a curated list of database news from authoritative sources

April 25, 2025

Percona Database Performance Blog

pgvector: The Critical PostgreSQL Component for Your Enterprise AI Strategy

You’re likely racing to enhance your applications with more intelligent, data-driven capabilities, whether through AI-powered models (which have moved into “must implement now!” territory), advanced search functions, real-time fraud detection, or geospatial analysis. As these demands grow, you face a significant challenge: efficiently storing, managing, and querying high-dimensional vector data within your existing database infrastructure. […]
by David Quilty

April 24, 2025

CedarDB Blog

What It Takes to Be PostgreSQL Compatible

What It Takes to Be PostgreSQL Compatible

We, and many other database enthusiasts, are big fans of PostgreSQL. Even though we built a database system from scratch, we believe there are many good reasons for using PostgreSQL. In fact, we like PostgreSQL so much that we made sure to build CedarDB to be compatible with PostgreSQL.

Because of PostgreSQL’s popularity, we were not the first to develop a PostgreSQL compatible database system. CMU’s “Database of Databases” lists over 40 database systems that claim to be PostgreSQL compatible. Among them you can find database systems from large cloud vendors such as AlloyDB from Google or Aurora from AWS.

April 23, 2025

Percona Database Performance Blog

Does FCV Have Any Impact on MongoDB Performance?

It is generally known and established that different database versions provide different sets of features and performance rates. Along with the binary versions, MongoDB has a property called Feature Compatibility Value, which allows administrators to run a binary version without enabling any features that are incompatible with the previous one. This property is generally helpful […]
by Pablo Claudino

April 22, 2025

Murat Demirbas

Multi-Grained Specifications for Distributed System Model Checking and Verification

This EuroSys 2025 paper wrestles with the messy interface between formal specification and implementation reality in distributed systems. The case study is ZooKeeper. The trouble with verifying something big like ZooKeeper is that the spec and the code don’t match. Spec wants to be succinct and abstract; code has to be performant and dirty. 

For instance, a spec might say, “this happens atomically.” But the actual system says, “yeah, buddy, right.” Take the case of FollowerProcessNEWLEADER: the spec bundles updating the epoch and accepting the leader’s history into a single atomic step. But in the real system, those steps are split across threads and separated by queuing, I/O, and asynchronous execution. Modeling them as atomic would miss real, observable intermediate states, and real bugs.

To bridge this model-code gap, the authors use modularization and targeted abstraction. Don’t write one spec, write multi-grained specs. Different parts of the system are modeled at different granularities, depending on what you're verifying. Some parts are modeled in fine detail; others are coarse and blurry. Like reading a novel and skimming the boring parts. These modules, written at different levels of abstraction, are composed into a mixed-grained spec, tailored to the verification task at hand.

Central to the method is the interaction-preserving principle, a key idea borrowed from a 2022 paper by some of the same authors. Coarsening is allowed, but only if you preserve interaction variables--shared state that crosses module boundaries. To abstract away things, modules can internally lie to themselves, but not to each other. Other modules should not be able to distinguish whether they are interacting with the original or a coarsened module. The paper formalizes this using dependency relations over actions and their enabling conditions. This sounds a lot like rely-guarantee, but encoded for TLA+.

What makes this paper stand out is its application. This is a full-on, hard-core TLA+ verification effort against a real-world messy codebase. It’s a good guide for how to do formal work practically, without having to rewrite the system in a verification-oriented language. This paper is not quite a tutorial as it skips a lot of the details, but the engineering is real, and the bugs are real too.


Technical details

The system decomposition follows the Zab protocol phases: Election, Discovery, Synchronization, Broadcast. This is a clever hack. Rather than inventing new module boundaries (say through roles or layers), the authors simply split along the natural phase boundaries in the protocol. The next-state action in the TLA+ spec is already a disjunction across phase actions; this decomposition just formalizes and exploits that.

They focus verification on log replication involving the Synchronization and Broadcast phases, while leaving Election and Discovery mostly coarse. They say that's where the bugs are. They also mention that the leader election is a tangle of nondeterminism and votes-in-flight, and models take days to check. Log replication, by contrast, is where local concurrency hits hard, and where many past bugs and failed fixes appear.

