Wandering Thoughts archives

2019-05-03

In Go, unsafe type conversions are still garbage collection safe

I was recently reading 'to slice or not to slice' (via), where one of the example ways of going from a slice to an array is the non-copying brute force approach with unsafe. To quote the first part of the example code:

bufarrayptr := (*[32]byte)(unsafe.Pointer(&buf[0])) // *[32]byte (same memory region)

(Here buf is a slice, and we'll assume that we've already verified that it has a len() of at least 32.)
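As a self-contained sketch of the whole thing (the buffer and its size here are made up for illustration, and the length check is the one we're assuming), this might look like:

package main

import (
    "fmt"
    "unsafe"
)

func main() {
    buf := make([]byte, 64)
    buf[0] = 0xff

    // unsafe conversions do no bounds checking, so the length
    // check is entirely on us.
    if len(buf) < 32 {
        panic("buf too short to view as a [32]byte")
    }
    bufarrayptr := (*[32]byte)(unsafe.Pointer(&buf[0]))

    // Both views refer to the same memory region.
    fmt.Println(bufarrayptr[0] == buf[0]) // true
}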

One of the things you might wonder about here is whether this is safe from garbage collection. After all, we're eventually discarding buf, the original and true reference to the slice and its backing array. Will the Go garbage collector someday free the memory involved even though we still have a reference to it in the form of bufarrayptr? On the one hand, we do have a reference to the backing array; on the other hand, we created the reference through the use of unsafe and thus went behind Go's back to do it.

(This would be an analog of the C mistake of retaining a pointer to something that you've free()'d.)

Conveniently, the answer is that memory reached through this unsafe type conversion is still safe from being garbage collected. As I discussed in Exploring how and why interior pointers keep entire objects alive, the Go garbage collector is blind to the types of pointers; it intrinsically knows the extent of each allocated block of memory, and any pointer to a block, of any type, is as good as any other pointer. The pointer does not have to be of the original type, and in fact it can generally be of a completely incorrect type. As far as garbage collection goes, I suspect that you can even get away with a pointer to a type that is larger than what you're actually pointing to.

(The Go language specification does not say that this has to work, although it does say a bit about unsafe. The unsafe package itself implicitly says that reinterpreting to a too-large type is invalid usage.)
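As an illustrative sketch of that garbage collection safety (illustrative only; one collection that doesn't free the memory proves nothing conclusive, and the names here are mine, not from the original article), we can drop the original slice entirely and still use the memory through the converted pointer:

package main

import (
    "fmt"
    "runtime"
    "unsafe"
)

// view returns an unsafe array view of a slice; once we return, the
// converted pointer is the only remaining reference to the backing
// array.
func view() *[32]byte {
    buf := make([]byte, 32)
    for i := range buf {
        buf[i] = byte(i)
    }
    return (*[32]byte)(unsafe.Pointer(&buf[0]))
}

func main() {
    ap := view()
    runtime.GC()        // the backing array must survive this collection
    fmt.Println(ap[31]) // still prints 31; the memory stayed alive
}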

There is an important consequence of this type blindness in the garbage collector if you are doing type conversions: what is and isn't a pointer is set permanently by the original type. When the Go runtime allocates memory initially, it records the 'shape' of that memory, including which portions of it are pointers. Regardless of how you reinterpret the memory, that original shape sticks to it, and that original shape is what the garbage collector uses when determining which pointers to follow to find more used memory and which bytes to ignore because they're not pointers. If you put non-pointer data in what the garbage collector thinks is a pointer, it will probably panic your program. If you put pointer data in what the garbage collector thinks is not a pointer, the garbage collector may decide that some memory is unused and free it even though you think you have a pointer to it; when you use that pointer later, you will be sad.

(In general, reinterpreting non-pointer memory as a pointer is not necessarily safe. The Go runtime does some things when you tell it you're modifying a pointer, and it makes no guarantees that those things will be safe if the actual memory did not start out its life as a pointer.)
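To make the 'pointer data in what the garbage collector thinks is not a pointer' failure mode concrete, here is a deliberately broken sketch that hides a pointer in a uintptr, which the garbage collector treats as a plain integer. Nothing forces this program to misbehave today, but the runtime makes no promises:

package main

import (
    "runtime"
    "unsafe"
)

func main() {
    x := new(int)
    *x = 42

    // To the garbage collector a uintptr is just an integer; it is
    // not traced as a reference even though it holds an address.
    u := uintptr(unsafe.Pointer(x))
    x = nil

    // With the real pointer gone, the allocation behind u is fair
    // game for this collection.
    runtime.GC()

    // Resurrecting a pointer from the integer is invalid use of
    // unsafe; p may point at freed (or, someday, moved) memory.
    p := (*int)(unsafe.Pointer(u))
    _ = p // actually dereferencing p here would be unsound
}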

PS: I think that this garbage-collection-safe behavior of unsafe.Pointer is implicitly guaranteed by the first unsafe.Pointer usage pattern. This isn't part of the language specification itself, but it is part of the current unsafe package specification, so it's pretty close. As a practical matter, I think the Go authors see this sort of usage as valid and are thus likely to support it for as long as possible.

programming/GoUnsafeTypeConvGCSafety written at 22:17:16

Some implications of using offset instead of delta() in Prometheus

I previously wrote about how delta() can be inferior to subtraction with offset, because delta() has to load the entire range of metric points and offset doesn't. In light of the issue I ran into recently with stale metrics and range queries, there turn out to be some implications and complexities of using offset in place of delta(), even if it lets you make queries that you couldn't otherwise do.

Let's start with the basics, which is that 'delta(mymetric[30d])' can theoretically be replaced with 'mymetric - mymetric offset 30d' to get the same result with far fewer metric points having to be loaded by Prometheus. This is an important issue for us, because we have some high-cardinality metrics that it turns out we want to query over long time scales like 30 or 90 days.

The first issue with the offset replacement is what happens when a particular set of labels for the metric didn't exist 30 days ago. Just like PromQL boolean operators (cf), PromQL math operators on vectors act as filters, so the subtraction silently drops all current metric points for mymetric whose label sets didn't exist 30 days ago. The fix for this is the inverse of ignoring stale metrics:

(mymetric - mymetric offset 30d) or mymetric

Here, if mymetric didn't exist 30 days ago we implicitly take its starting value as 0 and just consider the delta to be the current value of mymetric. Under some circumstances you may want a different delta value for 'new' metrics, which will require a different computation.
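For example, if you instead want label sets that are new within the period to contribute a delta of 0 rather than their current value, I believe you can write:

(mymetric - mymetric offset 30d) or (mymetric - mymetric)

Here 'mymetric - mymetric' is 0 for every label set that currently exists, and the or clause only fills that 0 in for label sets where the subtraction on the left produced nothing.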

The inverse situation is metric label sets that existed 30 days ago but don't exist now. As we saw in an earlier entry, the range query in the delta() version will include those time series, so they will flow through to the delta() calculation and be included in your final result set. Although the delta() documentation sort of claims otherwise, the actual code implementing delta() reasonably doesn't currently extrapolate samples that start and end significantly short of the full time range, so the delta() result will probably be just the change over the time series points that are available. In some cases this will be zero, but in others it will be uninteresting, and you would rather pretend that the time series has now gone to 0. Unfortunately, as far as I know there's no good way to do that.

If you only care about time series (ie label sets) that existed at the start of the time period, I think you can extend the previous case to:

((mymetric - mymetric offset 30d) or mymetric)
    or -(mymetric offset 30d)

(As before, this assumes that a time series that disappears is implicitly going to zero.)

If you care about time series that existed in the middle of the time range but not at either the beginning or the end, I think you're out of luck. The only way to sweep those up is a range query and using delta(), which runs the risk of a 'too many metric points loaded' error.

Unfortunately all of this is increasingly verbose, especially if you're using label matchers to restrict mymetric to only some values (because then you need to propagate those label restrictions into at least the or clauses). It's a pity that PromQL doesn't have a function to do all of this for us.
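For example, with a hypothetical label restriction of fs="/data" (a made-up matcher for illustration), even the short single-or version becomes:

(mymetric{fs="/data"} - mymetric{fs="/data"} offset 30d)
    or mymetric{fs="/data"}

The matchers have to be repeated in every clause, because an unrestricted mymetric in the or clause would sweep back in all of the label sets you were trying to filter out.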

I also have to modify something I said in my first entry on offset and delta(). Given all of these issues with appearing and disappearing time series, it's clear that optimizing delta() to not require the entire range is not as simple as it looks. It would probably require some deep hooks into the storage engine to say 'we don't need all the points, just the start and end points and their timestamps', and that machinery would only be useful for gauges (since counters already have to load the entire range and sweep over it looking for counter resets).

In our current usage we care more about how the current metrics got where they are than about what the situation was in the past; we are essentially looking backward to ask how disk space usage grew or shrank. If some past usage went to zero and disappeared, it's okay to exclude it entirely. There are some potentially tricky cases that might cause me to rethink that someday, but for now I'm going to use the shorter version with only one or, partly because Grafana makes it relatively painful to write complicated PromQL queries.

sysadmin/PrometheusDeltaVsOffsetII written at 00:45:45

