Memory usage issues with large Apache httpd configuration files

[joohoi]

An user reported an memory usage issue in Certbot, and when investigating the cause I found out that our (very suboptimal) regexes caused the Augeas match memory usage to balloon out of proportions.

This only happens with really large configurations, and complex regexes however. The reporting users configuration had roughly 300 configuration files with 1500 lines each. I was able to create a much simplified file with similar effect. The effects start to be really visible after 40k lines, and at 80k lines augtool with stock httpd lens segfaults in startup on Debian stretch.

Please note that the regex is really suboptimal, and is used for backwards compatibility for environments with too old version of Augeas to support case insensitive regex flag 'i'. Using recent version and the case insensitive flag reduces the memory footprint roughly by two thirds, but it is still roughly 400 fold compared to actual configuration size.

How to reproduce

1. Modify the following template, repeating the line: AddType huge/memory usage 50k times.

<VirtualHost *:80>
	ServerName memory.issue
	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html
	<Directory /var/www/html>
		<IfModule mod_mime.c>
			# Repeat the following line 50k times
			AddType huge/memory       usage	
		</IfModule>
	</Directory>
</VirtualHost>

2. Copy the modified template to /etc/apache2/sites-available/memorybomb.conf

3. Start augtool -I httpd.aug

4. Use suboptimal regex:

match /files/etc/apache2/sites-available/*[label()=~regexp('.*\\.conf')]//*[self::directive=~regexp('([Ii][Nn][Cc][Ll][Uu][Dd][Ee])|([Ii][Nn][Cc][Ll][Uu][Dd][Ee])|([Ii][Nn][Cc][Ll][Uu][Dd][Ee][Oo][Pp][Tt][Ii][Oo][Nn][Aa][Ll])')]

5. Observe the memory usage, it should use roughly 2Gb of memory during the regex match, roughly 1000 times the on-disk size of the configuration.

[lutter]

Thanks for the detailed description. I am having trouble reproducing this behavior. I followed your instructions, and with a file where the line is repeated 50k times, memory usage only goes up to ~ 120MB.

It also doesn't seem to make a difference whether I use that match or not in terms of memory usage.

I tried this with augeas 1.8.0 (the version in stretch, AFAIK), augeas 1.10.0, and the latest from git HEAD with roughly the same results. I did all my experiments on Fedora 28; I'll try and get my hands on Debian Stretch, too.

Can you confirm that you see this crazy amount of memory used if you run augtool -At 'Httpd.lns incl /etc/apache2/sites-available/memorybomb.conf' quit ? I just want to make sure there isn't something else that factors into the memory use.

BTW, the -I httpd.aug in your example doesn't have an effect - you have to pass the directory that contains httpd.aug to -I, not the file itself.

[joohoi]

Can you confirm that you see this crazy amount of memory used if you run augtool -At 'Httpd.lns incl /etc/apache2/sites-available/memorybomb.conf' quit ? I just want to make sure there isn't something else that factors into the memory use.

I don't. The memory usage balloons out when while running the match. If I make the memorybomb.conf ~80k lines, I do see the segfault with that command though.

I'm running augeas version: 1.8.0-1+deb9u1

[lutter]

Thanks .. after trying some more (and realizing where I made an early morning mistake) I can reproduce this now. It looks like the amount of memory taken is related to the size of the regexp. I'll look into it.

[lutter]

I looked into this some more and have a good understanding of what's causing the issue. The basic problem is that the interpreter for path expressions does some very naive things (which are fine when you search over a few hundred nodes, but really hurt when you are dealing with 50k nodes) In particular, the interpreter recompiles the regex every time it needs to check a node (there's no lifting of constant expressions out of loops) and that the interpreter simplifies its memory management by not releasing memory until it's done evaluating a path expression. Those two together lead to the memory blowup.

Addressing that will take a bit of time; I have some POC code for lifting constant expressions which brings memory usage down from > 2GB to ~ 180MB. But since this is a fairly intrusive change, it needs more work and testing.

One thing I realized is that you can change your expression slightly: instead of //*[self::directive =~ regexp(...) ] use //directive[ . =~ regexp(...) ] That cuts down on the number of nodes that have to be compared against the regexp, and therefore produces less garbage during evaluation. In my testing, it brings memory usage down from ~ 2.2 GB to ~ 860MB - not a solution, but a decent bandaid, and the right thing to do anyway as it eliminates unnecessary computation.

I saw the segfault with 80k entries, too. I haven't looked into it, but it looks like it' s caused by an integer overflow in a part of the code that's unrelated to this problem. I'll look at that in more detail once I've got a handle on the memory usage.

[lutter]

At long last, PR #578 has a patch that reduces memory consumption for this issue a lot. In my testing, for a 50000 line httpd.conf, memory usage goes from ~ 2.2GB down to ~ 107MB. That's still a lot for a 1.7MB file, but it now seems that that memory is not used by the match statement but by something else.

If you have a chance to give this a spin, I would very much appreciate confirmation of my testing.