[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"article-deep-evm-29-semaphores-async-rust-deadlock-fire-forget":3},{"article":4,"author":51},{"id":5,"category_id":6,"title":7,"slug":8,"excerpt":9,"content_md":10,"content_html":11,"locale":12,"author_id":13,"published":14,"published_at":15,"meta_title":16,"meta_description":17,"focus_keyword":18,"og_image":19,"canonical_url":19,"robots_meta":20,"created_at":15,"updated_at":15,"tags":21,"category_name":31,"related_articles":32},"d0000000-0000-0000-0000-000000000301","a0000000-0000-0000-0000-000000000006","Deep EVM #29: Semaphores in Async Rust — Deadlock Hunting and Fire-and-Forget Patterns","deep-evm-29-semaphores-async-rust-deadlock-fire-forget","A deep dive into tokio::sync::Semaphore for backpressure control, fire-and-forget write patterns, deadlock diagnosis with tracing and tokio-console, and production-hardened solutions using RAII permits and acquire timeouts.","## Why Semaphores in Async Rust\n\nWhen you run a high-throughput pipeline — an MEV bot processing 180,000 arbitrage chains per block, an API server handling 10,000 concurrent requests, or an ETL job writing millions of rows — you inevitably hit a resource ceiling. Database connection pools exhaust. RPC providers rate-limit you. Memory balloons because you spawned 50,000 tokio tasks, each holding a chain's worth of data.\n\nThe naive approach is unbounded concurrency: `tokio::spawn` for every unit of work and hope the runtime sorts it out. It does not. In production, we observed 15.4 GB memory usage from 2.7 million spawned tasks, each holding a `Vec\u003CHop>` plus simulation context. The fix was batched concurrency with semaphore-based backpressure, which brought memory down to 0.8 GB.\n\nA semaphore is the right primitive when you need to limit the number of concurrent operations without serializing them entirely. Unlike a mutex (which allows exactly one), a semaphore allows N concurrent accessors. This makes it perfect for:\n\n- **Database write concurrency**: limit to the connection pool size (e.g., 20 concurrent writes)\n- **RPC rate limiting**: cap outgoing requests to avoid 429 responses from providers\n- **Memory backpressure**: prevent unbounded task spawning by gating on available permits\n- **Batch processing**: control how many simulation batches run in parallel against a shared node\n\n## tokio::sync::Semaphore Basics\n\nThe `tokio::sync::Semaphore` is a counting semaphore designed for async code. It maintains an internal counter of available permits. Tasks acquire permits before proceeding and release them when done.\n\n```rust\nuse std::sync::Arc;\nuse tokio::sync::Semaphore;\n\n\u002F\u002F Allow up to 20 concurrent database writes\nlet semaphore = Arc::new(Semaphore::new(20));\n\nfor chain in chains_to_persist {\n let sem = semaphore.clone();\n let db_pool = db_pool.clone();\n\n tokio::spawn(async move {\n \u002F\u002F Acquire a permit — blocks if all 20 are in use\n let _permit = sem.acquire().await.unwrap();\n\n \u002F\u002F Do the write — permit is held for this scope\n sqlx::query(\"UPDATE chains SET profit = $1 WHERE id = $2\")\n .bind(chain.profit)\n .bind(chain.id)\n .execute(&db_pool)\n .await\n .ok();\n\n \u002F\u002F _permit is dropped here — automatically released\n });\n}\n```\n\nKey API surface:\n\n- `Semaphore::new(permits)` — create with N permits\n- `acquire(&self)` — async, waits until a permit is available, returns `SemaphorePermit` (RAII guard)\n- `try_acquire(&self)` — non-async, returns `Err(TryAcquireError)` immediately if no permits available\n- `acquire_owned(self: Arc\u003CSelf>)` — returns `OwnedSemaphorePermit` that owns the `Arc`, useful when the permit must outlive the borrow\n- `add_permits(&self, n)` — dynamically increase the permit count\n- `close(&self)` — close the semaphore; all pending `acquire` calls return `Err(AcquireError)`\n- `available_permits(&self)` — inspect current count (useful for metrics)\n\nThe critical design choice: `acquire()` returns an RAII guard. When the guard is dropped, the permit is released. This means you get automatic cleanup even on panics, early returns, and `?` operator bailouts — as long as the guard lives on the stack.\n\n## Fire-and-Forget Write Pattern\n\nIn high-throughput systems, you often want to persist data without blocking the hot path. The pattern: spawn a background task that acquires a semaphore permit, performs the write, and releases. The caller does not await the result.\n\nIn a well-architected system, this is implemented as a decorator that wraps the inner storage service:\n\n```rust\nuse std::sync::Arc;\nuse tokio::sync::Semaphore;\n\npub struct AsyncChainStore\u003CS: ChainStore> {\n inner: Arc\u003CS>,\n semaphore: Arc\u003CSemaphore>,\n}\n\nimpl\u003CS: ChainStore + Send + Sync + 'static> AsyncChainStore\u003CS> {\n pub fn new(inner: Arc\u003CS>, max_concurrent_writes: usize) -> Self {\n Self {\n inner,\n semaphore: Arc::new(Semaphore::new(max_concurrent_writes)),\n }\n }\n\n \u002F\u002F\u002F Fire-and-forget: persist chain profits without blocking the caller.