Remove lpAssertValidEntry from listpack functions to achieve up to 10% improvement on HSET command.#399
Conversation
|
@zuiderkwast I see you commented on the previous thread, are you aligned with this? This seems like a good idea. |
|
@madolson Yes, the original PR first just removed the validation and Oran complained that there may be corrupt data from unvalidated RDB or RESTORE. I think it's better to always validate on insert rather than on lookup, even though it may affect RDB loading time. @ashtul do you want to make a flamegraph of loading a dump with and without sanitizing? It would be good to have a view on this difference as well, just for reference. |
zuiderkwast
left a comment
There was a problem hiding this comment.
Now I looked at the diff. It still just removes validation.
If we remove validation on lookup, we must do validation on insert instead.
|
Here are some stats from when deep sanitization were introduced: redis/redis#7807 (comment). RESTORE deep is 80% slower than RESTORE shallow. |
|
If we always sanitize listpacks on load and no longer on lookup, then we shall also do the same for intset and stream. For zipmap and ziplist (no longer used) I think we always convert them when we load them from an old dump. Let's check that santitization is done in this case too. Then we should remove the config and ACL rules added in redis/redis#7807. (We can't remove them immediately but we can make them have no effect.) @madolson WDYT? |
|
The stats Oran showed might be skewed due to other improvements he has done as he writes What do you suggest validating an insert? Maybe validating As for stats, I will try to create them after the holiday. BTW, how hard would it be to add mechanism which will load data without sanitation but won't add the key until it is sanitized, possibly on a thread? |
We only need to validate when we're loading a dump that can contain corrupt data (RESTORE or RDB). A normal insert can't add invalid data.
Sounds good. Anyway, I can accept a little slower RDB loading. It's more important to avoid validate on lookup. Also, the system is simpler if we never load corrupt data.
I think that would be too complex. Are you suggesting using a background thread for that? Like #356? We can do that later maybe, if you have a good idea about it, but not in the same PR. |
|
It seems like all of this is the classic trade-off between security and speed. Since we can't have both, and there are situations that justify either choice, it appears to me that we should be giving the solution architect the ability to choose via a new configuration property. |
|
@daniel-house There is already a config for that. Just the possibility of having invalid data is what prevents us from removing these asserts. More important than load speed vs lookup speed IMO is the complexity aspect. The possibility of having invalid data in memory is a tech dept with a high maintenance cost IMO. |
|
@valkey-io/core-team Shall we remove the possibility to load potentially corrupt data? Yes 👍 or no 👎 (This is a core team vote, so non-core-team members, please don't vote on this comment. Feel free to comment in the thread though.) |
It seems I was unclear. I meant to put a config around removing these asserts. Allow the asserts to be disabled via a test performed inside the in-lined functions. |
|
Before I vote, to make sure I understand, the plan is to change the code so we always sanitize the load on RDB Restore and RDB Load so that we don't need to do these checks during runtime. I'm OK with that decision as long as we have performance numbers that we aren't dramatically (>25%) increased execution time on the load. |
|
@ashtul Sorry for the delay. Do you have any interest in updating this PR to perform the validation on the restore path. This would improve the normal runtime performance, and only slightly degrade the restore case which should happen less often. |
|
The decision was approved if we add the validation on the restore path. |
…functions Signed-off-by: Ariel Shtul <ashtul@gmail.com>
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## unstable #399 +/- ##
============================================
- Coverage 70.43% 70.07% -0.37%
============================================
Files 113 114 +1
Lines 61728 61705 -23
============================================
- Hits 43479 43237 -242
- Misses 18249 18468 +219
|
ff448df to
a7341b3
Compare
|
@madolson @zuiderkwast I need help with the tests. I am unfamiliar with |
zuiderkwast
left a comment
There was a problem hiding this comment.
What's missing in this PR is to always sanitize when loading dumps and on RESTORE.
a7341b3 to
fb8844a
Compare
c5206b5 to
4299eca
Compare
|
Hi @zuiderkwast, |
We are releasing 8.0 very soon. We are busy fixing the stability of this release, so this PR will have to wait until after 8.0 is released. What is missing in this PR is to make the config |
* remove sanitize-dump-payload w/o mayfail * remove mayfail tests * remove 767
If you haven't merged anything yet, it won't run automatically. I did run it and there is a format error, can you fix it? |
Signed-off-by: Madelyn Olson <madelyneolson@gmail.com>
Valkey's listpack is well tested and we do not fear a mistake during insertion. |
Yes, I meant when loading external data. "On insert" was unclear, sorry. You still didn't ensure we always do validation when loading external data. I'm waiting for that change. Currently, it is still possible to load corrupt data. |
|
@zuiderkwast I see your point. @madolson suggested to ignore the |
Yes, that sounds right.
