A way to limit non-heap allocations (i.e. V8 "Large Object Storage" / Deno.memoryUsage().external) in Web Workers for untrusted code

[josephrocca]

Context: I have a use case where I need to run some untrusted¹ code in a Worker without it being able to crash the whole Deno process.

To briefly summarize:

• ✅ Limiting heap memory: This is possible via a custom build using create_params.heap_limits and js_runtime.add_near_heap_limit_callback.
  • Full step-by-step instructions on how to do that (somewhat crudely, via a WEB_WORKER_HEAP_LIMIT_BYTES env variable): https://gist.github.com/josephrocca/cf66802299505c51933413521a16a8b5
• ❌ Limiting non-heap memory: If I understand correctly, V8 allocates large ArrayBuffers and typed arrays to a non-heap memory area - the "Large Object Space". I'm not sure if/how this can be limited in a robust way.
  • My current workaround: Add some code in the Worker that runs during init, which replaces ArrayBuffer and all typed arrays with copies that intercept and check that the bytes being allocated + Deno.memoryUsage().external will not exceed a threshold. Luckily Deno.memoryUsage().external does seem to be specific to the Web Worker that it's called from. But in general I'm not sure how full-proof this strategy is.

So I'm wondering:

1. Is there currently any deno_core or rusty_v8 feature which could allow limiting the Large Object Space size for a Web Worker?
2. Is there any chance of something like workerOptions.deno.memoryLimit.heap and workerOptions.deno.memoryLimit.external, so that a custom build wouldn't be required?

Related:

• Core: Allow fine-grained heap memory control #6916
• core: memory limits & callbacks #6914
• How can Worker memory usage be managed ? #12637 @ykahlon @inverted-capital
• Limiting the whole process memory usage is simple: https://stackoverflow.com/questions/66258381/how-to-limit-deno-memory-and-cpu-usage But is not what I'm trying to achieve here.
• https://docs.deno.com/api/node/v8/~/setHeapSnapshotNearHeapLimit
• https://docs.deno.com/api/node/worker_threads/~/ResourceLimits
  • ResourceLimits don't work for node:worker_threads #26156
• I considered using the v8 debugger protocol to monitor worker's memory, and terminate it if it exceeds threshold. But I think having debugger attached might slow down the performance significantly? And possibly wouldn't prevent "sudden" very large allocations from crashing the process. I'm not sure. I'm also not sure if it only supports heap memory monitoring.
• https://github.com/quickjs-ng/quickjs - For reference, some people may find this useful depending on what they're trying to achieve, since Deno supports running Web Assembly, of course. But note that since it doesn't have a JIT, I think it would be orders of magnitude slower than V8 for ~intensive tasks. And of course, there are a lot of things missing if you need a full web-compatible runtime (e.g. even stuff like setInterval needs to be implemented manually IIUC.
• Throttling of deno execution deno_core#629

---

[1] By "untrusted" I don't mean that I need to worry about Spectre-type security issues. I just need to prevent it from crashing the process due to memory usage issues.

[lucacasonato]

@josephrocca I think this falls outside of our security model. A user could allocate memory outside of V8's external heap, inside of the Rust heap. For example they could open a bunch of files.

It is too expensive for us to do heap size checks on every allocation in the entire system, so I suggest a better thing to do would be to use a subprocess and linux cgroups to enforce memory limits.