rusty_racer 0.1.3 → 0.1.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 746bc2e7e881d601b38f6052fb45f4f87d72d4580a46ea738e2c716af6641f82
-  data.tar.gz: 4fcc456589eabd593e506d7c941b7fe95635400225aac9807908a008f63e73ad
+  metadata.gz: 329c875cb612dccca54a8c70302d26ad0a38b8a1821733aa6eac9c4795e77d8b
+  data.tar.gz: 4d2665db69e108f6ef37fa9d4f0ae4bc3224ab1756e911abec76cfad558f8bd4
 SHA512:
-  metadata.gz: 20aeb8c39cc3f321b5015b78ff2c4ae54553babd54735bbb256aeaea16c2428cccc03141a55c179ebad34822243d2d39508517df33f34d6236a7a368cbe274b5
-  data.tar.gz: 5ff495f94287dfd8464855d5e20c84c4743b91a3d320760decf17244dad5efa67c503b74dd2994792059e0f7236b10992157bfd5c4cb5681b02fe162b47a8a4d
+  metadata.gz: f95ae2f448af2ade88af369bea7c0b41c500e4028aeed04e34574e148c7d5f460ac068804bc49b409ab55ad352d063fcb0269064b27b1cf3a2a0453a8e245e2f
+  data.tar.gz: 4b853defb2dbde4c0455b9eefb5b6ba9d40002e94953f5d1540c4035087e8128c6b6df843463429b0e5cbcb404a0d1a1c625d13a24fee301a300eaf50dc9ad84

data/README.md

@@ -23,7 +23,9 @@ Embed [V8](https://v8.dev/) in Ruby, built on [rusty_v8](https://crates.io/crate
 - **Snapshots, realms (`Context`s), host callbacks, and a bytecode cache.**
 - **Resource limits on both axes** — a `timeout_ms` (time) and a `memory_limit`
   (space), each catchable: a runaway script fails just its own `eval`, leaving
-  the isolate usable, instead of aborting the process.
+  the isolate usable, instead of aborting the process. A heap runaway is caught
+  even with no explicit `memory_limit` — V8's default ceiling raises instead of
+  aborting.
 - **Precompiled gems** bundle V8 for Linux/macOS × Ruby 3.3–4.0 — no V8 build,
   no Rust toolchain.
 
@@ -106,6 +108,13 @@ iso.context.eval("a = []; for (;;) a.push(new Array(1e6))")
 iso.context.eval("1 + 1")                # => 2 (still usable)
 ```
 
+Even without an explicit `memory_limit`, a heap runaway raises
+`V8OutOfMemoryError` against V8's own default ceiling (~2 GB on 64-bit) rather
+than aborting the process — pass `memory_limit:` for a tighter bound. (One
+caveat: if the process's available memory — e.g. a container cgroup limit — sits
+below the active ceiling, the OS may kill the process before V8's callback
+fires; set an explicit `memory_limit` under that bound to keep it catchable.)
+
 ### Bytecode caching
 
 V8 compiles lazily: the top level up front, each function body on first call.

data/ext/rusty_racer/Cargo.toml

@@ -4,7 +4,7 @@
 # libv8-rusty needed under the cibuildgem native-per-platform model).
 [package]
 name = "rusty_racer"
-version = "0.1.3"
+version = "0.1.4"
 edition = "2021"
 publish = false
 

data/ext/rusty_racer/src/lib.rs

@@ -190,25 +190,36 @@ enum VmError {
     OutOfMemory, // memory_limit hit -> RustyRacer::V8OutOfMemoryError
 }
 
-// V8's near-heap-limit callback (registered per isolate when memory_limit > 0).
-// V8 calls this, synchronously on the owner thread, when a GC still leaves the
-// heap about to exceed the configured ceiling — i.e. the script is running away
-// on memory. `data` is the isolate ptr we registered (Core.iso_ptr). We flag the
-// isolate and terminate the running JS so it unwinds with a catchable error
-// rather than V8 aborting the process. The return value becomes V8's new ceiling:
-// hand it a DOUBLED limit so the unwind itself (and any pending finalizers) has
-// room to allocate without tripping a hard OOM abort mid-unwind. Core::run, once
-// the op has unwound, forces a GC to reclaim and resets the ceiling — see the OOM
-// recovery there. The bump is a no-op-after-the-fact: doubling here, GC + reset
-// after, so the limit keeps protecting later ops.
