Bukhtawar
diff --git a/‎sandbox/plugins/analytics-backend-datafusion/rust/src/ffm.rs‎
Lines changed: 2 additions & 2 deletions b/‎sandbox/plugins/analytics-backend-datafusion/rust/src/ffm.rs‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎sandbox/plugins/analytics-backend-datafusion/rust/src/memory.rs‎
Lines changed: 96 additions & 6 deletions b/‎sandbox/plugins/analytics-backend-datafusion/rust/src/memory.rs‎
Lines changed: 96 additions & 6 deletions
diff --git a/‎sandbox/plugins/analytics-backend-datafusion/rust/src/memory_guard.rs‎
Lines changed: 109 additions & 27 deletions b/‎sandbox/plugins/analytics-backend-datafusion/rust/src/memory_guard.rs‎
Lines changed: 109 additions & 27 deletions
@@ -158,11 +158,11 @@ pub extern "C" fn df_set_min_target_partitions(value: i64) {
 /// Sets memory guard thresholds. Values are thresholds multiplied by 1000
 /// (e.g., 700 = 0.70, 850 = 0.85, 950 = 0.95).
 #[no_mangle]
-pub extern "C" fn df_set_memory_guard_thresholds(admission_x1000: i64, operator_x1000: i64, kill_x1000: i64) {
+pub extern "C" fn df_set_memory_guard_thresholds(admission_x1000: i64, operator_x1000: i64, critical_x1000: i64) {
     crate::memory_guard::set_thresholds(crate::memory_guard::MemoryThresholds {
         admission: admission_x1000 as f64 / 1000.0,
         operator: operator_x1000 as f64 / 1000.0,
-        kill: kill_x1000 as f64 / 1000.0,
+        critical: critical_x1000 as f64 / 1000.0,
     });
 }
 
 
@@ -112,6 +112,39 @@ impl MemoryPool for DynamicLimitPool {
         reservation: &MemoryReservation,
         additional: usize,
     ) -> Result<(), DataFusionError> {
+        // Hard guard: reject immediately if physical RSS exceeds the critical threshold.
+        //
+        // hashbrown::reserve() allocates via jemalloc BEFORE this try_grow is called
+        // (malloc-first, ask-permission-later). Under concurrent load, multiple queries
+        // grow multi-GB hash tables in parallel before any pool check occurs. This guard
+        // catches that burst: even if pool accounting (CAS) would approve, we reject when
+        // physical memory is critically high, forcing the operator to spill.
+        //
+        // Aligned with the critical threshold (95%) rather than 100% to give spill a
+        // chance to recover before the cancel path fires. Without this, the CAS can pass
+        // at 96% RSS (pool accounting lags jemalloc) and the cancel check never fires
+        // (it's post-CAS-fail only).
+        //
+        // Uses a cached resident_bytes value (refreshed every 100ms) to avoid calling
+        // jemalloc epoch.advance() on every batch — amortized cost <1µs.
+        let limit = self.dynamic_limit.load(Ordering::Acquire);
+        let resident = crate::memory_guard::cached_resident_bytes();
+        if resident > 0 {
+            let critical_threshold = crate::memory_guard::get_thresholds().critical;
+            let critical_bytes = (limit as f64 * critical_threshold) as usize;
+            if resident as usize > critical_bytes {
+                self.tripped_count.fetch_add(1, Ordering::Relaxed);
+                let used = self.used.load(Ordering::Relaxed);
+                return Err(crate::native_error::pool_limit_error(
+                    additional,
+                    reservation.consumer().name(),
+                    reservation.size(),
+                    0,
+                    limit,
+                ));
+            }
+        }
+
         let dynamic_limit = &self.dynamic_limit;
 
         // Fast path: try the normal CAS against the pool limit.
@@ -148,21 +181,21 @@ impl MemoryPool for DynamicLimitPool {
         }
 
         // Both pool and jemalloc confirm pressure. Check if RSS is critical —
-        // if so, kill the query rather than spilling (spill can't help at 95%+).
-        if crate::memory_guard::should_kill_query(limit) {
+        // if so, cancel the query rather than spilling (spill can't help at 95%+).
+        if crate::memory_guard::should_cancel_query(limit) {
             native_bridge_common::log_info!(
-                "Memory KILL: RSS exceeds kill threshold for consumer [{}]. Cancelling query to protect node.",
+                "Memory CANCEL: RSS exceeds critical threshold for consumer [{}]. Cancelling query to protect node.",
                 reservation.consumer().name()
             );
             return Err(DataFusionError::ResourcesExhausted(format!(
-                "Query cancelled: native memory RSS exceeds kill threshold ({}% of pool limit {}B). \
+                "Query cancelled: native memory RSS exceeds critical threshold ({}% of pool limit {}B). \
                  Reduce query concurrency or increase datafusion.memory_pool_limit_bytes.",
-                (crate::memory_guard::get_thresholds().kill * 100.0) as u32,
+                (crate::memory_guard::get_thresholds().critical * 100.0) as u32,
                 limit
             )));
         }
 
