What am I so hung up on Unbounded Result Set?

time to read 2 min | 232 words

Originally posted at 3/10/2011

You might have noticed that I am routinely pointing out that there are issues, drastic issues, with any piece of code that issues a query without setting a limit to the number of results.

I got several replies saying that I am worrying too much about this issue. I don’t really understand that sort of thinking. Leaving aside the possibility of literally killing our application (as a result of Out of Memory Exception), unbounded result sets are dangerous. The main problem is that they aren’t just a theoretical problem, it is a problem that happens with regular intervals in production systems.

The real issue is that it is not just System Down issues, this might be the best scenario, actually. In most production deployment, you are actually paying for the amount of data that you are passing around. When you start dealing with unbounded result set, you are literally writing an open check and handing it to strangers.

I don’t know many people who can do something like this with equanimity.

It doesn’t take a lot to get to the point where this sort of thing really hurts. Moreover, there are truly very few cases where you actually need to have access to the entire result set. For the most part, when I see developers doing that, it is usually out of sheer laziness.

Tweet Share Share 20 comments

Tags:

Comments

17 Mar 2011
10:30 AM

Paul Cox

One place I am using an unbounded result set is for populating drop-down lists, e.g. I have a search filter that can be filtered by organisation and I am fetching all the organisations from the database. Is the recommended way to handle this a text box with auto-complete or is an unbounded result set okay while the system is still small?

17 Mar 2011
11:22 AM

Daniel Lang

Oren, in which situation would you really call it "dangerous"? Isn't it YAGNI if I always limit the results, just because I load the user-table of a small web-app?

The other thing is, that if one limits the result set, then he also wants to implement a paging mechanism into his application. Otherwise it would be sarcastic. Pretty much overkill i think.

17 Mar 2011
11:39 AM

Ayende Rahien

Paul,

Think about the scenario from the user perspective, if you have a drop down list with 75 items, it is unusable from a UX perspective.

An auto complete / search is much better

17 Mar 2011
11:40 AM

Ayende Rahien

Daniel,

Think about something like Azure, where you are actually charged for those sort of things. You just gave ANONYMOUS_USER a credit line on your account.

And the main problem is that what you assume to be small won't always be small

17 Mar 2011
12:03 PM

Keith Bloom

Very good point. I was reading this post blog.serverfault.com/.../views-of-the-same-prob... which comes at the problem from a different angle.

In this situation a large result set, ~3000 rows, on the StackOverflow site. Now this query was bounded but the boundary was large. During operation it saturated the webs servers network connection. The post has a good explanation of how transferring large amounts of data is compounded by the way the data is broken apart for transmission. In this case it was the TCP packet size which compounded the problem. Any unbounded result set will suffer the same potential problems.

The post is through and includes some good links to tips which can help find the queries which are returning large datasets.

17 Mar 2011
22:50 PM

configurator

This isn't always an issue.

What if the data table is only editable by admins and is a system setting that would normally have 5-10 values? If they edit it obviously it would use more bandwidth but you would normally need all the possible values and not just a subset of them...

17 Mar 2011
23:39 PM

Daniel Hoelbling

My main concern with these unbounded result sets is not so much the exploitation..

Having someone exploit that usually means someone actually cares about your app (and 99% of the people don't)..

My main beef with that is that it's usually the kind of thing that comes back to bite me after 2 years in production. With users calling you telling you "the system is slow as hell and we have no clue why" ..

Throw in a little N+1 somewhere and your system performance is degrading gradually over time as the system grows.. Although none of the queries are a problem, the size of data you are pulling around will make the system crawl..

And I hate debugging that kind of problems ;)

Thank god I have NHProf, so at least my unbounded result sets that are in the App are intentional

18 Mar 2011
07:00 AM

Ayende Rahien

Configurator,

Then put a limit of 50 on it.

That way, if it ever grows too big, it is a bug in the program, and not a crashing emergency fix issue

18 Mar 2011
08:35 AM

Nick Aceves

"My main beef with that is that it's usually the kind of thing that comes back to bite me after 2 years in production"

^^^^ THIS.

While most of my problems with unbounded result sets are more philosophical in nature, I have been bitten TOO MANY TIMES by production code somebody else wrote that has this problem. I cannot count on two hands and two feet how many times this has come up for me even in the past year. And some of this code was written by "good" programmers... good programmers who didn't think ahead or thought "YAGNI".

The worst one actually brought a production server to its knees because someone requested did tried to do a search for "everything since inception" in one of our legacy applications. It OOMed the w3wp.exe instance that was running the app, crashing several other applications and causing the entire server's performance to go off a cliff. That led to me having to dig through logs, dust off my WinDBG skills, and spend hours figuring out what the cause was. All that instead of actually innovating and solving real business problems.

I'm hear to say that, from my experience, You ARE Going to Need It.

18 Mar 2011
08:37 AM

Nick Aceves

Wow, and my spelling and grammar both totally suck at 1:30 in the morning :)

18 Mar 2011
12:38 PM

Nick

@Nick Aceves

good and funny too.

