Fix potential memory leaks when a writable replica is promoted to primary after direct writes of keys with expiration#2953
Conversation
|
Can't we somewhere in replica write logic call Also, can you please signoff commits using |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## unstable #2953 +/- ##
============================================
- Coverage 74.29% 74.28% -0.01%
============================================
Files 129 129
Lines 70974 70977 +3
============================================
- Hits 52731 52727 -4
- Misses 18243 18250 +7
🚀 New features to boost your workflow:
|
Yes, currently, when a writable replica receives a write operation for a key with an expiration time, it invokes the rememberReplicaKeyWithExpire function. This function stores the key in the replicaKeysWithExpire dictionary, which is used to proactively and periodically clean up these expired keys on the replica. However, when the node is promoted to a primary, this dictionary is no longer required—and the current logic lacks any mechanism to clean it up, resulting in a memory leak. |
679a224 to
abb7706
Compare
Wow, that's unusual, don't you want to let your client to retry writes to primary after promotion? But the need to expire those keys makes sense to me. If we plan to have But other than that - LGTM |
At first, I also considered whether to place this piece of logic into |
|
If we have some key that shouldn't be here then we need to delete, I don't think we need a parameter here to control that, thats why maybe it's better to put this check alongside |
On second thought, your consideration makes sense. We can remove this newly added parameter as well—it will cut down unnecessary redundancy. I’ll make the changes. |
…pired keys to replica Signed-off-by: li-benson <1260437731@qq.com>
abb7706 to
db85fed
Compare
dvkashapov
left a comment
There was a problem hiding this comment.
LGTM but DCO is failing, need to signoff again
…pired keys to replica Signed-off-by: li-benson <1260437731@qq.com>
b473ef3 to
d89c876
Compare
IMO it is fine to keep the 2nd limitation (ie do NOT persist the replica written keys after failover) but #1 is something that needs attention IMO. maybe it is important to flush them and delete them when a replica is promoted, rather than to only delete the expiration dictionary? |
Yes, writing expired keys to a replica stores them in both the main dict and replica expiration dict (for proactive expiration). When the replica becomes primary, the replica expiration dict becomes obsolete and unused—undeniably a memory leak. Are you saying that besides this metadata, the actual replica-written keys & values are also unused by the primary and should be cleaned up (and not replicated to new replicas)? This is reasonable in theory, but seems overly radical to me. We cannot guarantee the primary will never need this data. In our failover scenario: traffic is switched to the replica first, then the replica is promoted to primary—we need this data post-promotion, so deleting it would contradict expectations. Maybe we can be conservative for the time being? |
I am saying that the "leak" is not really being fixed. not only the keys are kept on the primary follow the failover, they are also potentially replicated to the replicas which are performing full sync follow this failover.
I think there is no "good" solution in the existing implementation. Probably better solution should be that each key written on a replica is also recorded in the
We can. I think that for keys with expiration, they should probably get expired eventually, so I guess this will not introduce any degradation. |
ranshid
left a comment
There was a problem hiding this comment.
Overall looks simple enough. Left some comments.
One thing I do think about is if this should have been an info field or not?
I know some prefer avoid adding more and more info fields, but IMO it makes it much easier to identify issues and help debug cases when it is exposed in info.
@madolson (IIRC you said you prefer to avoid adding unnecessary info fields) WDYT?
…pired keys to replica Signed-off-by: li-benson <1260437731@qq.com>
ranshid
left a comment
There was a problem hiding this comment.
Overall LGTM, accept the indication via DEBUG command rather than an info field.
I know actually some other maintainers PREFER to avoid adding info fields, so will wait to hear their opinions
…pired keys to replica Signed-off-by: li-benson <1260437731@qq.com>
|
@li-benson IMO this can be placed in the Memory, Debug or Replication sections of the INFO output. Debug commands are mostly used in order to allow tests to run, but I find this information something that applications can still use in some ways. Personally I feel it can be part of the Memory section, since this is probably the main purpose of this data. |
…pired keys to replica Signed-off-by: li-benson <1260437731@qq.com>
I just found this information in info Stats: slave_expires_tracked_keys. It's redundant for me to use the debug command to get it, so I'll make a modification. |
…pired keys to replica Signed-off-by: li-benson <1260437731@qq.com>
…pired keys to replica Signed-off-by: li-benson <1260437731@qq.com>
…mary after direct writes of keys with expiration (valkey-io#2953) The bug mentioned in this valkey-io#2952 has been fixed. --------- Signed-off-by: li-benson <1260437731@qq.com>
…mary after direct writes of keys with expiration (valkey-io#2953) The bug mentioned in this valkey-io#2952 has been fixed. --------- Signed-off-by: li-benson <1260437731@qq.com> Signed-off-by: Harkrishn Patro <bunty.hari@gmail.com>
The bug mentioned in this #2952 has been fixed.