Add mechanism to detect leaked references to mimirpb buffers

[tcard]

What this PR does

Adds a common.instrument-reference-leaks-pct flag. When set to >0, a percentage of gRPC BufferHolder objects (most prominently, WriteRequest) will be instrumented so that, once the buffer's reference count reaches zero, if there are remaining references to the buffer, a panic is thrown.

For this to work, either the object needs to come from a generated gRPC server using our custom global codec, or the newly introduced mimirpb.Unmarshal must be used.

Since ingester storage doesn't receive WriteRequests from gRPC anymore but from Kafka, storage/ingest now calls mimirpb.Unmarshal.

To-do: plumb this mechanism with the distributor too, which has its own unmarshaling path.

Which issue(s) this PR fixes or relates to

Follow up of #13573

Checklist

• Tests updated.
• Documentation added.
• CHANGELOG.md updated - the order of entries should be [CHANGE], [FEATURE], [ENHANCEMENT], [BUGFIX]. If changelog entry is not needed, please add the changelog-not-needed label to the PR.
• about-versioning.md updated with experimental features.

---

Note

Introduces an experimental mechanism and flags to instrument a fraction of BufferHolder-backed gRPC buffers and detect leaked references, wiring it into the global codec and unmarshalling paths.

• Core/Runtime:
  • Add mimirpb.CustomCodecConfig and global codec registration; optional leak instrumentation using dedicated pages and delayed unmapping to detect stale references.
  • New mimirpb.Unmarshal(...) helper to use the global codec; replace direct unmarshalling in storage/ingest paths.
  • pkg/blockbuilder/tsdb: ensure request buffers are freed via defer req.FreeBuffer().
• Config/Flags:
  • New experimental block common.instrument_ref_leaks with flags: -common.instrument-reference-leaks.percentage, -common.instrument-reference-leaks.before-reuse-period, -common.instrument-reference-leaks.max-inflight-instrumented-bytes.
  • Wire config into CommonConfig, inheritance, help text, descriptors, defaults, and process setup.
• Tests:
  • Add tests for reference-leak detection, RW2 unmarshalling without leaks, and config inheritance.
• Docs/Changelog:
  • Update docs for new experimental feature and add CHANGELOG entry; help text reflects new flags.

^{Written by Cursor Bugbot for commit ff97b8c. This will update automatically on new commits. Configure here.}

[github-actions]

💻 Deploy preview available (Add mechanism to detect leaked references to mimirpb buffers):

• https://deploy-preview-mimir-13609-zb444pucvq-vp.a.run.app/docs/mimir/v3.0.x/
• https://deploy-preview-mimir-13609-zb444pucvq-vp.a.run.app/docs/helm-charts/mimir-distributed/latest/

[tcard]

I expected the revert 69ca33a to make the regression test I added to fail, but it doest in CI? It fails locally though:

 go test ./pkg/ingester/ -run=TestIngesterNoRW2MetadataRefLeaks -v
=== RUN   TestIngesterNoRW2MetadataRefLeaks
    ingester_test.go:9167:
        	Error Trace:	/Users/tcard/repos/mimir/pkg/ingester/ingester_test.go:9167
        	Error:      	reference leak detected
        	Test:       	TestIngesterNoRW2MetadataRefLeaks
        	Messages:   	addr: 140003f0210
--- FAIL: TestIngesterNoRW2MetadataRefLeaks (0.31s)

I'll increase the timeout. I've instead reworked NextRefLeakChannel to make it report negative detections too, and used that to make tests deterministic(-ish).

[tcard]

There's the regression failure, after reverting the fix:

  --- FAIL: TestIngesterNoRW2MetadataRefLeaks (0.41s)
      ingester_test.go:9169: 
          	Error Trace:	/__w/mimir/mimir/pkg/ingester/ingester_test.go:9169
          	Error:      	reference leak detected
          	Test:       	TestIngesterNoRW2MetadataRefLeaks
          	Messages:   	addr: 0xc000246420

I'll now reapply the fix.

[pracucci]

I took a quick look, not enough to do a proper review. I just left a couple of nits I noticed.

[pracucci]

Why not using it everywhere and add a faillint rule (defined in the Makefile) if the Unmarshal-function-with-receiver is called?

[tcard]

I think that's a good idea long-term, but maybe for now it's better to restrict its usage to the places I know work fine, and then introduce it everywhere else progressively. What do you think?

[pracucci]

nit: I suggest to change "pct" to "percentage". It will be consistent with other percentage-based settings we have.

[tcard]

7ca73a3

[tacole02]

Docs look good! I left a few minor suggestions. Thank you!