YAGNI is a great concept. But people also use it as an excuse to be lazy. You build up loads of technical debt and then forget what you owe. And then you pay back the debt and the time to find out it takes "who" you owe the debt too.

18 Mar 2011
21:35 PM

Daniel

I've always seen this as more of a library issue, back when I had the energy bother, I'd wrap all NHibernate calls to force a maxresults if the user hadn't attempted to set one themselves (with the option of limiting to -1 for unbounded.)

I agree that it's something that always has to be set, but I don't really like it when my libraries set their default behavior to something outright dangerous.

18 Mar 2011
21:58 PM

João Bragança

I get this for free by using Rhino ESB. It prevents you from submitting a message with a collection with more than 256 items in it. And the message always contains a business key of some kind. So no one can POST an unbounded result set. If I make sure all my GETs use the business key when querying I can be fairly certain an actual unbounded result set won't happen.

18 Mar 2011
22:59 PM

Ayende Rahien

Joao,

That is because the same set of reasoning guided me when I built it

22 Mar 2011
18:17 PM

Craig Quillen

How do you deal with one to many association collections? Those are basically unbounded result sets too.

I think NHibernate has some method for setting a bound on the collection. What happens when such a "bounded" collection only loads a subset of the association and the association is subsequently modified? Do the items that were not loaded get deleted from the database?

21 Apr 2011
10:12 AM

remi bourgarel

Ayende,

The problem is that we can't always figure out the good boundaries in the data access layer : for instance I have an online booking system for hotel.

I select the first 10 hotels filling the user's request
I select theirs 20 first rooms
I select the 40 pricing strategies
I select the 100 first available dates

-> I get 0 results because the first 10 hotels want only 7 days stay and the user asked for 1 day.

Problem :

an hotel with availability might not be shown
a room with availability might not be shown
an available date might not be shown

Maybe it's a very stupid question, but how do you deal with that kind of problems ? (I don't think here the problematic is linked to nhibernate or any other ORM)

21 Apr 2011
10:17 AM

Ayende Rahien

Remi,

Start with selecting the hotels, then move from there. It is actually something that I would push into a service where they can answer those results much easier by building a specialized service just for that.

21 Apr 2011
10:28 AM

remi bourgarel

You mean that I should select my hotels more finely (ie : select only those who have available rooms at the right date) or that I should not apply boundaries to my request ? Frankly I didn't get your answer.

21 Apr 2011
10:39 AM

Ayende Rahien

Remi,

I'll have a full blog post about the topic.

But yes, the first part is to select only the ones who are actually available. Then you can fetch the rest of the required information.

The second part is to make this fast, you do that by creating a service dedicate to answering availability questions, and optimizing that in isolation.

21 Apr 2011
13:01 PM

remi bourgarel

OK, looking forward to your article.

But the thing is, the business rule to say that an hotel is available might be really hard to explain with only SQL (or this might slow down the process), or even to cache in a temporary table is too complex. So I can't do a query that'll return 50 available hotel.

Comment preview

Comments have been closed on this topic.

Markdown turns plain text formatting into fancy HTML formatting.

Phrase Emphasis

*italic*   **bold**
_italic_   __bold__

Links

Inline:

An [example](http://url.com/ "Title")

Reference-style labels (titles are optional):

An [example][id]. Then, anywhere
else in the doc, define the link:
  [id]: http://example.com/  "Title"

Images

Inline (titles are optional):

![alt text](/path/img.jpg "Title")

Reference-style:

![alt text][id]
[id]: /url/to/img.jpg "Title"

Headers

Setext-style:

Header 1
========
Header 2
--------

atx-style (closing #'s are optional):

# Header 1 #
## Header 2 ##
###### Header 6

Lists

Ordered, without paragraphs:

1.  Foo
2.  Bar

Unordered, with paragraphs:

*   A list item.
    With multiple paragraphs.
*   Bar

You can nest them:

*   Abacus
    * answer
*   Bubbles
    1.  bunk
    2.  bupkis
        * BELITTLER
    3. burper
*   Cunning

Blockquotes

> Email-style angle brackets
> are used for blockquotes.
> > And, they can be nested.
> #### Headers in blockquotes
> 
> * You can quote a list.
> * Etc.

Horizontal Rules

Three or more dashes or asterisks:

---
* * *
- - - -

Manual Line Breaks

End a line with two or more spaces:

Roses are red,   
Violets are blue.

Fenced Code Blocks

Code blocks delimited by 3 or more backticks or tildas:

```
This is a preformatted
code block
```

Header IDs

Set the id of headings with {#<id>} at end of heading line:

## My Heading {#myheading}

Tables

Fruit    |Color
---------|----------
Apples   |Red
Pears	 |Green
Bananas  |Yellow

Definition Lists

Term 1
: Definition 1
Term 2
: Definition 2

Footnotes

Body text with a footnote [^1]
[^1]: Footnote text here

Abbreviations

MDD <- will have title
*[MDD]: MarkdownDeep

Oren Eini

Oren Eini

CEO of RavenDB