[STF] Migrate __stf/allocators/ from cuda_safe_call to cuda_try

[andralex]

Summary

First PR in a series migrating production STF headers off the abort-on-failure cuda_safe_call and onto the throw-on-failure cuda_try, so callers (Python wrappers, any exception-aware control flow) can recover from CUDA errors instead of having the process aborted underneath them.

Intentionally small -- two call sites in cudax/include/cuda/experimental/__stf/allocators/ -- so the conversion patterns can be reviewed before scaling up.

Changes

pooled_allocator.cuh

block_data_pool's constructor used cudaGetDeviceProperties via cuda_safe_call. Now uses the templated cuda_try<F>(args...) form -- which deduces the first-output substitution and returns the populated struct -- so the variable can be const-initialized:

const cudaDeviceProp prop = cuda_try<cudaGetDeviceProperties>(dev);
const size_t max_mem = prop.totalGlobalMem;

Leak audit on throw:

• The throw point is upstream of the only GPU allocation in the constructor (root_allocator.allocate(...)).
• All member subobjects unwound at the throw point have noexcept-clean destructors (data_place and block_allocator_untyped are shared_ptr pimpls).
• The single call site wraps construction in map.emplace(...), which is exception-safe.

adapters.cuh

stream_adapter::clear() was a for-each over the to_free vector with a lazy sync before the first blocking deallocation. Under cuda_safe_call a sync failure just aborted; converting to cuda_try exposed the lack of exception safety -- on a thrown sync, the unprocessed buffers would have been silently abandoned, and the destructor's _CCCL_ASSERT(cleared_or_moved, ...) would either lie or fire spuriously.

Rewritten to be transactional:

bool stream_synchronized = false;
while (!adapter_state->to_free.empty())
{
  const auto b = mv(adapter_state->to_free.back());
  adapter_state->to_free.pop_back();
  SCOPE(exit)
  {
    b.memory_node.deallocate(b.ptr, b.sz, stream);
  };

  if (!stream_synchronized && !b.memory_node.allocation_is_stream_ordered())
  {
    cuda_try(cudaStreamSynchronize(stream));
    stream_synchronized = true;
  }
}
cleared_or_moved = true;

On a throw from cudaStreamSynchronize:

• The just-popped buffer is still deallocated by its SCOPE(exit).
• to_free accurately holds the remaining un-deallocated entries.
• cleared_or_moved stays false.
• The caller can catch and retry clear(), or let the destructor's assertion fire with truthful state.

Inter-buffer deallocation order doesn't matter (each raw_buffer is independent), so popping from the back is the natural O(1) choice. mv(...back()) + pop_back() skips one shared_ptr refcount bump on data_place per iteration; the move is noexcept, so no half-moved-not-popped risk.

Explicit #include <cuda/experimental/__stf/utility/scope_guard.cuh> added rather than relying on transitive inclusion.

Migration pattern notes (for follow-ups)

• SAFE: pure queries with no in-flight CUDA state → direct cuda_try substitution. Prefer the templated cuda_try<F>(args...) form when the function has an out-parameter, so the result can be const-initialized.
• GUARDED: operations that need an undo step on failure → cuda_try + SCOPE(fail) for the rollback. Inside the SCOPE(fail) body, use cuda_safe_call, not cuda_try -- guard destructors are noexcept, so a thrown exception during unwinding would std::terminate.
• TRANSACTIONAL (this PR's clear() pattern): when looping over state to release, pop incrementally and use per-iteration SCOPE(exit) so the in-flight item is always freed and the remaining queue stays accurate on throw.
• KEEP: destructors and CUDA host callbacks remain cuda_safe_call. Same rationale -- those contexts are noexcept.
• Audit: "if this throws, will any subobject destructor on the unwind path need to make CUDA calls?" If yes, add a SCOPE(fail) rollback in the constructor body.

Test plan

• CI green (/ok to test triggered in comment below)
• No behavioral change on the success path

[andralex]

/ok to test b81c5df

[copy-pr-bot]

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 382cf721-e36a-4a8f-8799-6b6f62d7ee5f

📥 Commits

Reviewing files that changed from the base of the PR and between a9d287a and 5200237.

📒 Files selected for processing (1)

• cudax/include/cuda/experimental/__stf/allocators/adapters.cuh

🚧 Files skipped from review as they are similar to previous changes (1)

• cudax/include/cuda/experimental/__stf/allocators/adapters.cuh

---

📝 Walkthrough

Summary by CodeRabbit

• Bug Fixes

  • More robust resource cleanup: deallocations proceed even when stream synchronization reports errors; synchronization failures are reported after cleanup.
  • Improved exception-safety to avoid descriptor/resource leaks during cleanup failures.

• Performance Improvements

  • Stream synchronization is now performed lazily only when needed, reducing unnecessary stalls.
  • Reduced buffer handling overhead during deallocation for lower allocation latency.

