[Store] Support storage hierarchy with offload-on-evict mode

[hnts03-moreh]

Description

Add opt-in offload-on-evict mode to Mooncake Store, which defers LOCAL_DISK offload from PutEnd time to BatchEvict time, forming a proper DRAM→LOCAL_DISK storage hierarchy.

Today (enable_ssd_offload=true): every PutEnd synchronously queues the key for offload, so the FileStorage heartbeat writes every put to disk — even hot keys that never leave DRAM. Disk I/O is incurred up front regardless of access pattern.

With this change (MOONCAKE_OFFLOAD_ON_EVICT=1): keys stay in DRAM only until watermark pressure causes BatchEvict to select them. BatchEvict queues the selected MEMORY replicas for offload (pinning them via refcnt), the heartbeat completes the disk write, and the next eviction cycle frees the MEMORY replica via the existing has_local_disk_replica shortcut. Hot keys that are never evicted never touch disk.

Semantics summary:

env var	effect
MOONCAKE_OFFLOAD_ON_EVICT=1	defer offload from PutEnd to BatchEvict; requires enable_offload=true in master config
MOONCAKE_OFFLOAD_FORCE_EVICT=1	allow data-lossy force-eviction when the per-cycle offload cap is exceeded; requires MOONCAKE_OFFLOAD_ON_EVICT=1; default OFF (data-preserving mode)

Neither env var is read through the JSON config schema — they are read once in the MasterService constructor via std::getenv. This keeps the surface area minimal for an experimental flag. If the feature is adopted as the default, promoting it to a proper config field is straightforward.

Backward compatibility: when neither env var is set, behavior is unchanged — the PutEnd offload block and the BatchEvict eviction paths both take their original fast path. All 16 existing eviction / offload tests pass unchanged.

Scope: LOCAL_DISK replicas (FileStorage-based) only. DISK replicas (root_fs_dir path, created by Client::PutToLocalFile at PutEnd) are written client-side, outside the Master's offload queue, and are not affected by this change. Deferring them is possible but requires client-side changes and is left as future work.

Module

• Transfer Engine (mooncake-transfer-engine)
• Mooncake Store (mooncake-store)
• Mooncake EP (mooncake-ep)
• Integration (mooncake-integration)
• P2P Store (mooncake-p2p-store)
• Python Wheel (mooncake-wheel)
• PyTorch Backend (mooncake-pg)
• Mooncake RL (mooncake-rl)
• CI/CD
• Docs
• Other

Type of Change

• Bug fix
• New feature
• Refactor
• Breaking change
• Documentation update
• Other

How Has This Been Tested?

New tests in this PR

• C++ unit tests — mooncake-store/tests/offload_on_evict_test.cpp, 9 cases across all four env-var combinations:
  • A (neither set): PutEnd still queues offload; existing eviction works.
  • B (ON_EVICT=1): PutEnd skips the queue; eviction queues offload; PushOffloadingQueue failure falls back to direct eviction.
  • C (ON_EVICT=1 + FORCE_EVICT=1): PutEnd skips; eviction still makes progress under the force-evict cap.
  • D (FORCE_EVICT=1 only): treated as if unset — requires ON_EVICT=1 to take effect.
• Python-binding integration test — mooncake-wheel/tests/test_offload_on_eviction.py, test_small_workload_no_disk_replica: asserts that a workload below the eviction watermark produces zero LOCAL_DISK replicas. This is the behavioral difference from the default enable_ssd_offload path (which would produce disk replicas for every put).

Existing tests (regression)

Run on hnts03/support-storage-hierarchy after the changes:

• eviction_strategy_test: 4/4 PASS
• master_service_test --gtest_filter='*Evict*': 8/8 PASS
• master_service_ssd_test --gtest_filter='*Evict*': 4/4 PASS

No behavioral change when the new env vars are unset.

End-to-end empirical verification

Validated against a running mooncake_master with the Python client binding (enable_ssd_offload=true, MOONCAKE_OFFLOAD_ON_EVICT=1):

• Workload: 50 MB DRAM segment, 100 keys × 1 MB (2x overflow), heartbeat interval = 1 s.
• Result: 96 / 100 keys offloaded to LOCAL_DISK via the eviction path; 100 / 100 keys readable bit-exact afterwards.
• Master log confirmed feature activation (Offload-on-evict mode enabled) and our new diagnostic ([EVICT] N objects deferred for disk offload).

Checklist

• I have performed a self-review of my own code.
• I have formatted my own code using ./scripts/code_format.sh before submitting.
• I have updated the documentation.
• I have added tests to prove my changes are effective.

[gemini-code-assist]

Code Review

This pull request introduces an "offload-on-evict" mechanism that defers data offloading to local disk until eviction time, aimed at reducing disk I/O for hot data. The implementation includes new configuration flags, logic within the BatchEvict function to handle deferred offloading or force-eviction, and corresponding unit and integration tests. Review feedback highlights a critical data integrity issue where objects might be lost if the offloading queue is full, suggests replacing magic numbers with named constants, and recommends several performance optimizations regarding logging, timestamp retrieval, and replica management during eviction.