-        // RSS between operator (85%) and kill (95%) — reject (operator will spill)
+        // RSS between operator (85%) and critical (95%) — reject (operator will spill)
         self.tripped_count.fetch_add(1, Ordering::Relaxed);
         let used = self.used.load(Ordering::Relaxed);
         Err(crate::native_error::pool_limit_error(
@@ -409,4 +442,61 @@ mod tests {
         assert_eq!(handle.tripped_count(), 0);
         assert_eq!(pool.reserved(), 100_000);
     }
+
+    #[test]
+    fn test_hard_guard_rejects_when_rss_exceeds_critical() {
+        // Create a pool with a limit smaller than the current process RSS.
+        // A Rust test process typically uses 50-200MB RSS, so 20MB should
+        // always trigger the hard guard (RSS > 95% of 20MB = 19MB).
+        let (pool, handle) = new_pool(20 * 1024 * 1024); // 20MB
+
+        let resident = crate::memory_guard::cached_resident_bytes();
+        if resident <= 0 {
+            return; // jemalloc not available in this test env
+        }
+
+        let critical_bytes = (20.0 * 1024.0 * 1024.0 * 0.95) as i64;
+        if resident < critical_bytes {
+            return; // RSS unexpectedly low — skip rather than false-fail
+        }
+
+        let consumer = MemoryConsumer::new("hard_guard_test");
+        let mut reservation = consumer.register(&pool);
+
+        // The hard guard fires before the CAS — even a tiny grow should be rejected
+        let result = reservation.try_grow(1024);
+        assert!(
+            result.is_err(),
+            "try_grow should fail when RSS ({}) exceeds critical threshold (95% of 20MB)",
+            resident
+        );
+        assert!(
+            handle.tripped_count() >= 1,
+            "tripped_count should increment on hard guard rejection"
+        );
+    }
+
+    #[test]
+    fn test_hard_guard_passes_when_rss_below_critical() {
+        // Create a pool with a huge limit (1TB). The test process RSS is well
+        // below 95% of 1TB, so the hard guard should NOT fire.
+        let limit = 1024 * 1024 * 1024 * 1024_usize; // 1TB
+        let (pool, handle) = new_pool(limit);
+
+        let consumer = MemoryConsumer::new("large_pool_test");
+        let mut reservation = consumer.register(&pool);
+
+        // A small allocation should succeed — RSS is far below 95% of 1TB
+        let result = reservation.try_grow(4096);
+        assert!(
+            result.is_ok(),
+            "try_grow should succeed when RSS is well below 95% of 1TB pool limit"
+        );
+        assert_eq!(
+            handle.tripped_count(),
+            0,
+            "tripped_count should remain 0 when hard guard does not fire"
+        );
+        assert_eq!(pool.reserved(), 4096);
+    }
 }
@@ -8,24 +8,54 @@
 
 //! Unified jemalloc-based memory guard for pool override decisions.
 //!
-//! Provides a single entry point (`should_override`) that both the admission
-//! layer (`query_budget.rs`) and the operator layer (`memory.rs`) call before
-//! reducing partitions or triggering spill respectively.
+//! All RSS checks go through [`cached_resident_bytes()`] — a single source of
+//! truth refreshed at most once per 100ms. This avoids expensive jemalloc
+//! `epoch.advance()` calls on the hot path while keeping the memory picture
+//! consistent across all decision layers (hard guard, override, cancel, admission).
 //!
 //! Thresholds are configurable at runtime via `set_thresholds`.
 
-use std::sync::atomic::{AtomicU64, Ordering};
+use std::sync::atomic::{AtomicI64, AtomicU64, Ordering};
+use std::time::Instant;
+
+// --- Cached RSS ---
+
+const RESIDENT_CACHE_INTERVAL_MS: u64 = 100;
+static CACHED_RESIDENT: AtomicI64 = AtomicI64::new(0);
+static LAST_CHECK_MS: AtomicU64 = AtomicU64::new(0);
+static EPOCH_BASE: std::sync::OnceLock<Instant> = std::sync::OnceLock::new();
+
+/// Returns jemalloc resident bytes, cached for up to 100ms.
+///
+/// Only one thread per interval pays the ~1-5µs `epoch.advance()` cost;
+/// all others get the cached value in <1ns (one atomic load).
+/// Used by all memory decision points: hard guard, override, cancel, admission.
+pub fn cached_resident_bytes() -> i64 {
+    let base = EPOCH_BASE.get_or_init(Instant::now);
+    let now_ms = base.elapsed().as_millis() as u64;
+    let last = LAST_CHECK_MS.load(Ordering::Relaxed);
+    if now_ms.saturating_sub(last) >= RESIDENT_CACHE_INTERVAL_MS {
+        if LAST_CHECK_MS.compare_exchange(last, now_ms, Ordering::Relaxed, Ordering::Relaxed).is_ok() {
+            let r = native_bridge_common::allocator::resident_bytes();
+            CACHED_RESIDENT.store(r, Ordering::Relaxed);
+            return r;
+        }
+    }
+    CACHED_RESIDENT.load(Ordering::Relaxed)
+}
+
+// --- Thresholds ---
 