\n \u002F\u002F\u002F Backpressure is enforced by the semaphore — if all permits are\n \u002F\u002F\u002F taken, the spawned task waits, but the caller returns immediately.\n pub fn save_profits_async(&self, chains: Vec\u003CChainProfit>) {\n let inner = self.inner.clone();\n let sem = self.semaphore.clone();\n\n tokio::spawn(async move {\n \u002F\u002F Acquire permit — this is where backpressure happens\n let _permit = match sem.acquire().await {\n Ok(p) => p,\n Err(_) => {\n tracing::warn!(\"semaphore closed, dropping write\");\n return;\n }\n };\n\n if let Err(e) = inner.batch_update_profits(&chains).await {\n tracing::error!(\n error = %e,\n count = chains.len(),\n \"fire-and-forget write failed\"\n );\n }\n \u002F\u002F _permit dropped here — next queued task proceeds\n });\n }\n}\n```\n\nThis decorator pattern (R-004 in our codebase conventions) keeps the inner `ChainStore` pure — it knows nothing about concurrency control. The decorator handles semaphore management, error logging, and task spawning. The ServiceLocator wires them together:\n\n```rust\n\u002F\u002F In locator\u002Fmod.rs\nlet chain_store = Arc::new(PgChainStore::new(db_pool.clone()));\nlet async_chain_store = AsyncChainStore::new(chain_store, 20);\n```\n\nWhy not just use the database pool's built-in connection limit? Because the semaphore gives you a separate knob. Your pool might have 50 connections, but you want fire-and-forget writes to use at most 20, reserving 30 for latency-critical reads. The semaphore enforces this partitioning at the application level.\n\n## Deadlock Scenarios\n\nSemaphore deadlocks are insidious because they don't cause a panic or an error — the program simply stops making progress. Here are the patterns we've encountered in production.\n\n### Scenario 1: Permit Not Released on Early Return\n\n```rust\nasync fn process_batch(sem: &Semaphore, batch: &[Chain]) -> Result\u003C()> {\n let permit = sem.acquire().await?;\n\n \u002F\u002F Early return if batch is empty — BUT permit is still held!\n if batch.is_empty() {\n return Ok(()); \u002F\u002F permit dropped here — actually fine in this case\n }\n\n \u002F\u002F The real danger: storing the permit in a struct that outlives the scope\n let ctx = ProcessingContext {\n permit: Some(permit), \u002F\u002F permit moved into struct\n batch,\n };\n\n \u002F\u002F If process() stores ctx somewhere long-lived, permit is leaked\n process(ctx).await?;\n Ok(())\n}\n```\n\nThe RAII guard protects you against most early returns. The danger comes when you move the permit into a struct that escapes the expected lifetime — stored in a `HashMap`, sent through a channel, or held in a `static`.\n\n### Scenario 2: Nested Acquire (Self-Deadlock)\n\n```rust\nasync fn simulate_and_persist(\n sem: &Semaphore,\n chain: &Chain,\n) -> Result\u003C()> {\n let _outer = sem.acquire().await?; \u002F\u002F Takes 1 of N permits\n\n let result = simulate(chain).await?;\n\n \u002F\u002F BUG: acquiring the SAME semaphore inside a held permit\n let _inner = sem.acquire().await?; \u002F\u002F If N=1, deadlock. If N>1, reduces throughput\n persist(result).await?;\n\n Ok(())\n}\n```\n\nWith `N=1`, this is an instant deadlock. With `N>1`, it works until load increases and all permits are held by tasks waiting for their inner acquire. The fix: use separate semaphores for separate concerns, or restructure to avoid nested acquisition.\n\n### Scenario 3: Permit Held Across Await Points in Select\n\n```rust\nasync fn process_with_timeout(sem: &Semaphore) -> Result\u003C()> {\n let permit = sem.acquire().await?;\n\n tokio::select! {\n result = do_work() => {\n result?;\n }\n _ = tokio::time::sleep(Duration::from_secs(30)) => {\n tracing::warn!(\"timeout, but permit is still held until drop\");\n \u002F\u002F If do_work() is cancelled but its future holds resources\n \u002F\u002F that reference the permit indirectly, you get a leak\n }\n }\n \u002F\u002F permit dropped here — this is actually correct\n \u002F\u002F BUT: if do_work() spawns a sub-task that captures the permit, the\n \u002F\u002F cancellation of do_work() does NOT cancel the sub-task\n Ok(())\n}\n```\n\nThe `select!` macro cancels the losing branch by dropping its future, but any tasks spawned inside that future continue running. If those tasks captured a reference to the permit (or a clone of an `OwnedSemaphorePermit`), the permit is not released when expected.\n\n## Diagnosing Semaphore Deadlocks\n\nWhen your system stops making progress, how do you identify a semaphore deadlock versus a slow dependency?\n\n### Tracing-Based Diagnosis\n\nInstrument acquire\u002Frelease with structured logging:\n\n```rust\nlet permits_before = semaphore.available_permits();\ntracing::debug!