Table 1 summarizes the spec configurations: baseline (system spec), coarsened, and fine-grained. The fine-grained specs are where the action is: they capture atomicity violations, thread interleavings, and missing transitions. These bugs don’t show up when model checking with the baseline spec. It is all about how deep granularity you are willing to go for capturing implementation. Targeted fine-granularity checking really helps keep this practical.

Table 5 shows model performance. Coarse specs are fast but miss bugs. Fine specs find bugs but blow up. Mixed specs get the best of both. For instance, mSpec-3 finds deep bugs in seconds, while the full system spec doesn’t terminate in 24 hours. The bottleneck is the leader election spec, which proves again that targeted coarsening pays when it preserves interaction.

Bug detection is driven by model checking with TLC. Violations are found in model traces when TLC reports a violation of an invariant. The violations found are then confirmed via code-level deterministic replay. The authors built a system (Remix) to instrument ZooKeeper, inject RPC hooks via AspectJ, and replay TLA-level traces using a centralized coordinator that schedules and controls the interleaving of code-level actions using the developer-provided mapping from model actions to code events. This deterministic replay allows them to validate that the model-level bug can actually manifest in real runs.

Figure 8 ties back to the core atomicity problem in FollowerProcessNEWLEADER. Many of these bugs arise when the update of epoch and the logging of history are not properly sequenced or observed. The spec treats them as one unit, but the implementation spreads them across threads and queues. By splitting the spec action into three, the authors model each thread’s contribution separately, and capturing the inter-thread handoff. With this, they catch data loss, inconsistency, and state corruption bugs that had previously escaped detection, or worse, had been "fixed" and re-broken.

The authors didn’t stop at finding bugs. They submitted fixes upstream to ZooKeeper, validating them with the same fine-grained specifications. To fix existing bugs and also make it easy to implement correctly, they removed the atomicity requirement of the two updates from the Zab protocol but require their order: the follower updates its history before updating its epoch. The patched version passed their model checks, and the PR was merged. This tight loop (spec, bug, fix, verify) is what makes this method stand out: formal methods not as theory, but as a workflow.


Conclusions

The results back the thesis: fine-grained modeling is essential to catch real bugs. Coarsening is essential to make model checking scale. Modularity and compositionality is a feasible way to manage verification of a complex, concurrent, evolving system. It's not push-button verification. But it's doable and useful.

The work opens several directions. Could this technique support test generation from the mixed model? If you already have deterministic replay and instrumentation hooks, generating inputs for fault-injection testing seems within reach.

More speculatively, are there heuristics to suggest good modular cuts? The current modularization is protocol-phase aligned, but could role-based, data-centric, or thread-boundary modularization give better results? That seems like a good area for exploration.

by Murat (noreply@blogger.com)
Percona Database Performance Blog

Behind the Scenes: How Percona Support Diagnosed a MongoDB FTDC Freeze

One of our customers recently reported that MongoDB’s diagnostic metrics—collected via FTDC (Full-Time Diagnostic Data Capture)—had stopped updating. As a result, no metrics were being collected, either through diagnostic data files or the getDiagnosticData command. Key metrics such as uptime were no longer progressing. While the cluster remained fully operational, the lack of observability introduced a […]
by Vinicius Grippa

April 21, 2025

Percona Database Performance Blog

Speeding Up Percona XtraDB Cluster State Transfers with Kubernetes Volume Snapshots

When using the Percona Operator for MySQL based on Percona XtraDB Cluster (PXC), it’s common to encounter scenarios where cluster nodes request a full State Snapshot Transfer (SST) when rejoining the cluster. One typical scenario where a State Snapshot Transfer (SST) is required is when a node has been offline long enough that the GCache […]
by Juan Arruti

April 20, 2025

Phil Eaton

Transactions are a protocol

Transactions are not an intrinsic part of a storage system. Any storage system can be made transactional: Redis, S3, the filesystem, etc. Delta Lake and Orleans demonstrated techniques to make S3 (or cloud storage in general) transactional. Epoxy demonstrated techniques to make Redis (and any other system) transactional. And of course there's always good old Two-Phase Commit.

If you don't want to read those papers, I wrote about a simplified implementation of Delta Lake and also wrote about a simplified MVCC implementation over a generic key-value storage layer.