[gemini-code-assist]

This line causes unconditional force-eviction (and thus data loss) if PushOffloadingQueue fails (e.g., due to KEYS_ULTRA_LIMIT), even when offload_force_evict_ is set to false. To preserve data integrity in the default mode, eviction should only proceed if the object is already being offloaded (tracked in offloading_tasks) or if force-evict is explicitly enabled.

        if (shard->offloading_tasks.count(key) > 0 || offload_force_evict_) {
            return metadata.size * evict_replicas(metadata);
        }
        return 0;

[hnts03-moreh]

It was a real oversight. The fallback now only force-evicts when MOONCAKE_OFFLOAD_FORCE_EVICT=1 is explicitly set. Otherwise it returns 0 (skip), letting the outer eviction loop retry on the next cycle after the offload queue drains. Updated the corresponding test case (ComboB_FallbackWhenNoLocalDiskSegment→ ComboB_NoFallbackWithoutForceEvict) to verify the new data-preserving default.

[gemini-code-assist]

The multiplier 0.5 is a magic number. It would be better to define this as a named constant (e.g., kOffloadCapRatio) or make it a configurable parameter in MasterServiceConfig to improve maintainability and clarity.

[hnts03-moreh]

Extracted to constexpr double kOffloadCapRatio = 0.5 with a comment explaining the intent. Promoting it to a runtime-configurable parameter is tracked as a follow-up.

[gemini-code-assist]

This warning log is inside a loop that iterates over all objects in a shard. If a large number of objects reach the offload cap simultaneously, this could lead to log flooding and impact performance. Consider using LOG_EVERY_N(WARNING, 100) or summarizing the force-evictions at the end of the cycle.

[hnts03-moreh]

Moved the per-key warning out of the loop. Force-eviction counts are now aggregated and reported as a single summary LOG(WARNING) at the end of the BatchEvict cycle.

[gemini-code-assist]

For efficiency, the visitor should stop attempting to queue replicas once one has been successfully queued for the current key. Since VisitReplicas does not support early exit, adding a check at the beginning of the lambda is recommended.

            [this, &key, &shard, &queued, &now](Replica& replica) {
                if (queued) return;
                auto result = PushOffloadingQueue(key, replica);

[hnts03-moreh]

Added if (queued) return; at the top of the visitor lambda.

[gemini-code-assist]

Repeatedly calling std::chrono::system_clock::now() inside a loop can be expensive. It is better to use the now variable captured at the beginning of the BatchEvict function (line 3466).

Suggested change

	std::chrono::system_clock::now()});
	now});

[hnts03-moreh]

Now captures the outer now variable instead of calling system_clock::now() inside the lambda

[gemini-code-assist]

When replica_num > 1, pinning one replica for offload is sufficient to preserve the data. The remaining memory replicas (which still have refcnt == 0) can and should be evicted immediately to reclaim memory. Returning 0 here defers their eviction to the next cycle, which is less efficient.

Suggested change

	if (queued) {
	offload_queued_this_cycle++;
	offload_deferred_count++;
	return 0; // No memory freed yet
	}
	if (queued) {
	offload_queued_this_cycle++;
	offload_deferred_count++;
	return metadata.size * evict_replicas(metadata);
	}

[hnts03-moreh]

After pinning one replica for offload (refcnt=1), the remaining refcnt==0 MEMORY replicas are now evicted in the same cycle. This is safe because evict_replicas only touches replicas with refcnt == 0, and the pinned one survives. For the typical replica_num=1 case this is a no-op (the single replica is pinned), but it avoids wasting a cycle when replica_num > 1.

[codecov-commenter]

⚠️ Please install the to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

❌ Patch coverage is 92.08861% with 25 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
mooncake-store/src/master_service.cpp	80.24%	16 Missing ⚠️
mooncake-store/include/master_config.h	50.00%	4 Missing ⚠️
mooncake-store/src/master.cpp	0.00%	4 Missing ⚠️
mooncake-store/tests/offload_on_evict_test.cpp	99.55%	1 Missing ⚠️

📢 Thoughts on this report? Let us know!

[ykwd]

The parameters for the master should be passed via main in master.cpp, while only the client-side parameters should be configured through environment variables.

[hnts03-moreh]

@ykwd
Thanks for your review!
I've migrated both parameters from environment variables to proper MasterConfig fields.

Before:

MOONCAKE_OFFLOAD_ON_EVICT=1 MOONCAKE_OFFLOAD_FORCE_EVICT=1 mooncake_master ...

After (JSON config):

{
  "offload_on_evict": true,
  "offload_force_evict": false
}

After (CLI flags):

mooncake_master --offload_on_evict=true --offload_force_evict=false

Thanks!

[zhangzuo21]

No need to format CMakeLists.txt.

[hnts03-moreh]

@zhangzuo21
Rebased on latest main! The only intentional change is adding add_store_test(offload_on_evict_test ...) (1 line). The remaining formatting diffs are from the cmake-format pre-commit hook automatically reformatting existing lines. I can't suppress the hook without --no-verify.