(\n available = permits_before,\n \"acquiring semaphore permit\"\n);\n\nlet _permit = semaphore.acquire().await?;\n\ntracing::debug!(\n available = semaphore.available_permits(),\n \"acquired semaphore permit\"\n);\n```\n\nIf your logs show \"acquiring\" but never \"acquired\", all permits are held somewhere. Correlate with the last N \"acquired\" log entries to find who is holding them.\n\n### Prometheus Metrics\n\nExpose a gauge metric for available permits:\n\n```rust\nuse metrics::gauge;\n\n\u002F\u002F In your decorator or middleware\ngauge!(\"semaphore_available_permits\", semaphore.available_permits() as f64);\n```\n\nA gauge that drops to zero and stays there is a deadlock. A gauge that hovers near zero but fluctuates is contention (high load, possibly needs more permits).\n\n### tokio-console\n\n`tokio-console` is a diagnostic tool that attaches to a running tokio application and shows task states in real time:\n\n```bash\ncargo add --dev console-subscriber\n```\n\n```rust\n\u002F\u002F In main.rs (debug builds only)\n#[cfg(debug_assertions)]\nconsole_subscriber::init();\n```\n\nRun `tokio-console` in another terminal and look for tasks stuck in \"Idle\" state on a semaphore acquire. The tool shows you exactly which task is waiting and for how long.\n\n## Production-Hardened Solutions\n\n### Solution 1: Always Use OwnedSemaphorePermit with Arc\n\nWhen spawning tasks, prefer `acquire_owned()` over `acquire()`. The owned variant takes `Arc\u003CSemaphore>` and returns a permit that does not borrow the semaphore — it owns a clone of the `Arc`. This avoids lifetime issues entirely:\n\n```rust\nlet semaphore = Arc::new(Semaphore::new(20));\n\nfor item in items {\n let permit = semaphore.clone().acquire_owned().await?;\n\n tokio::spawn(async move {\n \u002F\u002F permit is moved into the task — no borrow issues\n do_work(item).await;\n drop(permit); \u002F\u002F explicit drop for clarity, or let scope handle it\n });\n}\n```\n\n### Solution 2: Acquire with Timeout\n\nNever wait indefinitely for a permit in production. Use `tokio::time::timeout` to detect deadlocks early:\n\n```rust\nuse tokio::time::{timeout, Duration};\n\nlet permit = timeout(\n Duration::from_secs(30),\n semaphore.acquire(),\n).await\n .map_err(|_| anyhow!(\"semaphore acquire timed out — possible deadlock\"))?\n .map_err(|_| anyhow!(\"semaphore closed\"))?;\n```\n\nWhen the timeout fires, log the available permits, the number of waiting tasks, and a stack trace. This gives you immediate visibility into the deadlock without bringing down the process.\n\n### Solution 3: Structured Concurrency with JoinSet\n\nInstead of unbounded `tokio::spawn`, use `tokio::task::JoinSet` to maintain ownership of spawned tasks and pair it with a semaphore:\n\n```rust\nuse tokio::task::JoinSet;\n\nlet semaphore = Arc::new(Semaphore::new(20));\nlet mut join_set = JoinSet::new();\n\nfor batch in batches {\n let permit = semaphore.clone().acquire_owned().await?;\n let db_pool = db_pool.clone();\n\n join_set.spawn(async move {\n let result = process_batch(&db_pool, &batch).await;\n drop(permit); \u002F\u002F release before the JoinSet collects\n result\n });\n}\n\n\u002F\u002F Drain all tasks — collect errors instead of silently losing them\nwhile let Some(result) = join_set.join_next().await {\n match result {\n Ok(Ok(())) => {}\n Ok(Err(e)) => tracing::error!(error = %e, \"batch processing failed\"),\n Err(e) => tracing::error!(error = %e, \"task panicked\"),\n }\n}\n```\n\nThis pattern ensures: (1) bounded concurrency via semaphore, (2) no silent task failures, (3) the parent task knows when all children complete, (4) permits are always released even if a task panics (because `JoinSet::join_next` returns `JoinError` for panicked tasks, and the permit is dropped with the task's state).\n\n### Solution 4: Separate Semaphores for Separate Concerns\n\nNever share a single semaphore across unrelated operations. In our MEV pipeline, we use separate semaphores for:\n\n```rust\npub struct ConcurrencyLimits {\n \u002F\u002F\u002F Limits concurrent RPC simulation calls to the node\n pub simulation: Arc\u003CSemaphore>,\n \u002F\u002F\u002F Limits concurrent database writes for chain persistence\n pub db_writes: Arc\u003CSemaphore>,\n \u002F\u002F\u002F Limits concurrent mempool subscription handlers\n pub mempool: Arc\u003CSemaphore>,\n}\n\nimpl ConcurrencyLimits {\n pub fn new() -> Self {\n Self {\n simulation: Arc::new(Semaphore::new(4)), \u002F\u002F node can handle 4 parallel batches\n db_writes: Arc::new(Semaphore::new(20)), \u002F\u002F 20 of 50 pool connections\n mempool: Arc::new(Semaphore::new(100)), \u002F\u002F 100 concurrent tx handlers\n }\n }\n}\n```\n\nThis eliminates the nested acquire deadlock entirely — a task acquires `simulation` permit, then `db_writes` permit, and these are independent pools.