It is both the beauty and the burden of transactions that they are not intrinsic to a storage system. Postgres and MySQL and SQLite have transactions. But you don't need to use them. It isn't possible to require you to use transactions. Many developers, myself a few years ago included, do not know why you should use them. (Hint: read Designing Data Intensive Applications.)

And you can take it even further by ignoring the transaction layer of an existing transactional database and implement your own transaction layer as Convex has done (the Epoxy paper above also does this). It isn't entirely clear that you have a lot to lose by implementing your own transaction layer since the indexes you'd want on the version field of a value would only be as expensive or slow as any other secondary index in a transactional database. Though why you'd do this isn't entirely clear (I will like to read about this from Convex some time).

It's useful to see transaction protocols as another tool in your system design tool chest when you care about consistency, atomicity, and isolation. Especially as you build systems that span data systems. Maybe, as Ben Hindman hinted at the last NYC Systems, even proprietary APIs will eventually provide something like two-phase commit so physical systems outside our control can become transactional too.

April 19, 2025

Small Datum - Mark Callaghan

Battle of the Mallocators: part 2

This post addresses some of the feedback I received from my previous post on the impact of the malloc library when using RocksDB and MyRocks. Here I test:

  • MALLOC_ARENA_MAX with glibc malloc
    • see here for more background on MALLOC_ARENA_MAX. By default glibc can use too many arenas for some workloads (8 X number_of_CPU_cores) so I tested it with 1, 8, 48 and 96 arenas.
  • compiling RocksDB and MyRocks with jemalloc specific code enabled
    • In my previous results I just set malloc-lib in my.cnf which uses LD_LIBRARY_PATH to link with your favorite malloc library implementation.
tl;dr: jemalloc
  • For mysqld with jemalloc enabled via malloc-lib (LD_LIBRARY_PATH) versus mysqld with jemalloc specific code enabled
    • performance, VSZ and RSS were similar
  • After setting rocksdb_cache_dump=0 in the binary with jemalloc specific code
    • performance is slightly better (excluding the outlier, the benefit is up to 3%)
    • peak VSZ is cut in half
    • peak RSS is reduced by ~9%
tl;dr: glibc malloc on a 48-core server
  • With 1 arena performance is lousy but the RSS bloat is mostly solved
  • With 8, 48 or 96 arenas the RSS bloat is still there
  • With 48 arenas there are still significant (5% to 10%) performance drops
  • With 96 arenas the performance drop was mostly ~2%
Building MyRocks with jemalloc support

This was harder than I expected. The first step was easy -- I added these to the CMake command line, the first is for MyRocks and the second is for RocksDB. When the first is set then HAVE_JEMALLOC is defined in config.h. When the second is set then ROCKSDB_JEMALLOC is defined on the compiler command line.

  -DHAVE_JEMALLOC=1
  -DWITH_JEMALLOC=1
The hard part is that there were linker errors for unresolved symbols -- the open-source build was broken. The fix that worked for me is here. I removed libunwind.so and added libjemalloc.so in its place.

Running mysqld with MALLOC_ARENA_MAX

I wasn't sure if it was sufficient for me to set an environment variable when invoking mysqld_safe, so I just edited the mysqld_safe script to do that for me:

182a183,184
>   cmd="MALLOC_ARENA_MAX=1 $cmd"
>   echo Run :: $cmd

Results: jemalloc

The jemalloc specific code in MyRocks and RocksDB is useful but most of it is not there to boost performance. The jemalloc specific code most likely to boost performance is here in MyRocks and is enabled when rocksdb_cache_dump=0 is added to my.cnf.