-unsafe extern "C" fn near_heap_limit_cb(data: *mut c_void, current_heap_limit: usize, _initial: usize) -> usize {
+// V8's near-heap-limit callback (registered on EVERY isolate). V8 calls this,
+// synchronously on the owner thread, when a GC still leaves the heap about to
+// exceed the current ceiling — i.e. the script is running away on memory. That
+// ceiling is the configured memory_limit when one was set, otherwise V8's own
+// platform-derived default (the default-protection path), so a runaway raises a
+// catchable error either way instead of aborting the process. `data` is the
+// isolate ptr we registered (Core.iso_ptr). We flag the isolate and terminate the
+// running JS so it unwinds with that catchable error. The return value becomes
+// V8's new ceiling: hand it a DOUBLED limit so the unwind itself (and any pending
+// finalizers) has room to allocate without tripping a hard OOM abort mid-unwind.
+// Core::run, once the op has unwound, forces a GC to reclaim and resets the
+// ceiling — see the OOM recovery there. The bump is a no-op-after-the-fact:
+// doubling here, GC + reset after, so the limit keeps protecting later ops.
+unsafe extern "C" fn near_heap_limit_cb(data: *mut c_void, current_heap_limit: usize, initial: usize) -> usize {
     let isolate = unsafe { &mut *(data as *mut v8::Isolate) };
     // get_slot_mut (not istate!): this runs as an extern "C" callback from V8's
     // C++ allocator, where a panic would unwind across the FFI boundary. The slot
     // is always present once an op can run (set in Isolate::new before any JS), but
     // skip flagging rather than .expect()-panic in the impossible absent case.
-    // Setting the flag releases the &mut borrow before terminate_execution (&self).
-    if isolate.get_slot_mut::<IsolateState>().map(|s| s.oom_fired = true).is_some() {
+    // The closure releases the &mut borrow before terminate_execution (&self).
+    // Also record V8's `initial` ceiling so recovery can restore it when no
+    // explicit memory_limit was set (see oom_initial_limit).
+    let flagged = isolate
+        .get_slot_mut::<IsolateState>()
+        .map(|s| {
+            s.oom_fired = true;
+            s.oom_initial_limit = initial;
+        })
+        .is_some();
+    if flagged {
         isolate.terminate_execution();
     }
     current_heap_limit.saturating_mul(2)
@@ -567,12 +578,18 @@ struct IsolateState {
     instantiate_resolve: Option<RootedProc>,
     instantiate_resolve_err: Option<BoxValue<Exception>>,
     watchdog: Arc<WatchdogShared>,
-    // Set by near_heap_limit_cb when the configured memory_limit is hit: it
-    // terminates the running JS, and Core::run reads this after the op to relabel
-    // the terminate as OutOfMemory and recover the heap (GC + reset the ceiling).
+    // Set by near_heap_limit_cb when the heap ceiling is hit: it terminates the
+    // running JS, and Core::run reads this after the op to relabel the terminate as
+    // OutOfMemory and recover the heap (GC + reset the ceiling).
     // Plain bool (no atomic): the callback fires synchronously on the owner thread,
     // never concurrently with the bracket that reads it.
     oom_fired: bool,
+    // V8's original heap ceiling, captured from the callback's `initial` argument
+    // when it fires. Recovery resets the ceiling to memory_limit when one was set,
+    // but with no explicit limit (the default-protection path) the ceiling IS V8's
+    // platform-derived default, whose value we don't otherwise know — so we restore
+    // to this captured initial instead. 0 until the callback has fired at least once.
+    oom_initial_limit: usize,
 }
 
 impl IsolateState {
@@ -595,6 +612,7 @@ impl IsolateState {
             instantiate_resolve_err: None,
             watchdog: WatchdogShared::new(),
             oom_fired: false,
+            oom_initial_limit: 0,
         }
     }
 }
@@ -1085,10 +1103,12 @@ struct Core {
     // Default per-eval/call timeout (ms); 0 = none. eval(timeout_ms:)'s explicit
     // value overrides it. Guards against an in-V8 infinite loop without a watchdog.
     default_timeout_ms: u64,
-    // Per-isolate heap ceiling (bytes); 0 = none. When set, the isolate is created
-    // with this as V8's max heap and near_heap_limit_cb is registered; Core::run's
-    // OOM recovery resets the ceiling back to this after each OOM. Space-axis twin
-    // of default_timeout_ms.
+    // Per-isolate heap ceiling (bytes); 0 = V8's default ceiling. When set, the
+    // isolate is created with this as V8's max heap; near_heap_limit_cb is registered
+    // either way (against this ceiling when set, V8's default otherwise), so a runaway
+    // is always catchable rather than a process abort. Core::run's OOM recovery resets
+    // the ceiling after each OOM (to this when set, else V8's captured default — see
+    // oom_initial_limit). Space-axis twin of default_timeout_ms.
     memory_limit: usize,
     // Set by Context#dynamic_import_resolver=; called for a JS import() to map
     // (specifier, referrer) to an already-loaded Module. GC-rooted like procs.