\n\n## Performance: Semaphore Overhead\n\nIs the semaphore itself a bottleneck? In practice, no. `tokio::sync::Semaphore` is implemented with an atomic counter and an intrusive linked list of waiters. Acquiring an uncontested permit is a single `fetch_sub` — nanoseconds. Even under contention, the overhead is the waker notification (also nanoseconds) versus the milliseconds your actual I\u002FO takes.\n\nWe benchmarked semaphore overhead in our pipeline:\n\n| Operation | Without Semaphore | With Semaphore (20 permits) |\n|-----------|-------------------|-----------------------------|\n| 10,000 DB writes | 1,340ms (all concurrent, pool exhaustion errors) | 1,580ms (controlled, zero errors) |\n| 500 RPC simulations | 8,200ms (node overloaded, timeouts) | 9,100ms (4 at a time, zero timeouts) |\n| Memory (2.7M tasks) | 15.4 GB | 0.8 GB (batched with JoinSet) |\n\nThe 10-15% wall-clock overhead is negligible compared to eliminating errors, timeouts, and OOM crashes.\n\n## Conclusion\n\nSemaphores in async Rust are deceptively simple — `acquire`, do work, drop the permit. The complexity emerges in production: permits leaked into long-lived structs, nested acquires across call stacks, permits held across `select!` cancellation boundaries.\n\nThe defensive playbook:\n\n1. **Always** use `acquire_owned()` when spawning tasks\n2. **Always** wrap acquire in a timeout\n3. **Never** nest acquires on the same semaphore\n4. **Separate** semaphores for separate resource pools\n5. **Instrument** available permits with metrics and tracing\n6. **Use JoinSet** instead of unbounded `tokio::spawn` to maintain structured concurrency\n\nThese patterns have held up across millions of blocks processed, hundreds of thousands of concurrent tasks, and zero deadlocks in production since adopting them.","\u003Ch2 id=\"why-semaphores-in-async-rust\">Why Semaphores in Async Rust\u003C\u002Fh2>\n\u003Cp>When you run a high-throughput pipeline — an MEV bot processing 180,000 arbitrage chains per block, an API server handling 10,000 concurrent requests, or an ETL job writing millions of rows — you inevitably hit a resource ceiling. Database connection pools exhaust. RPC providers rate-limit you. Memory balloons because you spawned 50,000 tokio tasks, each holding a chain’s worth of data.\u003C\u002Fp>\n\u003Cp>The naive approach is unbounded concurrency: \u003Ccode>tokio::spawn\u003C\u002Fcode> for every unit of work and hope the runtime sorts it out. It does not. In production, we observed 15.4 GB memory usage from 2.7 million spawned tasks, each holding a \u003Ccode>Vec<Hop>\u003C\u002Fcode> plus simulation context. The fix was batched concurrency with semaphore-based backpressure, which brought memory down to 0.8 GB.\u003C\u002Fp>\n\u003Cp>A semaphore is the right primitive when you need to limit the number of concurrent operations without serializing them entirely. Unlike a mutex (which allows exactly one), a semaphore allows N concurrent accessors. This makes it perfect for:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Database write concurrency\u003C\u002Fstrong>: limit to the connection pool size (e.g., 20 concurrent writes)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>RPC rate limiting\u003C\u002Fstrong>: cap outgoing requests to avoid 429 responses from providers\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Memory backpressure\u003C\u002Fstrong>: prevent unbounded task spawning by gating on available permits\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Batch processing\u003C\u002Fstrong>: control how many simulation batches run in parallel against a shared node\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch2 id=\"tokio-sync-semaphore-basics\">tokio::sync::Semaphore Basics\u003C\u002Fh2>\n\u003Cp>The \u003Ccode>tokio::sync::Semaphore\u003C\u002Fcode> is a counting semaphore designed for async code. It maintains an internal counter of available permits. Tasks acquire permits before proceeding and release them when done.\u003C\u002Fp>\n\u003Cpre>\u003Ccode class=\"language-rust\">use std::sync::Arc;\nuse tokio::sync::Semaphore;\n\n\u002F\u002F Allow up to 20 concurrent database writes\nlet semaphore = Arc::new(Semaphore::new(20));\n\nfor chain in chains_to_persist {\n let sem = semaphore.clone();\n let db_pool = db_pool.clone();\n\n tokio::spawn(async move {\n \u002F\u002F Acquire a permit — blocks if all 20 are in use\n let _permit = sem.acquire().await.unwrap();\n\n \u002F\u002F Do the write — permit is held for this scope\n sqlx::query(\"UPDATE chains SET profit = $1 WHERE id = $2\")\n .bind(chain.profit)\n .bind(chain.id)\n .execute(&db_pool)\n .await\n .ok();\n\n \u002F\u002F _permit is dropped here — automatically released\n });\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Key API surface:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Ccode>Semaphore::new(permits)\u003C\u002Fcode> — create with