to grnmeira/envoy
that referenced
this pull request
Apr 20, 2026
…nvoyproxy#43346) Commit Message: During EDS batch updates that modify multiple priorities, all load balancers in the inheritance chain (LoadBalancerBase, ZoneAwareLoadBalancerBase, EdfLoadBalancerBase) do expensive per-priority work for every individual priority update via PriorityUpdateCb. This includes: - LoadBalancerBase: recalculating per-priority health state and panic mode - ZoneAwareLoadBalancerBase: rebuilding locality-weighted routing structures - EdfLoadBalancerBase: rebuilding EDF schedulers at O(n log n) per HostsSource For clusters with ~5k endpoints undergoing bulk IP changes during rollouts, this causes significant CPU spikes on the main thread as each priority update triggers redundant recalculations across the full LB stack. The fix leverages the existing MemberUpdateCb which fires once after the entire batch completes (unlike PriorityUpdateCb which fires per priority). Instead of doing work immediately in PriorityUpdateCb, each LB level now marks the priority as dirty. The actual work happens in MemberUpdateCb, coalescing all dirty priorities into a single pass. ThreadAwareLoadBalancerBase (used by RingHash and Maglev) is also updated to call refresh() from MemberUpdateCb instead of PriorityUpdateCb, ensuring it reads per-priority state after LoadBalancerBase has processed dirty priorities. Additionally, MockPrioritySet callback ordering is fixed to match real PrioritySetImpl behavior (PriorityUpdateCb fires before MemberUpdateCb). Additional Description: Risk Level: medium Testing: unit tests updated, new test for batch callback behavior Docs Changes: n/a Release Notes: n/a Platform Specific Features: n/a [Optional Runtime guard:] [Optional Fixes #Issue] [Optional Fixes commit #PR or SHA] [Optional Deprecated:] [Optional [API Considerations](https://github.com/envoyproxy/envoy/blob/main/api/review_checklist.md):] --------- Signed-off-by: William Dauchy <william.dauchy@datadoghq.com>
krinkinmu
pushed a commit
to grnmeira/envoy
that referenced
this pull request
Apr 20, 2026
…nvoyproxy#43697) Fixes a crash introduced by envoyproxy#43346. When a thread-aware load balancer is initialized mid-batch, the per-priority panic tracking vectors have not been resized yet because the batch member update callback hasn't fired. This causes an out-of-bounds read during the LB refresh loop. 1. Process any dirty priorities to properly size vectors if the load balancer is initialized mid-batch. 2. Add a bounds check `ASSERT` to prevent silent out-of-bounds bit vector reads. 3. Add an initialization regression test to prevent this pattern from breaking in the future. Commit Message: Additional Description: Risk Level: low (already guarded by `envoy.reloadable_features.coalesce_lb_rebuilds_on_batch_update`). Testing: Docs Changes: Release Notes: Signed-off-by: Boteng Yao <boteng@google.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Commit Message:
During EDS batch updates that modify multiple priorities, all load
balancers in the inheritance chain (LoadBalancerBase, ZoneAwareLoadBalancerBase,
EdfLoadBalancerBase) do expensive per-priority work for every individual
priority update via PriorityUpdateCb. This includes:
For clusters with ~5k endpoints undergoing bulk IP changes during rollouts,
this causes significant CPU spikes on the main thread as each priority
update triggers redundant recalculations across the full LB stack.
The fix leverages the existing MemberUpdateCb which fires once after the
entire batch completes (unlike PriorityUpdateCb which fires per priority).
Instead of doing work immediately in PriorityUpdateCb, each LB level now
marks the priority as dirty. The actual work happens in MemberUpdateCb,
coalescing all dirty priorities into a single pass.
ThreadAwareLoadBalancerBase (used by RingHash and Maglev) is also updated
to call refresh() from MemberUpdateCb instead of PriorityUpdateCb, ensuring
it reads per-priority state after LoadBalancerBase has processed dirty
priorities.
Additionally, MockPrioritySet callback ordering is fixed to match real
PrioritySetImpl behavior (PriorityUpdateCb fires before MemberUpdateCb).
Additional Description:
Risk Level: medium
Testing: unit tests updated, new test for batch callback behavior
Docs Changes: n/a
Release Notes: n/a
Platform Specific Features: n/a
[Optional Runtime guard:]
[Optional Fixes #Issue]
[Optional Fixes commit #PR or SHA]
[Optional Deprecated:]
[Optional API Considerations:]