@@ -1514,8 +1534,8 @@ fn build_snapshot(code: &str, base: Option<Vec<u8>>, warmup: bool) -> Result<Vec
                         VmError::Parse(m) | VmError::Runtime(m) => m,
                         VmError::JsError { message, .. } => message,
                         VmError::Terminated => "snapshot code was terminated".to_string(),
-                        // Unreachable: the snapshot-creator isolate carries no
-                        // memory_limit, so near_heap_limit_cb is never registered.
+                        // Unreachable: the snapshot-creator is a separate isolate
+                        // that never registers near_heap_limit_cb.
                         VmError::OutOfMemory => "snapshot code ran out of memory".to_string(),
                     });
                 }
@@ -1565,6 +1585,8 @@ impl Isolate {
         };
         // Cap V8's heap at the configured limit so its near-heap-limit callback
         // fires as the script approaches it (initial 0 = V8's default initial heap).
+        // With no explicit limit the callback is still registered below, against
+        // V8's own default ceiling, so a runaway raises instead of aborting.
         if memory_limit > 0 {
             create_params = create_params.heap_limits(0, memory_limit);
         }
@@ -1607,12 +1629,12 @@ impl Isolate {
         // registry moves only the 8-byte pointer; the boxed OwnedIsolate stays put.
         let mut boxed = Box::new(isolate);
         let iso_ptr = IsoPtr(&mut **boxed as *mut v8::Isolate);
-        // Arm the memory limit now that iso_ptr is stable: the callback's data IS
-        // this ptr (it reads the slot's oom_fired and terminates through it), and
-        // Core::run resets the ceiling through the same ptr on recovery.
-        if memory_limit > 0 {
-            boxed.add_near_heap_limit_callback(near_heap_limit_cb, iso_ptr.0 as *mut c_void);
-        }
+        // Arm the heap-limit callback now that iso_ptr is stable: the callback's
+        // data IS this ptr (it reads the slot's oom_fired and terminates through
+        // it), and Core::run resets the ceiling through the same ptr on recovery.
+        // Registered unconditionally — with memory_limit it guards that ceiling,
+        // without one it guards V8's default ceiling (catchable, not a process abort).
+        boxed.add_near_heap_limit_callback(near_heap_limit_cb, iso_ptr.0 as *mut c_void);
         let iso_id = NEXT_ISOLATE_ID.fetch_add(1, Ordering::SeqCst);
         isolates().lock().unwrap().insert(iso_id, SendIso(boxed));
         // Root the owner Thread VALUE so its address can't be reused while this
@@ -1735,19 +1757,26 @@ impl Core {
                 // OOM recovery. The near-heap-limit callback bumped the ceiling and
                 // terminated the op so it could unwind; the scope is closed and JS has
                 // stopped now. Reclaim the runaway allocation (a forced GC) and reset
-                // the ceiling back to memory_limit so the limit keeps protecting later
-                // ops, then relabel the terminate as OutOfMemory. watchdog_fired stays
-                // false for an OOM, so the request's end-sweep left the terminate flag
-                // set — cancel it here.
-                if self.memory_limit > 0 && std::mem::take(&mut istate!(unsafe { &mut *iso }).oom_fired) {
+                // the ceiling so the limit keeps protecting later ops, then relabel the
+                // terminate as OutOfMemory. watchdog_fired stays false for an OOM, so
+                // the request's end-sweep left the terminate flag set — cancel it here.
+                if std::mem::take(&mut istate!(unsafe { &mut *iso }).oom_fired) {
                     let iso_ref = unsafe { &mut *iso };
+                    // The ceiling to restore: the configured memory_limit when one was
+                    // set, otherwise V8's default ceiling, which the callback captured
+                    // in oom_initial_limit (we don't otherwise know its value).
+                    let restore_to = if self.memory_limit > 0 {
+                        self.memory_limit
+                    } else {
+                        istate!(iso_ref).oom_initial_limit
+                    };
                     // Reclaim the runaway allocation, then reset the ceiling from the
-                    // doubled bump back to memory_limit (V8 clamps it no lower than the
+                    // doubled bump back to restore_to (V8 clamps it no lower than the
                     // live heap — a genuinely-retained set above the limit necessarily
                     // loosens it, inherent to recovering the isolate rather than
                     // discarding it), and re-arm the callback for the next op.
                     iso_ref.low_memory_notification();
-                    iso_ref.remove_near_heap_limit_callback(near_heap_limit_cb, self.memory_limit);
+                    iso_ref.remove_near_heap_limit_callback(near_heap_limit_cb, restore_to);
                     iso_ref.add_near_heap_limit_callback(near_heap_limit_cb, iso as *mut c_void);
                     // Clear the terminate the OOM set (the request end-sweep skips it —
                     // that only sweeps watchdog_fired). Do this AFTER the GC: the forced
@@ -2173,9 +2202,8 @@ impl Core {
         // runs V8's teardown GC, which could otherwise re-invoke near_heap_limit_cb
         // (touching the just-reset slot of an isolate being destroyed). The watchdog
         // is already stopped above; this closes the matching space-axis hole.