Results are here for 3 setups:
  • fbmy8032_rel_o2nofp_end_241023_ba9709c9_971.za4_jemalloc_c32r128
    • This is the base case in the table below
    • this is what I used in my previous post and jemalloc is enabled via setting malloc-lib in my.cnf which uses LD_LIBRARY_PATH
  • fbmy8032_rel_o2nofp_end_je_241023_ba9709c9_971.za4_c32r128
    • This is col-1 in the table below
    • MySQL with jemalloc specific code enabled at compile time
  • fbmy8032_rel_o2nofp_end_je_241023_ba9709c9_971.za5_c32r128
    • This is col-2 in the table below
    • MySQL with jemalloc specific code enabled at compile time and rocksdb_cache_dump=0 added to my.cnf
These results use the relative QPS, which is the following where $allocator is tcmalloc or jemalloc. When this value is larger than 1.0 then QPS is larger with tcmalloc or jemalloc.
(QPS with $allocator) / (QPS with glibc malloc)
From the results below:
  • results in col-1 are similar to the base case. So compiling in the jemalloc specific code didn't help performance.
  • results in col-2 are slightly better than the base case with one outlier (hot-points). So consider setting rocksdb_cache_dump=0 in my.cnf after compiling in jemalloc specific code.
Relative to: fbmy8032_rel_o2nofp_end_241023_ba9709c9_971.za4_jemalloc_c32r128

col-1 : fbmy8032_rel_o2nofp_end_je_241023_ba9709c9_971.za4_c32r128
col-2 : fbmy8032_rel_o2nofp_end_je_241023_ba9709c9_971.za5_c32r128

col-1   col-2
0.92    1.40    hot-points_range=100
1.00    1.01    point-query_range=100
1.01    1.02    points-covered-pk_range=100
0.94    1.03    points-covered-si_range=100
1.01    1.02    points-notcovered-pk_range=100
0.98    1.02    points-notcovered-si_range=100
1.01    1.03    random-points_range=1000
1.01    1.02    random-points_range=100
0.99    1.00    random-points_range=10
0.98    1.00    range-covered-pk_range=100
0.96    0.97    range-covered-si_range=100
0.98    0.98    range-notcovered-pk_range=100
1.00    1.02    range-notcovered-si_range=100
0.98    1.00    read-only-count_range=1000
1.01    1.01    read-only-distinct_range=1000
0.99    0.99    read-only-order_range=1000
1.00    1.00    read-only_range=10000
0.99    0.99    read-only_range=100
0.99    1.00    read-only_range=10
0.98    0.99    read-only-simple_range=1000
0.99    0.99    read-only-sum_range=1000
0.98    0.98    scan_range=100
1.01    1.02    delete_range=100
1.01    1.03    insert_range=100
0.99    1.01    read-write_range=100
1.00    1.01    read-write_range=10
1.00    1.02    update-index_range=100
1.02    1.02    update-inlist_range=100
1.01    1.03    update-nonindex_range=100
0.99    1.01    update-one_range=100
1.01    1.03    update-zipf_range=100
1.00    1.01    write-only_range=10000

The impact on VSZ and RSS is interesting. The tables below show the peak values for VSZ and RSS from mysqld during the benchmark. The last column is the ratio (peak RSS / buffer pool size). To save space I use abbreviated names for the binaries.
  • jemalloc.1
    • base case, fbmy8032_rel_o2nofp_end_241023_ba9709c9_971.za4_jemalloc_c32r128
  • jemalloc.2
    • col-1 above, fbmy8032_rel_o2nofp_end_je_241023_ba9709c9_971.za4_c32r128
    • This has little impact on VSZ and RSS
  • jemalloc.3
    • col-2 above, fbmy8032_rel_o2nofp_end_je_241023_ba9709c9_971.za5_c32r128
    • This cuts peak VSZ in half and reduces peak RSS by 9%
Peak values for MyRocks with 10G buffer pool
alloc           VSZ     RSS     RSS/10
jemalloc.1      45.6    12.2    1.22
jemalloc.2      46.0    12.5    1.25
jemalloc.3      20.2    11.6    1.16