N permits\u003C\u002Fli>\n\u003Cli>\u003Ccode>acquire(&self)\u003C\u002Fcode> — async, waits until a permit is available, returns \u003Ccode>SemaphorePermit\u003C\u002Fcode> (RAII guard)\u003C\u002Fli>\n\u003Cli>\u003Ccode>try_acquire(&self)\u003C\u002Fcode> — non-async, returns \u003Ccode>Err(TryAcquireError)\u003C\u002Fcode> immediately if no permits available\u003C\u002Fli>\n\u003Cli>\u003Ccode>acquire_owned(self: Arc<Self>)\u003C\u002Fcode> — returns \u003Ccode>OwnedSemaphorePermit\u003C\u002Fcode> that owns the \u003Ccode>Arc\u003C\u002Fcode>, useful when the permit must outlive the borrow\u003C\u002Fli>\n\u003Cli>\u003Ccode>add_permits(&self, n)\u003C\u002Fcode> — dynamically increase the permit count\u003C\u002Fli>\n\u003Cli>\u003Ccode>close(&self)\u003C\u002Fcode> — close the semaphore; all pending \u003Ccode>acquire\u003C\u002Fcode> calls return \u003Ccode>Err(AcquireError)\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>\u003Ccode>available_permits(&self)\u003C\u002Fcode> — inspect current count (useful for metrics)\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>The critical design choice: \u003Ccode>acquire()\u003C\u002Fcode> returns an RAII guard. When the guard is dropped, the permit is released. This means you get automatic cleanup even on panics, early returns, and \u003Ccode>?\u003C\u002Fcode> operator bailouts — as long as the guard lives on the stack.\u003C\u002Fp>\n\u003Ch2 id=\"fire-and-forget-write-pattern\">Fire-and-Forget Write Pattern\u003C\u002Fh2>\n\u003Cp>In high-throughput systems, you often want to persist data without blocking the hot path. The pattern: spawn a background task that acquires a semaphore permit, performs the write, and releases. The caller does not await the result.\u003C\u002Fp>\n\u003Cp>In a well-architected system, this is implemented as a decorator that wraps the inner storage service:\u003C\u002Fp>\n\u003Cpre>\u003Ccode class=\"language-rust\">use std::sync::Arc;\nuse tokio::sync::Semaphore;\n\npub struct AsyncChainStore<S: ChainStore> {\n inner: Arc<S>,\n semaphore: Arc<Semaphore>,\n}\n\nimpl<S: ChainStore + Send + Sync + 'static> AsyncChainStore<S> {\n pub fn new(inner: Arc<S>, max_concurrent_writes: usize) -> Self {\n Self {\n inner,\n semaphore: Arc::new(Semaphore::new(max_concurrent_writes)),\n }\n }\n\n \u002F\u002F\u002F Fire-and-forget: persist chain profits without blocking the caller.\n \u002F\u002F\u002F Backpressure is enforced by the semaphore — if all permits are\n \u002F\u002F\u002F taken, the spawned task waits, but the caller returns immediately.\n pub fn save_profits_async(&self, chains: Vec<ChainProfit>) {\n let inner = self.inner.clone();\n let sem = self.semaphore.clone();\n\n tokio::spawn(async move {\n \u002F\u002F Acquire permit — this is where backpressure happens\n let _permit = match sem.acquire().await {\n Ok(p) => p,\n Err(_) => {\n tracing::warn!(\"semaphore closed, dropping write\");\n return;\n }\n };\n\n if let Err(e) = inner.batch_update_profits(&chains).await {\n tracing::error!(\n error = %e,\n count = chains.len(),\n \"fire-and-forget write failed\"\n );\n }\n \u002F\u002F _permit dropped here — next queued task proceeds\n });\n }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>This decorator pattern (R-004 in our codebase conventions) keeps the inner \u003Ccode>ChainStore\u003C\u002Fcode> pure — it knows nothing about concurrency control. The decorator handles semaphore management, error logging, and task spawning. The ServiceLocator wires them together:\u003C\u002Fp>\n\u003Cpre>\u003Ccode class=\"language-rust\">\u002F\u002F In locator\u002Fmod.rs\nlet chain_store = Arc::new(PgChainStore::new(db_pool.clone()));\nlet async_chain_store = AsyncChainStore::new(chain_store, 20);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Why not just use the database pool’s built-in connection limit? Because the semaphore gives you a separate knob. Your pool might have 50 connections, but you want fire-and-forget writes to use at most 20, reserving 30 for latency-critical reads. The semaphore enforces this partitioning at the application level.\u003C\u002Fp>\n\u003Ch2 id=\"deadlock-scenarios\">Deadlock Scenarios\u003C\u002Fh2>\n\u003Cp>Semaphore deadlocks are insidious because they don’t cause a panic or an error — the program simply stops making progress. Here are the patterns we’ve encountered in production.\u003C\u002Fp>\n\u003Ch3>Scenario 1: Permit Not Released on Early Return\u003C\u002Fh3>\n\u003Cpre>\u003Ccode class=\"language-rust\">async fn process_batch(sem: &Semaphore, batch: &[Chain]) -> Result<()> {\n let permit = sem.acquire().await?;\n\n \u002F\u002F Early return if batch is empty — BUT permit is still held!