[cursor]

Bug: Missing initialization for YAML unmarshaling field

The InstrumentRefLeaksPct field is defined in commonConfigUnmarshaler but not initialized when creating the unmarshaler in UnmarshalCommonYAML. This means setting instrument_ref_leaks_pct under the common: section in YAML config will fail. Either the field should be removed from commonConfigUnmarshaler if inheritance isn't needed, or it should be initialized here like the other fields.

pkg/mimir/mimir.go#L716-L721

mimir/pkg/mimir/mimir.go

Lines 716 to 721 in da56796

	common := configWithCustomCommonUnmarshaler{
	Common: &commonConfigUnmarshaler{
	Storage: &specificStorageLocations,
	ClientClusterValidation: &specificClusterValidationLocations,
	},

 

---

[seizethedave]

If buf is (say) (0x70000000, 0x74000000] and immediately after this Munmap call returns, another instrumented pool buffer is mmapped that at least partially overlaps with that same range, then there can be times when dangling references to this buf are permitted to dereference data in the new buf without error. It may be more confidence-inspiring to claim "our new build served 500,000 requests out of the leak-instrumented pool with zero use-after-frees" if the guard mechanism is precise.

The idea I had was to have a long-lived MMapped buffer that has a cool-down time that is >> any reasonable request processing time. Which would have the same problem described above but only if there's a pathological request that runs for more than the cooldown time.

[tcard]

I had the same concern initially, but then noticed the docs for munmap say:

The munmap() system call deletes the mappings for the specified address range, and causes further references to addresses within the range to generate invalid memory references.

It seems to me the emphasized part guarantees that the address space range won't be reused, but maybe there's an implicit "... until the addresses are reused" in there.

[tcard]

Some more googling/LLMing and a short foray into OpenBSD's implementation point in the direction that you are right, and the address space can potentially be reused. Thanks for challenging this!

See b39485d

[cursor]

Bug: Missing FreeBuffer() call causes memory leak in block builder

The change from wr.Unmarshal(content) to mimirpb.Unmarshal(content, wr) now sets a buffer reference on the PreallocWriteRequest, requiring callers to invoke FreeBuffer() when done. While Ingester.PushToStorageAndReleaseRequest correctly calls req.FreeBuffer(), TSDBBuilder.PushToStorageAndReleaseRequest in pkg/blockbuilder/tsdb.go only calls mimirpb.ReuseSlice(req.Timeseries) without freeing the buffer. When reference leak instrumentation is enabled via common.instrument-reference-leaks-percentage, this causes mmap'd buffers to never be unmapped, resulting in memory leaks in the block builder path.

Additional Locations (1)

• pkg/storage/ingest/version.go#L193-L194

 

[tcard]

This sets a limit of 1000 WriteRequest buffers held up waiting. Is that too much maybe?

[seizethedave]

As I read this PR one concern I have is a queueing pileup one - we can dial in that X% of requests should get the instrumented pool, but in some cell it may work out that X% of requests may be a tipping point where requests take longer and longer and the number of mmapped regions grows until the process crashes.

To connect it to your question here, what if we have both an "X%" config knob but also a "maximum instrumented pools" knob so that we never exceed that limit. And then you don't need to limit the unmaps.

[tcard]

Good call, added a knob at f44250c

I have kept behavior of immediately unmapping if unmapQueue is full because it seems to me it's saner than the alternative of blocking and waiting.

[seizethedave]

I think that this now needs mprotect() so that the memory is rendered inaccessible between the free and unmap?

[tcard]

Yes indeed 🤦 I still need to actually verify this new machinery works.

[tcard]

Fixed at 325f3c6

[cursor]

Bug: Missing field causes nil pointer dereference in unmap

When sending an unmapTask to unmapQueue, the inflightInstrumentedBytes field is omitted from the struct literal, leaving it as nil. Later, when the background goroutine processes this task and calls unmap(), it will call inflightInstrumentedBytes.Sub() on a nil pointer, causing a panic. The struct literal needs to include inflightInstrumentedBytes: b.inflightInstrumentedBytes.

Additional Locations (1)

• pkg/mimirpb/custom.go#L328-L329

 

[cursor]

Bug: Test missing defer FreeBuffer causes memory leak

The v1 test case is missing defer wr.FreeBuffer() that was added to the v0 test case. This causes the mmap'd buffer to never be freed in tests. Since tests run with 100% instrumentation, every buffer is mmap'd, and without FreeBuffer() being called, the mmap'd memory is leaked. Additionally, the v0 test's defer wr.FreeBuffer() is also ineffective because the BufferHolder is immediately zeroed on line 101, clearing the buffer reference before the defer can run.

 

[tcard]

Testing ff97b8c under some real load, it's apparent that we're not calling WriteRequest.FreeBuffer everywhere we should. We need to plug those leaks before merging this.