A way to limit non-heap allocations (i.e. V8 "Large Object Storage" / `Deno.memoryUsage().external`) in Web Workers for untrusted code

[josephrocca]

Context: I have a use case where I need to run some untrusted¹ code in a Worker without it being able to crash the whole Deno process.

To briefly summarize:

• ✅ Limiting heap memory: This is possible via a custom build using create_params.heap_limits and js_runtime.add_near_heap_limit_callback.
  • Full step-by-step instructions on how to do that (somewhat crudely, via a WEB_WORKER_HEAP_LIMIT_BYTES env variable): https://gist.github.com/josephrocca/cf66802299505c51933413521a16a8b5
• ❌ Limiting non-heap memory: If I understand correctly, V8 allocates large ArrayBuffers and typed arrays to a non-heap memory area - the "Large Object Space". I'm not sure if/how this can be limited in a robust way.
  • My current workaround: Add some code in the Worker that runs during init, which replaces ArrayBuffer and all typed arrays with copies that intercept and check that the bytes being allocated + Deno.memoryUsage().external will not exceed a threshold. Luckily Deno.memoryUsage().external does seem to be specific to the Web Worker that it's called from. But in general I'm not sure how full-proof this strategy is.

So I'm wondering:

1. Is there currently any deno_core or rusty_v8 feature which could allow limiting the Large Object Space size for a Web Worker?
2. Is there any chance of something like workerOptions.deno.memoryLimit.heap and workerOptions.deno.memoryLimit.external, so that a custom build wouldn't be required?

Related:

• Core: Allow fine-grained heap memory control #6916
• core: memory limits & callbacks #6914
• How can Worker memory usage be managed ? #12637 @ykahlon @inverted-capital
• Limiting the whole process memory usage is simple: https://stackoverflow.com/questions/66258381/how-to-limit-deno-memory-and-cpu-usage But is not what I'm trying to achieve here.
• https://docs.deno.com/api/node/v8/~/setHeapSnapshotNearHeapLimit
• https://docs.deno.com/api/node/worker_threads/~/ResourceLimits
  • Deno ignores ResourceLimits for node:worker_threads #26156
• I considered using the v8 debugger protocol to monitor worker's memory, and terminate it if it exceeds threshold. But I think having debugger attached might slow down the performance significantly? And possibly wouldn't prevent "sudden" very large allocations from crashing the process. I'm not sure. I'm also not sure if it only supports heap memory monitoring.
• https://github.com/quickjs-ng/quickjs - For reference, some people may find this useful depending on what they're trying to achieve, since Deno supports running Web Assembly, of course. But note that since it doesn't have a JIT, I think it would be orders of magnitude slower than V8 for ~intensive tasks. And of course, there are a lot of things missing if you need a full web-compatible runtime (e.g. even stuff like setInterval needs to be implemented manually IIUC.
• Throttling of deno execution deno_core#629

---

[1] By "untrusted" I don't mean that I need to worry about Spectre-type security issues. I just need to prevent it from crashing the process due to memory usage issues.

[lucacasonato]

@josephrocca I think this falls outside of our security model. A user could allocate memory outside of V8's external heap, inside of the Rust heap. For example they could open a bunch of files.

It is too expensive for us to do heap size checks on every allocation in the entire system, so I suggest a better thing to do would be to use a subprocess and linux cgroups to enforce memory limits.

[josephrocca]

Ah gotcha. I did look into OS stuff, but thought that it wouldn't be possible to apply limits to threads, which IIUC is what workers are. But maybe what you mean is one Deno process per worker, but in that case the per-worker memory usage/overhead is way too large.

Anyway, since this is likely not within scope, I'll close this. Thanks for the response!

(In case others hit this issue via a web search, perhaps the best approach for now is QuickJS which can be run within Deno, and possibly combined with Porffor for hot/performance-sensitive code, when it becomes more stable.)

[GwiYeong]

@josephrocca hello. I'm struggling with the same problem and wanted to ask you a question.
Can you give me a example of what you eventually chose and how you implemented it?
I am also researching Deno as it is very attractive in that it can run without node_modules.
Is it possible to achieve memory limiting through QuickJS while using Deno's own module system?

[josephrocca]

I put that project on hold so I don't have an answer for you but you run run QuickJS in Deno: https://github.com/justjake/quickjs-emscripten