Stop a finished job from being pulled back to running by a slower worker

[mihow]

Summary

When many ML workers process an async job at once, a job that has actually finished could end up still showing as "running", and a job that was cancelled or revoked could flip back to "succeeded". This happened because every result a worker posted re-saved the job's overall status together with its progress, so a slower worker working from an out-of-date snapshot could overwrite a newer status. Beyond the wrong label, this has a real cost: a job left wrongly in a running state stays claimable by workers through the task endpoint, so workers keep picking it up and newer jobs wait behind it.

This change makes the job's final status transition safe under that concurrency. A worker can no longer regress a job that another worker, the stale-job checker, or a user cancellation has already finished. It is the first, smaller half of the fix described in #1337 (the lost-update race on the job's progress/status); the counter-accumulation half is deferred to a separate design discussion.

List of Changes

1. A finished job no longer gets pulled back to "running" by a slow worker. The progress update now writes the progress detail and the overall status separately, and the status only moves to a terminal value (SUCCESS/FAILURE) from a still-running state — as a single database statement that can't be overwritten by a stale in-memory copy. Technical: in _update_job_progress (ami/jobs/tasks.py), status/finished_at are dropped from the progress-blob save(update_fields=...); the terminal transition is a guarded Job.objects.filter(pk=..., status__in=JobState.finalizable_states()).update(status=..., finished_at=...). This is statement-scope and holds no transaction-length lock, so it does not reintroduce the row-lock contention removed in fix(jobs): fixes for concurrent ML processing jobs #1261.
2. A cancelled or revoked job is never resurrected into "succeeded". Late-arriving results that complete the work leave a terminal/CANCELING job untouched. Technical: the guarded UPDATE only fires from finalizable_states(), which excludes terminal, CANCELING, and UNKNOWN states, so completion can't override them. This is a small, intentional behaviour change versus the previous code, which could flip CANCELING → SUCCESS. It aligns with CANCELLED jobs leak through /next filter, starve newer async_api jobs #1282/Clean up task queue when job is revoked or re-started, fix duplicate tasks #1283.
3. The set of states a job may finalize from now lives in one place. Technical: extracted JobState.finalizable_states() ([CREATED, PENDING, STARTED, RETRY] — running_states() minus CANCELING and UNKNOWN), with a short note on why those two are excluded, so the guard rule has a single source of truth for the remaining terminal-status writers to reuse.
4. Regression tests. TestConditionalTerminalTransition covers the guard logic directly: a completing worker does not resurrect a REVOKED job; a normal job still transitions STARTED → SUCCESS with finished_at set; a non-terminal progress update never writes the overall status; and a completion does not flip the JSONB summary.status of a REVOKED job. TestConcurrentStatusRace reproduces the actual lost-update interleave with real threads and database transactions — a slow worker reads the job while STARTED, another writer commits REVOKED, and only then does the slow worker save. This test fails on the pre-fix code (the stale save resurrects the job to SUCCESS) and passes with the guarded transition, so it is a genuine regression guard rather than a unit test of the guard in isolation.

Detailed Description

Since #1261 dropped the select_for_update that serialized progress writes (it was a contention bottleneck — see #1256), concurrent result handlers do an unlocked read-modify-write of the Job row. Two handlers reading the same snapshot and both saving the whole blob means one update is lost. The most damaging case is the status field: a stale STARTED overwriting a freshly-written terminal status. That both misreports the job and — because status drives claimability at the worker task endpoint — keeps a finished job in rotation, starving newer async jobs (the same shape as #1282).

This PR is Layer 1 of #1337: it makes the status transition atomic and non-regressing without re-adding a transaction-length lock. The counter accumulation (processed/failed/detection/classification counts in the progress blob) can still drift by a batch under race — that is Layer 2, deferred because the right shape (counter columns vs. a per-task table vs. Redis-as-source vs. an event log) depends on other consumers of per-image job history and needs a dedicated design pass. See #1337 for the plan.

Scope note: this hardens the result-handler status writer. The other terminal-status writers (the cancel path and the Celery task signal handlers) still do unguarded full-row saves; routing them through the same finalizable_states() guard is a focused fast-follow on top of this PR. #1324 should also be gated behind this change: its acks_late redelivery guard reads job.status, which is the field this PR makes reliable.

How to Test the Changes

• pytest ami/jobs/tests/test_tasks.py::TestConditionalTerminalTransition — the four guard cases.
• pytest ami/jobs/tests/test_tasks.py::TestConcurrentStatusRace — the real-concurrency race test. Check out the pre-fix commit to see it fail (the job is resurrected to SUCCESS), then this branch to see it pass.
• Full ami/jobs/tests/test_tasks.py and ami/jobs/tests/test_jobs.py pass locally.

Checklist

• I have tested these changes appropriately.
• I have added and/or modified relevant tests.
• I updated relevant documentation or comments.
• I have verified that this PR follows the project's coding standards.
• Any dependent changes have already been merged to main.

Refs #1337, #1282, #1283

Summary by CodeRabbit

• Bug Fixes

  • Prevented completed jobs from being incorrectly “resurrected” or moved to a non-terminal result due to concurrent or late progress updates (including revoked jobs).
  • Improved job progress handling so stage updates only affect completion indicators when the job is successfully transitioned to its final state.

