Add allocator for memory backpressure

[hannahhoward]

Goals

With slow receiving peers, we can sometimes make major memory allocators in a selector traversal if the blocks we're traversing aren't being sent. We would like to slow down traversals with backpressure to prevent global allocations from going over a certain amount

Implementation

• Establish an allocator that will allocate and deallocate, against both a global total and a per peer total. The allocate command returns a channel when the allocation can be safely completed under both the global and per peer max (if it can be done currently under the global and per peer max the channel will read immediately)
• When deallocating, prioritize in the following order:
  • peers where pending next allocation will go under per peer max for that peer
  • if there are multiple that meet this criteria, prioritize peer with oldest pending allocation
• hook deallocator into notification system on peer responder sender
• add options for configuring allocator

[Stebalien]

I'm generally concerned here about never releasing allocations in some cases.

• Message sending fails.
• Peer disconnects.

This could cause us to slowly slow down then stop.

The main solution I can think of is a finalizer. That is, pass the block into the allocator and get back a "tracked block". The "tracked block" would have some form of "deallocate" method that would, at a minimum, be called on free.

[Stebalien]

Hm. can't this cause us to never release the memory?

[hannahhoward]

There are two cases this could happen -- first is if the whole graphsync instance shuts down, in which case, who cares.

The second is if the peer itself shuts down. I am working on a fix for this now.

[hannahhoward]

@Stebalien this should now be ready for review, I think.

The main addition I've added is the removal of allocations for a peer when it disconnects. You can see this in the ReleasePeerMemory method on the allocator. (I also removed allocation when blocksize = 0 case why block for nothing)

So regarding your comment:

• if message send fails, a notification is still sent, and published, which triggers a freeing of relevant memory
• if a peer disconnects, we now free ALL memory for that peer if any is allocated

Also, I felt it was pretty important to prove to myself that we've actually solved the allocation problem, so you can see I've made some changes in the benchmarks. Specifically, I have a large file transfer test (1GB). I've run it both as it currently stands -- with 128MB max for allocations (artificially low) and regular (with 4GB default, which means no back pressure during the request). Note that the connection bandwidth in the test is extremely slow -- so not much data is sent over the wire in the 10 seconds the test runs. At the time the test stops, minus backpressure, we should have created the conditions that triggered the memory issue people are seeing: the selector traversal is done, and we've queued up all the response messages but very few have gone out. With backpressure, the selector traversal should be held up, so that only some of the blocks have been read out of the blockstore, and we've only queued up messages up to the memory limit.

So, here's the results:

Without backpressure:

With backpressure:

I've outlined the area where you can see the different results are as expected. Note that I had to use Badger to replicate this case with the in memory data store reading blocks has no allocation penalty.

[Stebalien]

I haven't reviewed everything but this looks reasonable. I guess my main concerns are:

1. This may lead to a lot of work/allocations per block sent.
2. Related, we're playing a lot of games with channels just to avoid a lock. A single mutex would likely be faster and have less code.

[Stebalien]

These defaults seem way too high. I'd expect something on the order of megabytes. (e.g., 8MiB per peer, total of 128MiB). That should be more than enough, right?

[Stebalien]

(ideally we'd profile the affects on performance somehow)

[hannahhoward]

I'm thinking 256 / 16MB. I just don't want the jittery ness of holding up a selector traversal to end up with a pipe that's not maxed out. I could be super wrong? (seems like a thing that definitely merits profiling in the future)

[Stebalien]

a.ctx.Err()?

[Stebalien]

return a.ctx.Err()?

[Stebalien]

ditto.

[Stebalien]

nit: Any reason not to move this into run() as a defer? (then just invoke go a.run() here)

[Stebalien]

The external loop here is strange.

[Stebalien]

Do we have a max request limit? IIRC, we do so this shouldn't be a huge issue. However, in the future, we should consider something like:

1. Take a ticket to allow allocating. We'd have limits (per-peer and total) on the number of outstanding tickets.
2. Load the block.
3. Allocate space.
4. Release the ticket.

The ticket effectively measures the maximum amount of space we might need. Then we can convert to a real allocation to free up that space.

[Stebalien]

ultra-stylistic-nit-you-should-probably-ignore:

select {
case <-prs.allocator.AllocateBlockMemory(prs.p, blkSize):
case <-prs.ctx.Done():
    return false
}

[Stebalien]

LGTM!

[Stebalien]

nit: Personally, I think in MiB, GiB, etc. I'd find these easier to read as uint64(256<<20) and uint64(16<<20).