Cap search RAM Usage

[fulmicoton]

All of the data required to run a single split leaf search needs to sit in RAM for a few hundred ms. Right now we can limit Searcher RAM usage by limiting search concurrency.

However, the amount of RAM necessary to run a split search is difficult to foresee and it can vary a lot. Also limiting search concurrency can strongly impact search latency.

We also expose ourselves to "Query of death" phenomenons.

Capping memory is non-trivial... If we just used a semaphore for instance, we would expose ourselves to a possible deadlock.

We need a best-effort solution to cap the search RAM usage.

[fulmicoton]

We could do something like:

• have a global semaphore measure the searcher "working memory" RAM.
• reserve 100mb to start search on a split.
• tap on that reserved 100mb before downloading any extra data.
• if 100mb is exceeded for a given split, try to reserve more memory from the global semaphore with a timeout of 1s. If the timeout hits, fails the search request.
• release the reserved memory as soon as warmup is finished.

With this solution, as long as a split requires less than 100mb, no problem happens. Only pathological search request (taking more than 100mb per split) may fail.

[fulmicoton]

@rdettai can you take over this issue / PR

I tried to describe what this is doing in a the commit message.

Limit search memory usage associated with warmup.
Due to tantivy limitations, searching a split requires downloading all
of the required data, and keep them in memory. We call this phase
warmup.

Before this PR, the only thing that curbed memory usage was the search
permits: only N split search may happen concurrently.
Unfortunately, the amount of data required here varies vastly.

We need a mechanism to measure and avoid running more split search
when memory is tight.

Just using a semaphore is however not an option. We do not know
beforehands how much memory will be required by a split search, so it could easily
lead to a dead lock.

Instead, this commit builds upon the search permit provider.

The search permit provider is in charge of managing a configurable memory budget for this warmup memory.

We introduce here a configurable "warmup_single_split_initial_allocation".
A new leaf split search cannot be started if this memory is not
available. This initial allocation is meant to be greater than what will
be actually needed most of the time.

The split search then holds this allocation until the end of warmup.
After warmup, we can get the actual memory usage by interrogating the
warmup cache. We can then update the amount of memory held.
(most of the time, this should mean releasing some memory)

In addition, in this PR, at this point, we also release the warmup search permit:

We still have to perform the actual task of searching, but the thread
pool will take care of limiting the number of concurrent task.

Closes https://github.com/quickwit-oss/quickwit/issues/5355

A bunch of tasks are still required

• [ ] building unit test is broken at the moment.
• [ ] serde deserialization default value must be set.
• [ ] we need additional unit test for search permit provider. (it is easy for bugs to popup in that kind of logic, fortunately its isolation make it is easy to unit test.)
• [ ] adding a counter for this warmup memory usage
• [ ] document SearchPermitProvider
• [ ] cleanup... whatever you see fit