\n if batch.is_empty() {\n return Ok(()); \u002F\u002F permit dropped here — actually fine in this case\n }\n\n \u002F\u002F The real danger: storing the permit in a struct that outlives the scope\n let ctx = ProcessingContext {\n permit: Some(permit), \u002F\u002F permit moved into struct\n batch,\n };\n\n \u002F\u002F If process() stores ctx somewhere long-lived, permit is leaked\n process(ctx).await?;\n Ok(())\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>The RAII guard protects you against most early returns. The danger comes when you move the permit into a struct that escapes the expected lifetime — stored in a \u003Ccode>HashMap\u003C\u002Fcode>, sent through a channel, or held in a \u003Ccode>static\u003C\u002Fcode>.\u003C\u002Fp>\n\u003Ch3>Scenario 2: Nested Acquire (Self-Deadlock)\u003C\u002Fh3>\n\u003Cpre>\u003Ccode class=\"language-rust\">async fn simulate_and_persist(\n sem: &Semaphore,\n chain: &Chain,\n) -> Result<()> {\n let _outer = sem.acquire().await?; \u002F\u002F Takes 1 of N permits\n\n let result = simulate(chain).await?;\n\n \u002F\u002F BUG: acquiring the SAME semaphore inside a held permit\n let _inner = sem.acquire().await?; \u002F\u002F If N=1, deadlock. If N>1, reduces throughput\n persist(result).await?;\n\n Ok(())\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>With \u003Ccode>N=1\u003C\u002Fcode>, this is an instant deadlock. With \u003Ccode>N>1\u003C\u002Fcode>, it works until load increases and all permits are held by tasks waiting for their inner acquire. The fix: use separate semaphores for separate concerns, or restructure to avoid nested acquisition.\u003C\u002Fp>\n\u003Ch3>Scenario 3: Permit Held Across Await Points in Select\u003C\u002Fh3>\n\u003Cpre>\u003Ccode class=\"language-rust\">async fn process_with_timeout(sem: &Semaphore) -> Result<()> {\n let permit = sem.acquire().await?;\n\n tokio::select! {\n result = do_work() => {\n result?;\n }\n _ = tokio::time::sleep(Duration::from_secs(30)) => {\n tracing::warn!(\"timeout, but permit is still held until drop\");\n \u002F\u002F If do_work() is cancelled but its future holds resources\n \u002F\u002F that reference the permit indirectly, you get a leak\n }\n }\n \u002F\u002F permit dropped here — this is actually correct\n \u002F\u002F BUT: if do_work() spawns a sub-task that captures the permit, the\n \u002F\u002F cancellation of do_work() does NOT cancel the sub-task\n Ok(())\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>The \u003Ccode>select!\u003C\u002Fcode> macro cancels the losing branch by dropping its future, but any tasks spawned inside that future continue running. If those tasks captured a reference to the permit (or a clone of an \u003Ccode>OwnedSemaphorePermit\u003C\u002Fcode>), the permit is not released when expected.\u003C\u002Fp>\n\u003Ch2 id=\"diagnosing-semaphore-deadlocks\">Diagnosing Semaphore Deadlocks\u003C\u002Fh2>\n\u003Cp>When your system stops making progress, how do you identify a semaphore deadlock versus a slow dependency?\u003C\u002Fp>\n\u003Ch3>Tracing-Based Diagnosis\u003C\u002Fh3>\n\u003Cp>Instrument acquire\u002Frelease with structured logging:\u003C\u002Fp>\n\u003Cpre>\u003Ccode class=\"language-rust\">let permits_before = semaphore.available_permits();\ntracing::debug!(\n available = permits_before,\n \"acquiring semaphore permit\"\n);\n\nlet _permit = semaphore.acquire().await?;\n\ntracing::debug!(\n available = semaphore.available_permits(),\n \"acquired semaphore permit\"\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>If your logs show “acquiring” but never “acquired”, all permits are held somewhere. Correlate with the last N “acquired” log entries to find who is holding them.\u003C\u002Fp>\n\u003Ch3>Prometheus Metrics\u003C\u002Fh3>\n\u003Cp>Expose a gauge metric for available permits:\u003C\u002Fp>\n\u003Cpre>\u003Ccode class=\"language-rust\">use metrics::gauge;\n\n\u002F\u002F In your decorator or middleware\ngauge!(\"semaphore_available_permits\", semaphore.available_permits() as f64);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>A gauge that drops to zero and stays there is a deadlock. A gauge that hovers near zero but fluctuates is contention (high load, possibly needs more permits).\u003C\u002Fp>\n\u003Ch3>tokio-console\u003C\u002Fh3>\n\u003Cp>\u003Ccode>tokio-console\u003C\u002Fcode> is a diagnostic tool that attaches to a running tokio application and shows task states in real time:\u003C\u002Fp>\n\u003Cpre>\u003Ccode class=\"language-bash\">cargo add --dev console-subscriber\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cpre>\u003Ccode class=\"language-rust\">\u002F\u002F In main.rs (debug builds only)\n#[cfg(debug_assertions)]\nconsole_subscriber::init();\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Run \u003Ccode>tokio-console\u003C\u002Fcode> in another terminal and look for tasks stuck in “Idle” state on a semaphore acquire. The tool shows you exactly which task is waiting and for how long.