Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1qtfN5-00DSGa-Qj for pgsql-hackers@arkaria.postgresql.org; Fri, 20 Oct 2023 02:36:20 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1qtfN3-00BPCH-9s for pgsql-hackers@arkaria.postgresql.org; Fri, 20 Oct 2023 02:36:17 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1qtfN2-00BPC9-SQ for pgsql-hackers@lists.postgresql.org; Fri, 20 Oct 2023 02:36:17 +0000 Received: from mail.postgrespro.ru ([93.174.131.139]) by magus.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1qtfMy-001e2M-Fx for pgsql-hackers@lists.postgresql.org; Fri, 20 Oct 2023 02:36:16 +0000 Received: from [10.10.20.80] (node-b46.pool-113-53.dynamic.totinternet.net [113.53.56.70]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) (Authenticated sender: a.lepikhov@postgrespro.ru) by mail.postgrespro.ru (Postfix/587) with ESMTPSA id 4DF11E20E8E; Fri, 20 Oct 2023 05:36:10 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=postgrespro.ru; s=mx2023; t=1697769372; bh=dYx502/JCm7NN4pxWGNJTRn4pbQ0/bsxwWD9ENqWOCU=; h=Message-ID:Date:User-Agent:Subject:To:Cc:References:From: In-Reply-To:From; b=u+LBdqpxgXzhvXNoZDpuMyxC8FsmIpQn21EeaEz74JNduKBycPvm59u5ZAipeZaVQ gsyIGb6sIxoJQr2a/nzVSli9w/UcmCdhOIHS2hNOJq94lbaLKN2ZRKxvk0xNI4FPp6 pjyp/JOL5KjMtLAeEQ5WS55Jdu5ICUxxP6LWIZi8Z4CkCnCi5bgk9pEkEGMyG4ckXs ta4EcPjuvCqym/VM+D7X1aPu+wGjJAdlGRKG7iaECQAirDCUzm7IRWMEjyHicEJYWU Y5afGfW6a1y816uxGrZiQqrEM7ndiy8ct3iQgj0jSKwPmCAVOOV9Gw3eopjB0kZqm7 l/t9MxoUiAOig== Message-ID: Date: Fri, 20 Oct 2023 09:36:07 +0700 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: Add the ability to limit the amount of memory that can be allocated to backends. Content-Language: en-US To: Stephen Frost Cc: reid.thompson@crunchydata.com, Arne Roland , Andres Freund , "pgsql-hackers@lists.postgresql.org" , vignesh C , Justin Pryzby , Ibrar Ahmed , "stephen.frost" References: <457dd07b21810463d8dd282e48b99cd90c24a440.camel@crunchydata.com> <334ccda9d8790f2b80dc3fee787704b0621152da.camel@crunchydata.com> <94184680049d6bda0c85f1759af24d8127cfe895.camel@crunchydata.com> <7912c911af51d5cf28c611190bf3d463b9209343.camel@crunchydata.com> <4edafedc0f8acb12a2979088ac1317bd7dd42145.camel@crunchydata.com> <268e0ac7-8a81-4d65-8b40-b62c4b3f1bf9@postgrespro.ru> <48548d40-634b-4943-a737-3c9d95eacf06@postgrespro.ru> From: Andrei Lepikhov Organization: Postgres Professional In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On 20/10/2023 05:06, Stephen Frost wrote: > Greetings, > > * Andrei Lepikhov (a.lepikhov@postgrespro.ru) wrote: >> On 19/10/2023 02:00, Stephen Frost wrote: >>> * Andrei Lepikhov (a.lepikhov@postgrespro.ru) wrote: >>>> On 29/9/2023 09:52, Andrei Lepikhov wrote: >>>>> On 22/5/2023 22:59, reid.thompson@crunchydata.com wrote: >>>>>> Attach patches updated to master. >>>>>> Pulled from patch 2 back to patch 1 a change that was also pertinent >>>>>> to patch 1. >>>>> +1 to the idea, have doubts on the implementation. >>>>> >>>>> I have a question. I see the feature triggers ERROR on the exceeding of >>>>> the memory limit. The superior PG_CATCH() section will handle the error. >>>>> As I see, many such sections use memory allocations. What if some >>>>> routine, like the CopyErrorData(), exceeds the limit, too? In this case, >>>>> we could repeat the error until the top PG_CATCH(). Is this correct >>>>> behaviour? Maybe to check in the exceeds_max_total_bkend_mem() for >>>>> recursion and allow error handlers to slightly exceed this hard limit? >>> >>>> By the patch in attachment I try to show which sort of problems I'm worrying >>>> about. In some PП_CATCH() sections we do CopyErrorData (allocate some >>>> memory) before aborting the transaction. So, the allocation error can move >>>> us out of this section before aborting. We await for soft ERROR message but >>>> will face more hard consequences. >>> >>> While it's an interesting idea to consider making exceptions to the >>> limit, and perhaps we'll do that (or have some kind of 'reserve' for >>> such cases), this isn't really any different than today, is it? We >>> might have a malloc() failure in the main path, end up in PG_CATCH() and >>> then try to do a CopyErrorData() and have another malloc() failure. >>> >>> If we can rearrange the code to make this less likely to happen, by >>> doing a bit more work to free() resources used in the main path before >>> trying to do new allocations, then, sure, let's go ahead and do that, >>> but that's independent from this effort. >> >> I agree that rearranging efforts can be made independently. The code in the >> letter above was shown just as a demo of the case I'm worried about. >> IMO, the thing that should be implemented here is a recursion level for the >> memory limit. If processing the error, we fall into recursion with this >> limit - we should ignore it. >> I imagine custom extensions that use PG_CATCH() and allocate some data >> there. At least we can raise the level of error to FATAL. > > Ignoring such would defeat much of the point of this effort- which is to > get to a position where we can say with some confidence that we're not > going to go over some limit that the user has set and therefore not > allow ourselves to end up getting OOM killed. These are all the same > issues that already exist today on systems which don't allow overcommit > too, there isn't anything new here in regards to these risks, so I'm not > really keen to complicate this to deal with issues that are already > there. > > Perhaps once we've got the basics in place then we could consider > reserving some space for handling such cases.. but I don't think it'll > actually be very clean and what if we have an allocation that goes > beyond what that reserved space is anyway? Then we're in the same spot > again where we have the choice of either failing the allocation in a > less elegant way than we might like to handle that error, or risk > getting outright kill'd by the kernel. Of those choices, sure seems > like failing the allocation is the better way to go. I've got your point. The only issue I worry about is the uncertainty and clutter that can be created by this feature. In the worst case, when we have a complex error stack (including the extension's CATCH sections, exceptions in stored procedures, etc.), the backend will throw the memory limit error repeatedly. Of course, one failed backend looks better than a surprisingly killed postmaster, but the mix of different error reports and details looks terrible and challenging to debug in the case of trouble. So, may we throw a FATAL error if we reach this limit while handling an exception? -- regards, Andrey Lepikhov Postgres Professional