 /// Minimum pool size (bytes) for jemalloc override to activate.
 /// Below this, the pool is assumed to be a unit test / benchmark with
 /// artificial limits — never override.
 const MIN_POOL_FOR_OVERRIDE: usize = 16 * 1024 * 1024; // 16MB
 
 // Configurable thresholds stored as fixed-point (×1000) in atomics.
-// Defaults: admission=70%, operator=85%, kill=95%.
+// Defaults: admission=70%, operator=85%, critical=95%.
 static ADMISSION_THRESHOLD_X1000: AtomicU64 = AtomicU64::new(700);
 static OPERATOR_THRESHOLD_X1000: AtomicU64 = AtomicU64::new(850);
-static KILL_THRESHOLD_X1000: AtomicU64 = AtomicU64::new(950);
+static CRITICAL_THRESHOLD_X1000: AtomicU64 = AtomicU64::new(950);
 
 /// Which layer is asking for the override check.
 #[derive(Debug, Clone, Copy)]
@@ -49,17 +79,18 @@ pub struct MemoryThresholds {
     pub admission: f64,
     /// Threshold for operator decisions (trigger spill). Default: 0.85
     pub operator: f64,
-    /// Threshold for query kill (cancel in-flight query). Default: 0.95
-    /// When RSS exceeds this, spill can't save the node — cancel the query.
-    pub kill: f64,
+    /// Critical memory threshold. Default: 0.95
+    /// When RSS exceeds this: the hard guard forces spill (pre-CAS path), and
+    /// the cancel path terminates the query (post-CAS-fail path, last resort).
+    pub critical: f64,
 }
 
 impl Default for MemoryThresholds {
     fn default() -> Self {
         Self {
             admission: 0.70,
             operator: 0.85,
-            kill: 0.95,
+            critical: 0.95,
         }
     }
 }
@@ -75,8 +106,8 @@ pub fn set_thresholds(thresholds: MemoryThresholds) {
         (thresholds.operator * 1000.0) as u64,
         Ordering::Release,
     );
-    KILL_THRESHOLD_X1000.store(
-        (thresholds.kill * 1000.0) as u64,
+    CRITICAL_THRESHOLD_X1000.store(
+        (thresholds.critical * 1000.0) as u64,
         Ordering::Release,
     );
 }
@@ -86,25 +117,28 @@ pub fn get_thresholds() -> MemoryThresholds {
     MemoryThresholds {
         admission: ADMISSION_THRESHOLD_X1000.load(Ordering::Acquire) as f64 / 1000.0,
         operator: OPERATOR_THRESHOLD_X1000.load(Ordering::Acquire) as f64 / 1000.0,
-        kill: KILL_THRESHOLD_X1000.load(Ordering::Acquire) as f64 / 1000.0,
+        critical: CRITICAL_THRESHOLD_X1000.load(Ordering::Acquire) as f64 / 1000.0,
     }
 }
 
-/// Returns `true` if RSS exceeds the kill threshold — the query should be
-/// cancelled rather than spilled. Spill can't help at this pressure level;
-/// protecting the node is more important than completing the query.
+/// Returns `true` if RSS exceeds the critical threshold — the query should be
+/// cancelled. This is the last-resort path (post-CAS-fail, post-override-denied):
+/// the pool rejected, jemalloc confirms pressure, and spill alone can't recover
+/// fast enough. Cancel the query to protect the node.
 ///
-/// Only called from the operator spill path (after pool rejection + override blocked).
-pub fn should_kill_query(pool_limit_bytes: usize) -> bool {
+/// The same critical threshold is used by the hard guard (pre-CAS) to force spill
+/// earlier — that path is recoverable. This path fires only when spill was already
+/// attempted or cannot help.
+pub fn should_cancel_query(pool_limit_bytes: usize) -> bool {
     if pool_limit_bytes < MIN_POOL_FOR_OVERRIDE {
         return false;
     }
-    let resident = native_bridge_common::allocator::resident_bytes();
+    let resident = cached_resident_bytes();
     if resident <= 0 {
         return false;
     }
-    let kill_bytes = (pool_limit_bytes as u64).saturating_mul(KILL_THRESHOLD_X1000.load(Ordering::Acquire)) / 1000;
-    resident >= kill_bytes as i64
+    let critical_bytes = (pool_limit_bytes as u64).saturating_mul(CRITICAL_THRESHOLD_X1000.load(Ordering::Acquire)) / 1000;
+    resident >= critical_bytes as i64
 }
 