\u003C\u002Fp>\n\u003Ch2 id=\"production-hardened-solutions\">Production-Hardened Solutions\u003C\u002Fh2>\n\u003Ch3>Solution 1: Always Use OwnedSemaphorePermit with Arc\u003C\u002Fh3>\n\u003Cp>When spawning tasks, prefer \u003Ccode>acquire_owned()\u003C\u002Fcode> over \u003Ccode>acquire()\u003C\u002Fcode>. The owned variant takes \u003Ccode>Arc<Semaphore>\u003C\u002Fcode> and returns a permit that does not borrow the semaphore — it owns a clone of the \u003Ccode>Arc\u003C\u002Fcode>. This avoids lifetime issues entirely:\u003C\u002Fp>\n\u003Cpre>\u003Ccode class=\"language-rust\">let semaphore = Arc::new(Semaphore::new(20));\n\nfor item in items {\n let permit = semaphore.clone().acquire_owned().await?;\n\n tokio::spawn(async move {\n \u002F\u002F permit is moved into the task — no borrow issues\n do_work(item).await;\n drop(permit); \u002F\u002F explicit drop for clarity, or let scope handle it\n });\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Solution 2: Acquire with Timeout\u003C\u002Fh3>\n\u003Cp>Never wait indefinitely for a permit in production. Use \u003Ccode>tokio::time::timeout\u003C\u002Fcode> to detect deadlocks early:\u003C\u002Fp>\n\u003Cpre>\u003Ccode class=\"language-rust\">use tokio::time::{timeout, Duration};\n\nlet permit = timeout(\n Duration::from_secs(30),\n semaphore.acquire(),\n).await\n .map_err(|_| anyhow!(\"semaphore acquire timed out — possible deadlock\"))?\n .map_err(|_| anyhow!(\"semaphore closed\"))?;\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>When the timeout fires, log the available permits, the number of waiting tasks, and a stack trace. This gives you immediate visibility into the deadlock without bringing down the process.\u003C\u002Fp>\n\u003Ch3>Solution 3: Structured Concurrency with JoinSet\u003C\u002Fh3>\n\u003Cp>Instead of unbounded \u003Ccode>tokio::spawn\u003C\u002Fcode>, use \u003Ccode>tokio::task::JoinSet\u003C\u002Fcode> to maintain ownership of spawned tasks and pair it with a semaphore:\u003C\u002Fp>\n\u003Cpre>\u003Ccode class=\"language-rust\">use tokio::task::JoinSet;\n\nlet semaphore = Arc::new(Semaphore::new(20));\nlet mut join_set = JoinSet::new();\n\nfor batch in batches {\n let permit = semaphore.clone().acquire_owned().await?;\n let db_pool = db_pool.clone();\n\n join_set.spawn(async move {\n let result = process_batch(&db_pool, &batch).await;\n drop(permit); \u002F\u002F release before the JoinSet collects\n result\n });\n}\n\n\u002F\u002F Drain all tasks — collect errors instead of silently losing them\nwhile let Some(result) = join_set.join_next().await {\n match result {\n Ok(Ok(())) => {}\n Ok(Err(e)) => tracing::error!(error = %e, \"batch processing failed\"),\n Err(e) => tracing::error!(error = %e, \"task panicked\"),\n }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>This pattern ensures: (1) bounded concurrency via semaphore, (2) no silent task failures, (3) the parent task knows when all children complete, (4) permits are always released even if a task panics (because \u003Ccode>JoinSet::join_next\u003C\u002Fcode> returns \u003Ccode>JoinError\u003C\u002Fcode> for panicked tasks, and the permit is dropped with the task’s state).\u003C\u002Fp>\n\u003Ch3>Solution 4: Separate Semaphores for Separate Concerns\u003C\u002Fh3>\n\u003Cp>Never share a single semaphore across unrelated operations. In our MEV pipeline, we use separate semaphores for:\u003C\u002Fp>\n\u003Cpre>\u003Ccode class=\"language-rust\">pub struct ConcurrencyLimits {\n \u002F\u002F\u002F Limits concurrent RPC simulation calls to the node\n pub simulation: Arc<Semaphore>,\n \u002F\u002F\u002F Limits concurrent database writes for chain persistence\n pub db_writes: Arc<Semaphore>,\n \u002F\u002F\u002F Limits concurrent mempool subscription handlers\n pub mempool: Arc<Semaphore>,\n}\n\nimpl ConcurrencyLimits {\n pub fn new() -> Self {\n Self {\n simulation: Arc::new(Semaphore::new(4)), \u002F\u002F node can handle 4 parallel batches\n db_writes: Arc::new(Semaphore::new(20)), \u002F\u002F 20 of 50 pool connections\n mempool: Arc::new(Semaphore::new(100)), \u002F\u002F 100 concurrent tx handlers\n }\n }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>This eliminates the nested acquire deadlock entirely — a task acquires \u003Ccode>simulation\u003C\u002Fcode> permit, then \u003Ccode>db_writes\u003C\u002Fcode> permit, and these are independent pools.\u003C\u002Fp>\n\u003Ch2 id=\"performance-semaphore-overhead\">Performance: Semaphore Overhead\u003C\u002Fh2>\n\u003Cp>Is the semaphore itself a bottleneck? In practice, no. \u003Ccode>tokio::sync::Semaphore\u003C\u002Fcode> is implemented with an atomic counter and an intrusive linked list of waiters. Acquiring an uncontested permit is a single \u003Ccode>fetch_sub\u003C\u002Fcode> — nanoseconds. Even under contention, the overhead is the waker notification (also nanoseconds) versus the milliseconds your actual I\u002FO takes.