• Stability

  • Device memory capacity discovery updated for more reliable device queries while preserving allocation caps.

important: ## Walkthrough

Stream adapter and pooled allocator update error-handling: stream_adapter::clear() drains pending buffers with lazy stream synchronization and deferred error propagation; pooled allocator constructor queries device properties via cuda_try initialization.

Changes

STF allocator error handling updates

Layer / File(s)	Summary
Stream adapter clear() draining and lazy sync cudax/include/cuda/experimental/__stf/allocators/adapters.cuh	Drains adapter_state->to_free with a pop_back() loop, captures the CUDA stream once, performs a single lazy cudaStreamSynchronize(stream) when encountering the first non-stream-ordered buffer (records the error), deallocates each popped raw_buffer immediately, and surfaces the recorded sync error via cuda_try.
Pooled allocator device property query modernization cudax/include/cuda/experimental/__stf/allocators/pooled_allocator.cuh	Replaces two-step cuda_safe_call(cudaGetDeviceProperties(&prop, dev)) with inline cuda_try<cudaGetDeviceProperties>(dev) initialization while preserving prop.totalGlobalMem-based capacity computation.

Possibly related PRs

• NVIDIA/cccl#8891: Introduces cuda_try output-parameter inference used here.

Suggested labels

stf

Suggested reviewers

• caugonnet
• alliepiper

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

cudax/include/cuda/experimental/__stf/allocators/pooled_allocator.cuh (1)

76-76: ⚡ Quick win

suggestion: qualify the new cuda_try<cudaGetDeviceProperties> call from the global namespace instead of relying on unqualified lookup in this header. As per coding guidelines, "All calls to free functions must be fully qualified starting from the global namespace, e.g., ::cuda::ceil_div, including calls to functions in the same namespace."

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: d250ca80-365d-4dfb-bde7-d7c11380d77c

📥 Commits

Reviewing files that changed from the base of the PR and between 740b3c0 and b81c5df.

📒 Files selected for processing (2)

• cudax/include/cuda/experimental/__stf/allocators/adapters.cuh
• cudax/include/cuda/experimental/__stf/allocators/pooled_allocator.cuh

[andralex]

Thanks for the review -- you were right on all counts. Fixed in 65d7e9a.

Restructured to avoid putting deallocate() in a noexcept context. The new flow captures the sync status, performs the deallocation normally (which can now throw safely), and then surfaces the sync error via cuda_try(sync_err) at a convenient throw point:

cudaError_t sync_err = cudaSuccess;
if (!stream_synchronized && !b.memory_node.allocation_is_stream_ordered())
{
  sync_err = cudaStreamSynchronize(stream);
  if (sync_err == cudaSuccess) { stream_synchronized = true; }
}

b.memory_node.deallocate(b.ptr, b.sz, stream);
cuda_try(sync_err);

No SCOPE guards, no noexcept body containing throwing code. The transactional invariant ("on throw, to_free accurately reflects what is pending and cleared_or_moved stays false") is preserved.

Also dropped the now-unused scope_guard.cuh include.

Side note for a follow-up PR: data_place_device::deallocate (data_place_impl.cuh:284) has the same cuda_try-inside-SCOPE(exit) anti-pattern for the cudaSetDevice rollback. Outside this PR's scope but worth a separate fix.

[andralex]

/ok to test 65d7e9a

[andralex]

/ok to test a9d287a

[andralex]

Bisect: reverted the 5200237 raw_buffer ctor change (memory_node(mv(memory_node_)) -> memory_node(memory_node_)) to isolate the H100 crash in cudax.test.stf.threads.axpy-threads-graph. CI investigator's leading hypothesis was that this ctor change combined with the new mv(...back()) + pop_back() in clear() was producing the malloc(): smallbin double linked list corrupted abort. Code review did not pin it down, so testing empirically. If this run goes green, the ctor mv was the culprit; if still red, the bug is in the clear() loop and needs deeper analysis.

[andralex]

/ok to test 5200237

[coderabbitai]

Actionable comments posted: 0

[caugonnet]

#9186 hopefully deal with these concurrency issues

[andralex]

/ok to test b772be7

[andralex]

/ok to test 7273e6a

[andralex]

/ok to test 8a3e21b

[andralex]

/ok to test a5af2e6

[andralex]

/ok to test

[copy-pr-bot]

/ok to test

@andralex, there was an error processing your request: E1

See the following link for more information: https://docs.gha-runners.nvidia.com/cpr/e/1/

[andralex]

/ok to test a13bdb9

[github-actions]

🥳 CI Workflow Results

🟩 Finished in 1h 45m: Pass: 100%/55 | Total: 1d 09h | Max: 1h 03m | Hits: 13%/191739

See results here.