On Wed, Sep 20, 2006 at 04:22:47PM -0400, Tom Lane wrote: > "Jim C. Nasby" <[EMAIL PROTECTED]> writes: > > What would the failure mode be? Would we just keep going until the box > > ran out of memory? I think it'd be better to have some kind of hard > > limit so that a single backend can't grind a production server into a > > swap-storm. (Arguably, not having a limit is exposing a DoS > > vulnerability). > > [ shrug... ] If we tried to guarantee such a thing we'd be putting > arbitrary limits into hundreds if not thousands of different bits of the > backend. I think the correct answer for an admin who is worried about > such a thing is to make sure that the process ulimit is a sufficiently > small fraction of the machine's available RAM. Only if we can't > gracefully handle running up against ulimit is it our problem (hence, > we have a stack-size overflow check, but not any such thing for data size).
I didn't realize we had a lot of ways a backend could run a machine out of memory, or at least ways that didn't have some kind of limit (ie: work_mem). Are any of them very easy to run into? -- Jim Nasby [EMAIL PROTECTED] EnterpriseDB http://enterprisedb.com 512.569.9461 (cell) ---------------------------(end of broadcast)--------------------------- TIP 3: Have you checked our extensive FAQ? http://www.postgresql.org/docs/faq
