Design: bounded query execution — kernel fix for the /v1/query OOM (LLP 0054-0057) #215

Merged: philcunliffe merged 1 commit into master from llp/query-oom-bounded-execution, Jun 30, 2026
philcunliffe (Contributor) commented Jun 30, 2026

What

Design docs (LLP) capturing the settled 1+2+3 kernel fix for the /v1/query OOM — hyparam/hypaware-server#9. Docs only; no code.

Unbounded ORDER BY / high-cardinality GROUP BY / COUNT(DISTINCT …) over the ~495k-row ai_gateway_messages buffer the whole scan, then collect() re-materializes it, and the daemon is OOM-killed mid-request. These docs make peak execution memory a function of a per-query budget, not the scanned row count.

Documents

  • 0054 spec - bounded query execution: execution budget + threaded AbortSignal added to ExecuteSqlOptions on the public hypaware/core/query surface — explicitly distinct from the output-shaped ContextControls. Extends LLP 0015. This is the reusable budget primitive the server's LLP 0006 #result-caps V1 note named.
  • 0055 decision - stream scalar/distinct aggregates via scanColumn over row-buffering (lights squirreling's dormant fast path on icebird + the core unionSources + ai-gateway's schema wrapper).
  • 0056 decision - refuse over spill/truncate on budget exceed (spill = deferred follow-up; truncate is a wrong answer for aggregates).
  • 0057 plan — phased implementation across hypaware / squirreling / icebird / ai-gateway, with the @ref-to-add map and a bounded_query_refusal smoke.
  • 0015 — forward-ref to 0054 (Active doc — forward-ref only, no body rewrite).
  • 0038 — captures the daemon-isolation todo as the defense-in-depth sibling (bounding caps the common case; isolation contains the residual).

Paired PR

Server-side placement decision (fix-in-kernel as a named extension) + the LLP 0006 forward-ref: hyparam/hypaware-server#31.

Scope note

Signal-threading is a spec requirement (no real chose-X-over-Y), so it is folded into 0054 rather than minted as its own decision. The engine-side parts (#1 signal, #3 budget in squirreling; #2 scanColumn in icebird) land as upstream PRs to those first-party hyparam packages + a pinned kernel version bump — tracked in the 0057 plan.

Validation

ref-check-equivalent: filename types match **Type:**, all inter-LLP links + Related targets resolve, new numbers unique (the only duplicate in the tree is the pre-existing 0026 collision on master, untouched here).

🤖 Generated with Claude Code
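
The refuse-over-truncate behaviour described for 0055/0056, shown for a streamed COUNT(DISTINCT). This is an added example, not code from this PR (which is docs only) or from hypaware, squirreling or icebird. `BudgetExceededError`, `countDistinctBounded`, `maxDistinct` and `sampleColumnBatches` are hypothetical names, and counting the budget in distinct values is an assumption.

```javascript
// Added illustration. All names here are hypothetical, not hypaware/squirreling/icebird APIs.
class BudgetExceededError extends Error {
  constructor(limit) {
    super(`query refused: budget of ${limit} distinct values exceeded`)
    this.name = 'BudgetExceededError'
    this.limit = limit
  }
}

// COUNT(DISTINCT col) over lazily produced column batches. Only the distinct
// set is retained, so peak memory tracks maxDistinct, not rows scanned.
function countDistinctBounded(batches, { maxDistinct, signal }) {
  const seen = new Set()
  let rowsScanned = 0
  for (const batch of batches) {
    // Check cancellation once per batch so an abandoned request stops scanning.
    if (signal && signal.aborted) throw new Error('query aborted')
    for (const value of batch) {
      rowsScanned++
      if (value === null || value === undefined) continue // NULLs are not counted
      if (seen.has(value)) continue
      // Refuse instead of truncating: a capped set would return a wrong count.
      if (seen.size >= maxDistinct) throw new BudgetExceededError(maxDistinct)
      seen.add(value)
    }
  }
  return { count: seen.size, rowsScanned }
}

// Constructed sample input: `rows` values cycling through `cardinality` ids.
function* sampleColumnBatches(rows, cardinality, batchSize = 4096) {
  for (let start = 0; start < rows; start += batchSize) {
    const length = Math.min(batchSize, rows - start)
    yield Array.from({ length }, (_, i) => `id-${(start + i) % cardinality}`)
  }
}

// Same 495,000-row scan twice: low cardinality answers, high cardinality is refused.
function demo(maxDistinct = 1000) {
  const ok = countDistinctBounded(sampleColumnBatches(495000, 200), { maxDistinct })
  let refused = null
  try {
    countDistinctBounded(sampleColumnBatches(495000, 50000), { maxDistinct })
  } catch (err) {
    refused = err
  }
  return { ok, refused }
}

console.log(demo())
```

The refusal fires on the first value past the budget, so the high-cardinality scan stops early instead of running to the end of the table.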

…LP 0054-0057)

Captures the settled 1+2+3 kernel fix for hyparam/hypaware-server#9: unbounded
ORDER BY / GROUP BY / COUNT(DISTINCT) buffer the whole scan and OOM-kill the
daemon. Peak memory now tracks a per-query budget, not the scanned row count.

- 0054 spec: bounded query execution — execution budget + threaded abort signal
  on the public hypaware/core/query surface (distinct from the output-shaped
  ContextControls); extends LLP 0015.
- 0055 decision: stream scalar/distinct aggregates via scanColumn rather than
  buffering rows (lights squirreling's dormant fast path on icebird + the core
  union + ai-gateway schema wrapper).
- 0056 decision: refuse over spill/truncate on budget exceed (spill = deferred
  follow-up; truncate is a wrong answer for aggregates).
- 0057 plan: implementation across hypaware / squirreling / icebird / ai-gateway.
- 0015: forward-ref to 0054 (Active doc — forward-ref only).
- 0038: capture the daemon-isolation todo as the defense-in-depth sibling.

Docs only — no code; @ref annotations land with the implementation.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@philcunliffe philcunliffe merged commit 0fbce2b into master Jun 30, 2026
6 checks passed
@philcunliffe philcunliffe deleted the llp/query-oom-bounded-execution branch June 30, 2026 18:37
philcunliffe added a commit that referenced this pull request Jun 30, 2026
The bounded-query-execution design (merged Draft in #215) is reviewed and
approved for implementation: flips the spec, both decisions, and the plan to
Accepted. The 0038 isolation todo stays Draft (separately-owned track). Active
follows when the code lands.

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>