SIGABRT crash on search with huge limit

[timvisee]

Current Behavior

When searching with a huge limit such as 99999999999999999, Qdrant crashes with a SIGABRT.

Such limit is obviously unrealistic, but that doesn't mean we should accept the hard crash.

Steps to Reproduce

1. Create collection with 100k points: bfb -d 2
2. Do search request with a huge limit:

   POST collections/benchmark/points/search 
   {
     "limit": 99999999999999999,
     "vector": [0.1, 0.2]
   }

3. Watch Qdrant crash:

   memory allocation of memory allocation of 800000000000000008800000000000000008 bytes failed
    bytes failed
   fish: Job 1, './target/perf/qdrant' terminated by signal SIGABRT (Abort)

Expected Behavior

No matter he input, we prevent crashing in all cases. When using this on a cluster, you might take down 100% of the nodes instantly with one request.

Ideally we'd simply respond with the complete set of points as search result.

If that isn't possible, we should respond with an error explaining the specified limit is problematic.

Possible Solution

Here are some potential solutions, we probably want to pick one:

1. Memory allocation fails. We either want to test for memory availability or catch the allocation failure somehow so we can return an error to the user.

2. We could internally clamp the limit to the total number of points available in a collection. You cannot return more results than points you have. The total point count is somewhat unreliable though, which makes this hard to implement correctly.

3. We could implement a different code path for when a huge limit is set, this code path would sort search results in a different way not requiring us to allocate capacity for limit items.

4. We can also set an artificial upper bound for the limit, but I'd rather see any of the above solutions instead.

Detailed Description

As far as I understand, memory allocation fails in the fixed length priority queue we use during searches. It tries to allocate capacity for 99999999999999999 items, for which we do not have enough memory.

We had something else before, maybe it is better suited for huge limits not requiring such huge allocations.

[generall]

/bounty $100

[algora-pbc]

💎 $100 bounty • Qdrant

Steps to solve:

1. Start working: Comment /attempt #4321 with your implementation plan
2. Submit work: Create a pull request including /claim #4321 in the PR body to claim the bounty
3. Receive payment: 100% of the bounty is received 2-5 days post-reward. Make sure you are eligible for payouts

Thank you for contributing to qdrant/qdrant!

Add a bounty • Share on socials

Attempt	Started (GMT+0)	Solution
🟢 @kid-116	May 25, 2024, 6:46:14 AM	WIP
🟢 @xhjkl	May 26, 2024, 7:40:31 PM	#4328

[kid-116]

/attempt #4321

Options

• Cancel my attempt

[kid-116]

After an initial review, catching allocation failures with set_alloc_error_hook might be the most direct solution. The second proposal doesn't fully address the issue because allocation failures could still occur even when considering the total number of points in a collection. While the third option is an ideal solution, it requires a more in-depth discussion due to its complexity.

While set_alloc_error_hook offers a way to catch allocation errors, it's currently an experimental feature. If we decide to use this hook, we need to determine the appropriate level for catching the error. I think, we should catch it at the outer API layer to avoid complex error propagation from FixedLengthPriorityQueue initialization.

Being a beginner, I'd love to hear any suggestions or corrections anyone might have.

[generall]

Hey @kid-116, set_alloc_error_hook is an interesting suggestion, but it is unfortunately a nightly-only feature, while we are using stable rust.

Personally, I would try to try try_* for allocations, where possible.

[xhjkl]

/attempt #4321

I choose @timvisee's third option. There is a good chance I'm missing some nuances, because I can't really believe my one-liner fixes the bug.

My reasoning is that when a requestor actually does limit:999k they might mean "no limit at all." So I separated the two concepts: there is now the "requested hard limit," and the "capacity of the FixedLengthPriorityQueue." More precisely, the queue now allocates "oughta be enough" capacity in the hope that either the results will fit anyway, or it lets the heap reallocate subsequently. It's true that reallocations are not what we want, but I still foresee that after some tweaking of that threshold, this simplistic solution may be the most practical.

After my changes it will still crash if we have an actual huge collection on the storage. Reporting such errors is a next step after my submission.

Again, sorry if I misunderstood something trivial.

Options

• Cancel my attempt

[algora-pbc]

💡 @xhjkl submitted a pull request that claims the bounty. You can visit your bounty board to reward.

[algora-pbc]

@xhjkl: You've been awarded a $100 bounty by Qdrant! 👉 Complete your Algora onboarding to collect the bounty.

[timvisee]

Since #4328 is good enough for now, I'm closing this. Thanks!

[algora-pbc]

🎉🎈 @xhjkl has been awarded $100! 🎈🎊

• Share on socials
• Give feedback