\u003C\u002Fp>\n\u003Cp>We benchmarked semaphore overhead in our pipeline:\u003C\u002Fp>\n\u003Ctable>\u003Cthead>\u003Ctr>\u003Cth>Operation\u003C\u002Fth>\u003Cth>Without Semaphore\u003C\u002Fth>\u003Cth>With Semaphore (20 permits)\u003C\u002Fth>\u003C\u002Ftr>\u003C\u002Fthead>\u003Ctbody>\n\u003Ctr>\u003Ctd>10,000 DB writes\u003C\u002Ftd>\u003Ctd>1,340ms (all concurrent, pool exhaustion errors)\u003C\u002Ftd>\u003Ctd>1,580ms (controlled, zero errors)\u003C\u002Ftd>\u003C\u002Ftr>\n\u003Ctr>\u003Ctd>500 RPC simulations\u003C\u002Ftd>\u003Ctd>8,200ms (node overloaded, timeouts)\u003C\u002Ftd>\u003Ctd>9,100ms (4 at a time, zero timeouts)\u003C\u002Ftd>\u003C\u002Ftr>\n\u003Ctr>\u003Ctd>Memory (2.7M tasks)\u003C\u002Ftd>\u003Ctd>15.4 GB\u003C\u002Ftd>\u003Ctd>0.8 GB (batched with JoinSet)\u003C\u002Ftd>\u003C\u002Ftr>\n\u003C\u002Ftbody>\u003C\u002Ftable>\n\u003Cp>The 10-15% wall-clock overhead is negligible compared to eliminating errors, timeouts, and OOM crashes.\u003C\u002Fp>\n\u003Ch2 id=\"conclusion\">Conclusion\u003C\u002Fh2>\n\u003Cp>Semaphores in async Rust are deceptively simple — \u003Ccode>acquire\u003C\u002Fcode>, do work, drop the permit. The complexity emerges in production: permits leaked into long-lived structs, nested acquires across call stacks, permits held across \u003Ccode>select!\u003C\u002Fcode> cancellation boundaries.\u003C\u002Fp>\n\u003Cp>The defensive playbook:\u003C\u002Fp>\n\u003Col>\n\u003Cli>\u003Cstrong>Always\u003C\u002Fstrong> use \u003Ccode>acquire_owned()\u003C\u002Fcode> when spawning tasks\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Always\u003C\u002Fstrong> wrap acquire in a timeout\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Never\u003C\u002Fstrong> nest acquires on the same semaphore\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Separate\u003C\u002Fstrong> semaphores for separate resource pools\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Instrument\u003C\u002Fstrong> available permits with metrics and tracing\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Use JoinSet\u003C\u002Fstrong> instead of unbounded \u003Ccode>tokio::spawn\u003C\u002Fcode> to maintain structured concurrency\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Cp>These patterns have held up across millions of blocks processed, hundreds of thousands of concurrent tasks, and zero deadlocks in production since adopting them.\u003C\u002Fp>\n","en","b0000000-0000-0000-0000-000000000001",true,"2026-03-28T10:44:24.194389Z","Semaphores in Async Rust — Deadlock Hunting and Fire-and-Forget Patterns","Deep dive into tokio::sync::Semaphore for backpressure, fire-and-forget writes, deadlock diagnosis, and production solutions with RAII permits and structured concurrency.","rust semaphore async",null,"index, follow",[22,27],{"id":23,"name":24,"slug":25,"created_at":26},"c0000000-0000-0000-0000-000000000022","Performance","performance","2026-03-28T10:44:21.513630Z",{"id":28,"name":29,"slug":30,"created_at":26},"c0000000-0000-0000-0000-000000000001","Rust","rust","Engineering",[33,39,45],{"id":34,"title":35,"slug":36,"excerpt":37,"locale":12,"category_name":31,"published_at":38},"d0200000-0000-0000-0000-000000000003","Why Bali Is Becoming Southeast Asia's Impact-Tech Hub in 2026","why-bali-becoming-southeast-asia-impact-tech-hub-2026","Bali ranks #16 among Southeast Asian startup ecosystems. With a growing concentration of Web3 builders, AI sustainability startups, and eco-travel tech companies, the island is carving a niche as the region's impact-tech capital.","2026-03-28T10:44:37.748283Z",{"id":40,"title":41,"slug":42,"excerpt":43,"locale":12,"category_name":31,"published_at":44},"d0200000-0000-0000-0000-000000000002","ASEAN Data Protection Patchwork: A Developer's Compliance Checklist","asean-data-protection-patchwork-developer-compliance-checklist","Seven ASEAN countries now have comprehensive data protection laws, each with different consent models, localization requirements, and penalty structures. Here is a practical compliance checklist for developers building multi-country applications.","2026-03-28T10:44:37.374741Z",{"id":46,"title":47,"slug":48,"excerpt":49,"locale":12,"category_name":31,"published_at":50},"d0200000-0000-0000-0000-000000000001","Indonesia's $29 Billion Digital Transformation: Opportunities for Software Companies","indonesia-29-billion-digital-transformation-opportunities-software-companies","Indonesia's IT services market is projected to reach $29.03 billion in 2026, up from $24.37 billion in 2025. Cloud infrastructure, AI, e-commerce, and data centers are driving the fastest growth in Southeast Asia.","2026-03-28T10:44:37.349311Z",{"id":13,"name":52,"slug":53,"bio":54,"photo_url":19,"linkedin":19,"role":55,"created_at":56,"updated_at":56},"Open Soft Team","open-soft-team","The engineering team at Open Soft, building premium software solutions from Bali, Indonesia.","Engineering Team","2026-03-28T08:31:22.226811Z"]