• Tests

  • Added coverage for conditional terminal-state transitions.
  • Added a concurrency race test to ensure late worker updates never overwrite an already-terminal job status.

[netlify]

✅ Deploy Preview for antenna-preview canceled.

Name	Link
🔨 Latest commit	f347ff5
🔍 Latest deploy log	https://app.netlify.com/projects/antenna-preview/deploys/6a3491031ec3720008276571

[netlify]

✅ Deploy Preview for antenna-ssec canceled.

Name	Link
🔨 Latest commit	f347ff5
🔍 Latest deploy log	https://app.netlify.com/projects/antenna-ssec/deploys/6a3491038214550008c9b04c

[coderabbitai]

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 26252473-be81-46ce-b427-955c5f90081c

📥 Commits

Reviewing files that changed from the base of the PR and between 040eae0 and f347ff5.

📒 Files selected for processing (3)

• ami/jobs/models.py
• ami/jobs/tasks.py
• ami/jobs/tests/test_tasks.py

---

📝 Walkthrough

Walkthrough

_update_job_progress in ami/jobs/tasks.py is refactored to split progress persistence from status finalization: it now saves only progress/updated_at first, then performs a guarded terminal UPDATE constrained to pre-terminal active states. Comprehensive tests validate REVOKED preservation, SUCCESS promotion, progress-only persistence, non-overwrite of already-terminal status, and concurrent lost-update race prevention.

Changes

Guarded terminal transition in _update_job_progress

Layer / File(s)	Summary
Finalizable states contract ami/jobs/models.py	Adds JobState.finalizable_states() classmethod returning [CREATED, PENDING, STARTED, RETRY], explicitly excluding CANCELING and UNKNOWN to prevent resurrecting in-progress cancellations and non-terminal states.
Became-complete detection and guarded terminal UPDATE ami/jobs/tasks.py	After stage progress is updated, became_complete is computed and job.progress.summary.status is conditionally set to complete_state. Persistence is split: progress/updated_at are saved unconditionally via job.save(update_fields=[...]); a separate Job.objects.filter(status__in=finalizable_states()).update(...) applies the terminal transition only when the job remains in a pre-terminal state, with in-memory job.status/job.finished_at updated only on successful row update.
Test imports and guarded transition validation ami/jobs/tests/test_tasks.py	Imports threading and _update_job_progress for testing. TestConditionalTerminalTransition validates four scenarios: completing a results stage does not resurrect REVOKED jobs while persisting progress; completing all stages from STARTED sets SUCCESS and finished_at; both job.status and progress.summary.status remain REVOKED when already terminal; non-completing stage updates never overwrite already-terminal status. TestConcurrentStatusRace reproduces a lost-update race by patching internal count retrieval to pause mid-transaction, interleaving a worker's completion detection with a concurrent REVOKED transition, verifying final job status remains REVOKED after late results persist.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related issues

• Saving job progress concurrently is the root of multiple issues related to incorrect job statuses #1337 — This PR directly implements the "Conditional status transitions" fix described in that issue, preventing status resurrection (e.g., REVOKED → STARTED) via the guarded filter-scoped UPDATE.

Possibly related PRs

• RolnickLab/antenna#1114: Both PRs add guarded completion transitions in _update_job_progress based on per-stage progress, with #1114 introducing JobProgress.is_complete() and this PR adding the constrained UPDATE guard to prevent status resurrection.
• RolnickLab/antenna#1125: Both PRs modify _update_job_progress around became-complete detection and terminal status/finished_at assignment when all stage progress completes.
• RolnickLab/antenna#1261: Both PRs modify _update_job_progress to change how concurrent progress/status terminal transitions are persisted within atomic transactions, addressing the same race-condition surface.

Poem

🐇 A rabbit once watched two workers race,
Both finishing jobs at the very same pace.
"REVOKED!" cried one—but the other said "STARTED!"
Now a guarded UPDATE keeps the wrong state departed.
No status shall resurrect, no zombie shall rise,
The terminal stays terminal—hooray for the wise! 🎉

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 42.86% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: preventing a finished job from reverting to running status due to slower workers, which is the core issue addressed in the PR.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description check	✅ Passed	The PR description is comprehensive and well-structured, covering all required template sections including summary, list of changes, detailed description, testing instructions, and a completed checklist.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/1337-conditional-status-transition

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

This PR hardens async job finalization under concurrent worker result posts so that stale workers cannot regress a job’s terminal status (e.g., SUCCESS → STARTED) or resurrect cancelled/revoked jobs into SUCCESS. It implements the first part of the fix discussed in #1337 by making terminal status transitions conditional/atomic at the database level while still allowing progress blob updates.

Changes:

• Split job progress persistence from terminal status persistence in _update_job_progress, and perform terminal transitions via a guarded single-statement UPDATE.
• Prevent late-arriving results from overriding terminal/CANCELING job statuses.
• Add regression tests covering revoked-job completion, normal success transition, and ensuring non-terminal progress updates don’t touch Job.status.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File	Description
ami/jobs/tasks.py	Makes terminal status transition conditional/atomic and stops progress saves from overwriting status/finished_at.
ami/jobs/tests/test_tasks.py	Adds regression tests validating the guarded terminal transition behavior under concurrency.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[mihow]

@coderabitai full review

[mihow]

Tested on arctia