feat: add memory limit option for cooperative cancellation

[rohan-b99]

Adds a memory_limit option to the experimental_cooperative_cancellation configuration that allows you to set a maximum memory allocation limit for query planning operations. When the memory limit is exceeded during query planning, the router will:

• In enforce mode: Cancel the query planning task and return an error to the client
• In measure mode: Record the cancellation outcome in metrics but allow the query planning to complete

In both modes, the query will be logged in a warn message.

The memory limit works alongside the existing timeout option, and whichever limit is reached first will trigger cancellation. This feature helps prevent excessive memory usage from complex queries or query planning operations that consume too much memory.

Platform requirements: This feature is only available on Unix platforms when the global-allocator feature is enabled and dhat-heap is not enabled (same requirements as memory tracking metrics).

Example configuration:

supergraph:
  query_planning:
    experimental_cooperative_cancellation:
      enabled: true
      mode: enforce  # or "measure" to only record metrics
      memory_limit: 50mb  # Supports formats like "50mb", "1gb", "1024kb", etc.
      timeout: 5s  # Optional: can be combined with memory_limit

---

Checklist

Complete the checklist (and note appropriate exceptions) before the PR is marked ready-for-review.

• PR description explains the motivation for the change and relevant context for reviewing
• PR description links appropriate GitHub/Jira tickets (creating when necessary)
• Changeset is included for user-facing changes
• Changes are compatible¹
• Documentation² completed
• Performance impact assessed and acceptable
• Metrics and logs are added³ and documented
• Tests added and passing⁴
  • Unit tests
  • Integration tests
  • Manual tests, as necessary

Exceptions

Note any exceptions here

Notes

Footnotes

1. It may be appropriate to bring upcoming changes to the attention of other (impacted) groups. Please endeavour to do this before seeking PR approval. The mechanism for doing this will vary considerably, so use your judgement as to how and when to do this. ↩

2. Configuration is an important part of many changes. Where applicable please try to document configuration examples. ↩

3. A lot of (if not most) features benefit from built-in observability and debug-level logs. Please read this guidance on metrics best-practices. ↩

4. Tick whichever testing boxes are applicable. If you are adding Manual Tests, please document the manual testing (extensively) in the Exceptions. ↩

[apollo-librarian]

✅ Docs preview has no changes

The preview was not built because there were no changes.

Build ID: ca679689729cf46982242e1c
Build Logs: View logs

[aaronArinder]

🙏

[aaronArinder]

I think getting the current stats happens in the main thread, no? It looks like the task is returned below; so, if we panic here, we'll unwind all the way to program termination; should we emit a warning/error instead and continue on as though cooperative cancellation isn't in enforce mode?

[rohan-b99]

Good catch, I've changed this to log an error and continue instead

[aaronArinder]

all the pain and sorrow that this line could have helped us avoid ❤️

[aaronArinder]

this will panic if it actually turns out to be unreachable for some reason (like someone being too quick with a refactor); should we return a CacheResolverError instead? That might save us a hard conversation with a customer later, but it's also sort of unlikely that someone would refactor this into a real panic without someone else catching it before merging

[rohan-b99]

Good forward thinking - since the underlying mode is an enum anyway, I removed the if and changed to a match so we only have the 2 cases to deal with in the first place