Per-CPU bound on untracked memory to prevent OOMs

[azat]

Changelog category (leave one):

• Performance Improvement

Changelog entry (a user-readable short description of the changes that goes into CHANGELOG.md):

Per-CPU bound on untracked memory to prevent OOMs

Previously ClickHouse works memory overcommit was "max_untracked_memory*threads", which may in theory lead to ±40GiB of overcommited memory in a worst case scenario and 10K threads

By bounding maximum untracked memory to "ncpu*max_untracked_memory" we can avoid this massive memory overcommit, and also with default max_server_memory_usage_to_ram_ratio=0.9, all this memory is already reserved, so for now per-cpu memory is not reserved explicitly.

"max_untracked_memory" per query continues to control the per-thread accumulator and additionally sizes the thread's per-CPU bucket (rounded up to a power of two), so raising it opts that thread into looser tracking without affecting other queries.

Note, on Linux it uses librseq gives only ±1% (in the best case), so this patch has been removed from the patch set

[clickhouse-gh]

Workflow [PR], commit [30446d9]

Summary: ⏳

job_name	test_name	status	info	comment
Stateless tests (arm_asan_ubsan, targeted)		FAIL
	Server died	FAIL	cidb

---

AI Review

Summary

This PR adds a Linux-only process-wide PerCPUMemory budget to bound untracked memory by CPU instead of by thread count, plus server settings, tests, and a benchmark. The design is much stronger than the earlier bucket version, but the current code still loses the new bound on an allocation-limit exception path and leaves several server-setting surfaces inconsistent, so I do not think it is mergeable yet.

Missing context / blind spots

• ⚠️ CI for head 30446d93 is still mostly pending: the fetched Praktika PR report only had config and style complete, with performance comparison jobs pending. fetch_perf_report.py could not run locally because no clickhouse binary is in PATH. Completed performance comparison or benchmark numbers would close this gap.

Findings

❌ Blockers

• src/Common/CurrentMemoryTracker.cpp:88 The rollback path removes the thread's per-CPU contribution before calling MemoryTracker::allocImpl, but on MEMORY_LIMIT_EXCEEDED it restores only ThreadStatus::untracked_memory. A query that catches the exception can keep the previous deferred bytes outside per_cpu_memory, so the PR's bound is lost exactly on the OOM-prevention path. Restore or re-account the previous PerCPUMemoryThreadState contribution when rethrowing, or delay releasing it until the tracker update succeeds.

⚠️ Majors

• programs/server/Server.cpp:2322 clickhouse-local loads ServerSettings and installs total_memory_tracker, but never applies max_per_cpu_untracked_memory or per_cpu_untracked_memory_thread_buffer. The default per-CPU accounting is active there, while --max_per_cpu_untracked_memory=0 and buffer overrides are ignored. Wire the same settings in LocalServer next to max_server_memory_usage.
• programs/server/Server.cpp:2321 The new settings are applied on config reload, but system.server_settings will not report their current values because dumpToSystemServerSettingsColumns does not list them in changeable_settings. Add getters on PerCPUMemory if needed and expose the runtime values there.
• src/Common/PerCPUMemory.h:137 per_cpu_untracked_memory_thread_buffer=0 is silently ignored by setThreadBuffer, keeping the previous/default buffer. Either make 0 a real no-buffer value or reject/document it explicitly.
• src/Common/CurrentMemoryTracker.cpp [dismissed by author] The PR is categorized as Performance Improvement and changes the hot allocation/free path, but the current PR state does not include before/after measurements and the performance jobs are still pending. I still consider this real because existing broad perf tests are not evidence until their results are available for this head.

Tests

• ⚠️ Add a focused regression for the MEMORY_LIMIT_EXCEEDED rollback path: start with a non-zero deferred contribution, force a per-CPU flush that throws, catch it, and assert the previous bytes remain accounted in per_cpu_memory.
• ⚠️ Add coverage for the clickhouse-local setting path and for runtime visibility of max_per_cpu_untracked_memory / per_cpu_untracked_memory_thread_buffer through system.server_settings.
• ⚠️ Provide before/after benchmark or performance-comparison evidence for representative allocation/free patterns before relying on the Performance Improvement claim.

Final Verdict

Status: ❌ Block

Minimum required actions: fix the allocation-exception rollback, wire the settings consistently in clickhouse-local and system.server_settings, define 0 semantics for the thread buffer setting, and provide completed CI/performance evidence.

[Ergus]

This is labelled "Performance Improvement" but the primary goal is OOM prevention... a correctness/safety fix.

So I think this is an Improvement,

[azat]

This is labelled "Performance Improvement" but the primary goal is OOM prevention... a correctness/safety fix.

It is marked as so to run performance tests, and in some sense "OOM prevention" can be "performance improvement"

[azat]

@Ergus I do not like current implementation, will keep it as draft for now, and ping you/undraft once it will be ready

[clickhouse-gh]

These settings are only applied in clickhouse-server, but clickhouse-local also loads ServerSettings and installs total_memory_tracker in programs/local/LocalServer.cpp. With this change the process-wide per_cpu_memory default is active in clickhouse-local, yet --max_per_cpu_untracked_memory=0 and --per_cpu_untracked_memory_thread_buffer=... are silently ignored because LocalServer never calls setBudgetCapacity or setThreadBuffer.

Please wire the same settings in LocalServer next to max_server_memory_usage and min_allocation_size_to_throw_on_memory_limit, otherwise local runs and tests cannot tune or disable the new accounting behavior.

[clickhouse-gh]

The rollback restores only untracked_memory, but the per-CPU contribution has already been removed by reserve/release before this allocImpl call. If the flush throws MEMORY_LIMIT_EXCEEDED, the failed allocation is not made, while the previous unflushed bytes remain in ThreadStatus::untracked_memory with per_cpu_untracked_memory reset to zero. A query that catches the exception can then keep those bytes outside the per-CPU budget until a later allocation or free happens to re-reserve them, so the new bound is lost on the OOM path.

Please restore or re-account the previous PerCPUMemoryThreadState contribution together with previous_untracked_memory when the flush throws, or delay dropping the previous contribution until the tracker update has succeeded.

[clickhouse-gh]

These settings are applied on config reload, but system.server_settings will still report the stale value because dumpToSystemServerSettingsColumns only overrides current values for entries listed in its changeable_settings map. After an operator changes max_per_cpu_untracked_memory or per_cpu_untracked_memory_thread_buffer and reloads config, the new budget is active in per_cpu_memory but the system table continues to show the old/default value and changeable_without_restart = No.

Please add these settings to the runtime-current value path, with getters on PerCPUMemory if needed, so the observable server settings match the component state after reload.

[clickhouse-gh]

per_cpu_untracked_memory_thread_buffer is documented as a byte amount, but setThreadBuffer silently ignores 0 and keeps the previous/default buffer. That makes --per_cpu_untracked_memory_thread_buffer=0 unusable for disabling per-thread slack, and on reload it can leave an old value active while the config appears to request a stricter bound.

Please either store 0 as a real no-buffer value or reject/document it explicitly instead of falling back to the previous value.

[clickhouse-gh]

LLVM Coverage Report

Metric	Baseline	Current	Δ
Lines	84.40%	84.40%	+0.00%
Functions	92.40%	92.40%	+0.00%
Branches	77.00%	77.00%	+0.00%

Changed lines: Changed C/C++ lines covered by tests: 274/281 (97.51%) | Lost baseline coverage (was covered on master, now uncovered in this PR): 3 line(s) · Uncovered code

Full report · Diff report