-        if self.memory_limit > 0 {
-            unsafe { &mut *self.iso_ptr.0 }.remove_near_heap_limit_callback(near_heap_limit_cb, 0);
-        }
+        // Registered unconditionally (default protection), so always remove it.
+        unsafe { &mut *self.iso_ptr.0 }.remove_near_heap_limit_callback(near_heap_limit_cb, 0);
         // Remove (and drop) the OwnedIsolate — V8 disposal runs here — AFTER the
         // watchdog joined and the Globals were cleared, while the isolate is
         // entered (above). Drop outside the lock so V8 teardown can't deadlock on

data/lib/rusty_racer/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module RustyRacer
-  VERSION = "0.1.3"
+  VERSION = "0.1.4"
 end

data/lib/rusty_racer.rb

@@ -27,8 +27,9 @@ module RustyRacer
   class ParseError < EvalError; end
   class RuntimeError < EvalError; end
   class ScriptTerminatedError < EvalError; end
-  # Raised when JS allocation exceeds the isolate's memory_limit. Catchable like
-  # any eval error — a runaway script fails its own eval instead of aborting the
+  # Raised when JS allocation exceeds the isolate's heap ceiling (the configured
+  # memory_limit, or V8's default ceiling when none was set). Catchable like any
+  # eval error — a runaway script fails its own eval instead of aborting the
   # process. The space-axis twin of ScriptTerminatedError (the time axis).
   class V8OutOfMemoryError < EvalError; end
   class SnapshotError < Error; end
@@ -45,12 +46,19 @@ module RustyRacer
     # Keyword-arg constructor over the positional Rust primitive. A snapshot
     # (RustyRacer::Snapshot) boots the isolate with its baked-in state;
     # timeout_ms caps each eval/call (0 = no limit) against in-V8 infinite
-    # loops. memory_limit caps the V8 heap in bytes (0 = no limit): a script
-    # that exceeds it is terminated and raises V8OutOfMemoryError rather than
-    # aborting the process, and the isolate stays usable afterward. It is a soft
-    # limit — V8 enforces it at GC granularity, so usage may briefly overshoot,
-    # and it must comfortably exceed the isolate's baseline (and any snapshot's
-    # baked-in heap), since the limit is only armed once the isolate has booted.
+    # loops. memory_limit caps the V8 heap in bytes: a script that exceeds the
+    # ceiling is terminated and raises V8OutOfMemoryError rather than aborting
+    # the process, and the isolate stays usable afterward. 0 (the default) does
+    # NOT disable this — it leaves V8's own platform-derived default ceiling
+    # (typically ~2 GB on 64-bit) in place, so a runaway is still catchable
+    # instead of a fatal abort; pass a smaller value for a tighter bound. It is
+    # a soft limit — V8 enforces it at GC granularity, so usage may briefly
+    # overshoot, and an explicit limit must comfortably exceed the isolate's
+    # baseline (and any snapshot's baked-in heap), since it is only armed once
+    # the isolate has booted. Caveat: if the process's available memory (e.g. a
+    # container cgroup limit) is below the active ceiling, the OS may kill the
+    # process before V8's callback fires — set an explicit memory_limit under
+    # that bound to keep the error catchable.
     # microtasks mirrors V8's kAuto/kExplicit: :auto (default) drains
     # the microtask queue when the outermost eval/call/run/evaluate completes
     # (the standard embedder contract); :explicit drains only on

metadata

@@ -1,11 +1,11 @@
 --- !ruby/object:Gem::Specification
 name: rusty_racer
 version: !ruby/object:Gem::Version
-  version: 0.1.3
+  version: 0.1.4
 platform: ruby
 authors:
 - Keita Urashima
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
 date: 2026-06-14 00:00:00.000000000 Z
@@ -54,7 +54,7 @@ metadata:
   source_code_uri: https://github.com/ursm/rusty_racer
   bug_tracker_uri: https://github.com/ursm/rusty_racer/issues
   rubygems_mfa_required: 'true'
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -70,7 +70,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubygems_version: 3.5.22
-signing_key: 
+signing_key:
 specification_version: 4
 summary: Embed V8 in Ruby via rusty_v8 + Magnus (rb-sys)
 test_files: []