 /// Check whether jemalloc says physical memory has headroom, meaning the
@@ -123,12 +157,11 @@ pub fn should_kill_query(pool_limit_bytes: usize) -> bool {
 /// - `pool_limit_bytes`: the pool's configured limit
 /// - `context`: which layer is asking (determines threshold)
 pub fn should_override(pool_limit_bytes: usize, context: OverrideContext) -> bool {
-    // Skip for tiny pools (unit tests, benchmarks with artificial limits)
     if pool_limit_bytes < MIN_POOL_FOR_OVERRIDE {
         return false;
     }
 
-    let resident = native_bridge_common::allocator::resident_bytes();
+    let resident = cached_resident_bytes();
     if resident <= 0 {
         return false;
     }
@@ -156,7 +189,7 @@ pub fn is_memory_pressured(pool_limit_bytes: usize) -> bool {
         return false;
     }
 
-    let resident = native_bridge_common::allocator::resident_bytes();
+    let resident = cached_resident_bytes();
     if resident <= 0 {
         return false;
     }
@@ -239,20 +272,20 @@ mod tests {
         let t = MemoryThresholds::default();
         assert!((t.admission - 0.70).abs() < 0.001);
         assert!((t.operator - 0.85).abs() < 0.001);
-        assert!((t.kill - 0.95).abs() < 0.001);
+        assert!((t.critical - 0.95).abs() < 0.001);
     }
 
     #[test]
     fn set_and_get_thresholds() {
         set_thresholds(MemoryThresholds {
             admission: 0.60,
             operator: 0.90,
-            kill: 0.97,
+            critical: 0.97,
         });
         let t = get_thresholds();
         assert!((t.admission - 0.60).abs() < 0.001);
         assert!((t.operator - 0.90).abs() < 0.001);
-        assert!((t.kill - 0.97).abs() < 0.001);
+        assert!((t.critical - 0.97).abs() < 0.001);
         // Restore defaults
         set_thresholds(MemoryThresholds::default());
     }
@@ -303,6 +336,55 @@ mod tests {
         assert!(!is_memory_pressured(1_000_000)); // 1MB — below MIN_POOL_FOR_OVERRIDE
     }
 
+    #[test]
+    fn cached_resident_bytes_returns_positive() {
+        // jemalloc is active in the test process — resident_bytes must be > 0
+        let resident = cached_resident_bytes();
+        assert!(resident > 0, "cached_resident_bytes() should return > 0 when jemalloc is active, got {}", resident);
+    }
+
+    #[test]
+    fn cached_resident_bytes_is_stable_within_interval() {
+        // Two calls within <100ms should return the same cached value
+        // (only one thread per interval refreshes the cache).
+        let first = cached_resident_bytes();
+        let second = cached_resident_bytes();
+        assert_eq!(
+            first, second,
+            "Two immediate calls should return the same cached value"
+        );
+    }
+
+    #[test]
+    fn should_cancel_query_false_for_small_pools() {
+        // Pools below MIN_POOL_FOR_OVERRIDE (16MB) always return false
+        assert!(!should_cancel_query(1_000_000)); // 1MB
+        assert!(!should_cancel_query(8 * 1024 * 1024)); // 8MB
+        assert!(!should_cancel_query(15 * 1024 * 1024)); // 15MB
+    }
+
+    #[test]
+    fn should_cancel_query_true_when_rss_exceeds_limit() {
+        // With a 20MB pool limit (above MIN_POOL_FOR_OVERRIDE), the current test
+        // process RSS should exceed 95% of 20MB = 19MB. A Rust test process
+        // typically uses 50-200MB RSS.
+        let small_pool = 20 * 1024 * 1024; // 20MB
+        let resident = native_bridge_common::allocator::resident_bytes();
+        if resident <= 0 {
+            return; // jemalloc not available in this test env
+        }
+        // Only assert if RSS actually exceeds the critical threshold
+        let critical_bytes = (small_pool as f64 * 0.95) as i64;
+        if resident >= critical_bytes {
+            assert!(
+                should_cancel_query(small_pool),
+                "should_cancel_query should return true when RSS ({}) exceeds 95% of pool ({})",
+                resident,
+                small_pool
+            );
+        }
+    }
+
     #[test]
     fn override_respects_operator_vs_admission_threshold() {
         // Operator threshold (85%) is more permissive than admission (70%).