Results: MALLOC_ARENA_MAX

The binaries tested are:
  • fbmy8032_rel_o2nofp_end_241023_ba9709c9_971.za4_glibcmalloc_c32r128
    • base case in the table below
  • fbmy8032_rel_o2nofp_end_241023_ba9709c9_971.za4_glibcmalloc_1arena_c32r128
    • col-1 in the table below
    • uses MALLOC_ARENA_MAX=1
  • fbmy8032_rel_o2nofp_end_241023_ba9709c9_971.za4_glibcmalloc_8arena_c32r128
    • col-2 in the table below
    • uses MALLOC_ARENA_MAX=8
  • fbmy8032_rel_o2nofp_end_241023_ba9709c9_971.za4_glibcmalloc_48arena_c32r128
    • col-3 in the table below
    • uses MALLOC_ARENA_MAX=48
  • fbmy8032_rel_o2nofp_end_241023_ba9709c9_971.za4_glibcmalloc_96arena_c32r128
    • col-4 in the table below
    • uses MALLOC_ARENA_MAX=48
These results use the relative QPS, which is the following where $allocator is tcmalloc or jemalloc. When this value is larger than 1.0 then QPS is larger with tcmalloc or jemalloc.
(QPS with $allocator) / (QPS with glibc malloc)
From the results below:
  • performance with 1 or 8 arenas is lousy
  • performance drops some (often 5% to 10%) with 48 arenas
  • performance drops ~2% with 96 arenas
Relative to: fbmy8032_rel_o2nofp_end_241023_ba9709c9_971.za4_glibcmalloc_c32r128

col-1 : fbmy8032_rel_o2nofp_end_241023_ba9709c9_971.za4_glibcmalloc_1arena_c32r128
col-2 : fbmy8032_rel_o2nofp_end_241023_ba9709c9_971.za4_glibcmalloc_8arena_c32r128
col-3 : fbmy8032_rel_o2nofp_end_241023_ba9709c9_971.za4_glibcmalloc_48arena_c32r128
col-4 : fbmy8032_rel_o2nofp_end_241023_ba9709c9_971.za4_glibcmalloc_96arena_c32r128

col-1   col-2   col-3   col-4
0.89    0.78    0.72    0.78    hot-points_range=100
0.23    0.61    0.96    0.98    point-query_range=100
0.31    0.86    0.96    1.01    points-covered-pk_range=100
0.24    0.87    0.95    1.01    points-covered-si_range=100
0.31    0.86    0.97    1.01    points-notcovered-pk_range=100
0.20    0.86    0.97    1.00    points-notcovered-si_range=100
0.35    0.79    0.96    1.01    random-points_range=1000
0.30    0.87    0.96    1.01    random-points_range=100
0.23    0.67    0.96    0.99    random-points_range=10
0.06    0.48    0.92    0.96    range-covered-pk_range=100
0.14    0.52    0.97    0.99    range-covered-si_range=100
0.13    0.46    0.91    0.97    range-notcovered-pk_range=100
0.23    0.87    0.96    1.01    range-notcovered-si_range=100
0.23    0.76    0.97    0.99    read-only-count_range=1000
0.56    1.00    0.96    0.97    read-only-distinct_range=1000
0.20    0.47    0.90    0.94    read-only-order_range=1000
0.68    1.04    1.00    1.00    read-only_range=10000
0.21    0.76    0.98    0.99    read-only_range=100
0.19    0.70    0.97    0.99    read-only_range=10
0.21    0.58    0.94    0.98    read-only-simple_range=1000
0.19    0.57    0.95    1.00    read-only-sum_range=1000
0.53    0.98    1.00    1.01    scan_range=100
0.30    0.81    0.98    1.00    delete_range=100
0.50    0.92    1.00    1.00    insert_range=100
0.23    0.72    0.97    0.98    read-write_range=100
0.20    0.67    0.96    0.98    read-write_range=10
0.33    0.88    0.99    1.00    update-index_range=100
0.36    0.76    0.94    0.98    update-inlist_range=100
0.30    0.85    0.98    0.99    update-nonindex_range=100
0.86    0.98    1.00    1.01    update-one_range=100
0.32    0.86    0.98    0.98    update-zipf_range=100
0.27    0.80    0.97    0.98    write-only_range=10000

The impact on VSZ and RSS is interesting. The tables below show the peak values for VSZ and RSS from mysqld during the benchmark. The last column is the ratio (peak RSS / buffer pool size). To save space I use abbreviated names for the binaries.

Using 1 arena prevents RSS bloat but comes at a huge cost in performance. If I had more time I would have tested for 2, 4 and 6 arenas but I don't think glibc malloc + RocksDB are meant to be.

Peak values for MyRocks with 10G buffer pool
alloc           VSZ     RSS     RSS/10
default         46.1    36.2    3.62
arena = 1       15.9    14.1    1.41
arena = 8       32.6    27.7    2.77
arena = 48      35.2    29.2    2.92
arena = 96      39.3    32.5    3.25


by Mark Callaghan (noreply@blogger.com)