We'll do this while/before loading it? We offload to a thread and then wait for all such jobs to complete before we actually load them? If we do it this way, then we can also return an error just like we do for I don't see how we can do it after loading it, because then we will already have corrupt data in the system and maybe already accessing it. |
…-listpack-functions
|
Reminder:
This is the decision we made long ago, as noted when the This PR is not relevant without the missing validation. |
Remove lpAssertValidEntry calls from lpNext, lpPrev, lpFirst, lpFind, and lpDeleteRangeWithEntry to eliminate redundant per-operation listpack validation. Safety is maintained by making deep_integrity_validation unconditional in rdbLoadObject, ensuring all data structures (listpack, intset, stream) are fully validated on every load path (RDB and RESTORE). This effectively makes sanitize-dump-payload a no-op. Benchmark results (Graviton3, 200 clients, P=32, 8 threads): 256-field hash HGET: +4.7% throughput (907K -> 950K rps) 256-field hash HSET: +1.2% throughput (688K -> 696K rps) 100-field hash HSET: +2.4% throughput (688K -> 704K rps) p99 latency (256-field HSET): -16% (11.15ms -> 9.38ms) RDB load (1M keys): +1% overhead (acceptable) Lightweight EOF position assertions from PR valkey-io#2027 remain intact. Takes over: valkey-io#399 Signed-off-by: jjuleslasarte <jules.lasarte@gmail.com>
Remove lpAssertValidEntry calls from lpNext, lpPrev, lpFirst, lpFind, and lpDeleteRangeWithEntry to eliminate redundant per-operation listpack validation. Safety is maintained by making deep_integrity_validation unconditional in rdbLoadObject, ensuring all data structures (listpack, intset, stream) are fully validated on every load path (RDB and RESTORE). This effectively makes sanitize-dump-payload a no-op. Benchmark results (Graviton3, 200 clients, P=32, 8 threads): 256-field hash HGET: +4.7% throughput (907K -> 950K rps) 256-field hash HSET: +1.2% throughput (688K -> 696K rps) 100-field hash HSET: +2.4% throughput (688K -> 704K rps) p99 latency (256-field HSET): -16% (11.15ms -> 9.38ms) RDB load (1M keys): +1% overhead (acceptable) Lightweight EOF position assertions from PR valkey-io#2027 remain intact. Takes over: valkey-io#399 Signed-off-by: jjuleslasarte <jules.lasarte@gmail.com>
Remove lpAssertValidEntry calls from lpNext, lpPrev, lpFirst, lpFind, and lpDeleteRangeWithEntry to eliminate redundant per-operation listpack validation. Safety is maintained by making deep_integrity_validation unconditional in rdbLoadObject, ensuring all data structures (listpack, intset, stream) are fully validated on every load path (RDB and RESTORE). This effectively makes sanitize-dump-payload a no-op. Benchmark results (Graviton3, 200 clients, P=32, 8 threads): 256-field hash HGET: +4.7% throughput (907K -> 950K rps) 256-field hash HSET: +1.2% throughput (688K -> 696K rps) 100-field hash HSET: +2.4% throughput (688K -> 704K rps) p99 latency (256-field HSET): -16% (11.15ms -> 9.38ms) RDB load (1M keys): +1% overhead (acceptable) Lightweight EOF position assertions from PR valkey-io#2027 remain intact. Takes over: valkey-io#399 Signed-off-by: jjuleslasarte <jules.lasarte@gmail.com>
Until now, deep santitization of listpack on load (RDB load, RESTORE) was configurable. That meant that we had to do validation on access and traversal of the listpack. This change: - Force sanitization of listpacks on load and import. - Deprecates the config `sanitize-dump-payload` and makes it a no-op. - Deprecates the ACL flags `skip-sanitize-payload` and `sanitize-payload`, ignoring them when loading old ACL files. - Removes validation asserts on access. Benefits: - Prevents deferred assertions, which would happen if unsanitized listpacks were loaded and later accessed, leading to server shutdown. - Improves read performance. Replaces: #399 Signed-off-by: jjuleslasarte <jules.lasarte@gmail.com>
|
Replaced by #3721. |
…key-io#3721) Until now, deep santitization of listpack on load (RDB load, RESTORE) was configurable. That meant that we had to do validation on access and traversal of the listpack. This change: - Force sanitization of listpacks on load and import. - Deprecates the config `sanitize-dump-payload` and makes it a no-op. - Deprecates the ACL flags `skip-sanitize-payload` and `sanitize-payload`, ignoring them when loading old ACL files. - Removes validation asserts on access. Benefits: - Prevents deferred assertions, which would happen if unsanitized listpacks were loaded and later accessed, leading to server shutdown. - Improves read performance. Replaces: valkey-io#399 Signed-off-by: jjuleslasarte <jules.lasarte@gmail.com>
Until now, deep santitization of listpack on load (RDB load, RESTORE) was configurable. That meant that we had to do validation on access and traversal of the listpack. This change: - Force sanitization of listpacks on load and import. - Deprecates the config `sanitize-dump-payload` and makes it a no-op. - Deprecates the ACL flags `skip-sanitize-payload` and `sanitize-payload`, ignoring them when loading old ACL files. - Removes validation asserts on access. Benefits: - Prevents deferred assertions, which would happen if unsanitized listpacks were loaded and later accessed, leading to server shutdown. - Improves read performance. Replaces: valkey-io/valkey#399 Signed-off-by: jjuleslasarte <jules.lasarte@gmail.com>
This PR come after a similar PR was declined on Redis repo redis/redis#11273 with additional info at redis/redis#11293.
The issue it comes to solve is excess checks for corrupted data whenever a listpack is traversing. There are flamecharts in the original PR show it can reach 10% improvement of common commands such a
HSETThe reasoning against the change is that the data can be corrupted if the
RESTOREcommand was used and with flagSANITIZE_DUMP_NO.IMO this isn't justified. To make all users pay a significant patently because a user can potentially load data without sanitizing it first, seems excessive. Anyone who does it must consider the server may crush.
This simple change can give ValKey a nice speed boost.
NOTE: the current tests fail b/c there are tests which load corrupted listpacks without sanitizing them first.