Dogpile: build and tame the herd

Build a small cache-aside service with one expensive hot key, reproduce a measurable dogpile at the expiry instant under concurrent load, then implement and measure three mitigations — single-flight, a leased distributed lock, and XFetch — proving each collapses the origin recompute count with before/after numbers.

• Stand up a small HTTP service (Go, Node, or JVM) with a single hot endpoint backed by a cache-aside read against a deliberately slow origin: a recompute that sleeps ~200ms (and a tail mode that occasionally takes ~5s) and increments a global origin-recompute counter every time it runs.
• Reproduce the baseline dogpile: warm the key, let its TTL expire, and fire ~500–5000 concurrent requests across the expiry instant. Record the origin-recompute count, p99 latency, and the count of requests that fell through to the origin in the miss window.
• Implement local single-flight (e.g. singleflight.Group or an in-process keyed promise) and re-run the same load from a SINGLE instance; then run TWO or more instances behind a load balancer and show the origin count equals the instance count, not one — demonstrating per-process coalescing.
• Implement a distributed lock in Redis (SET key token NX PX) so exactly one instance recomputes fleet-wide; waiters serve stale or retry. Show the origin-recompute count drops to ~1 per expiry across all instances.
• Harden the lock: give it a TTL longer than the worst-case recompute, add a heartbeat that renews the lease while the holder is alive, release conditionally on the token (CAS delete), and fence the write with a monotonic token so a paused-and-resumed holder cannot overwrite a newer value. Demonstrate each guard with a fault-injection test (kill the holder; pause the holder past the lease).
• Implement XFetch (probabilistic early expiration): store the recompute-cost delta, and on each hit recompute early with probability rising via time() − delta * beta * log(rand()) ≥ expiry (beta ≈ 1). Re-run the same load and show the key effectively never expires under the herd — the first lucky reader refreshes alone and the origin count stays near 1 with no lock.
• Produce a comparison: for each strategy (none, local single-flight, distributed lease lock, XFetch) record origin-recompute count per expiry, p99 latency, and staleness exposure, all under the identical load.

• A before/after table across all four strategies: origin recomputes per expiry, p99 latency, and max staleness — measured under the same concurrent load, not estimated.
• The distributed-lock variant shows ~1 origin recompute per expiry fleet-wide, and the fault-injection tests prove (a) a killed holder is auto-released by the TTL with no deadlock and (b) a holder paused past its lease cannot overwrite the newer value (fenced write rejected).
• The XFetch variant shows the hot key recomputing early and alone before its TTL hits zero, keeping origin recomputes near 1 with no lock held.
• A one-paragraph write-up choosing a default strategy for this workload and justifying it against staleness tolerance, instance count, and recompute cost — and naming the failure each guard (lock TTL, lease renewal, fencing token) defends against.