Quoth Shawn Fox <shawnkfox@gmail.com>, on 2010-08-15 00:03:49 -0500:
> I think that capping memory is such a common requirement that it ought to be
> part of the standard Lua implementation.  I don't care if it is by calling
> lua_gc or some other method, the point is that I should just be able to set
> a hard cap for memory and cpu usage in a sandbox environment and Lua should
> just abort if it goes over that limit.

That sounds like a prime candidate for Unix rlimits or similar
enforcement at the operating system level.  Particularly, measuring
the actual CPU usage of only a piece of a program can be tricky to do
without making everything slow in the process.  (I suppose the latter
doesn't actually say much, though.)

> Considering that Lua is generally used as an embedded language the
> requirement to be able to cap memory and CPU usage seems to be something
> that would be built into the language.

Embedded doesn't necessarily imply such intense trust boundaries.
E.g., using Lua to describe the behavior of game levels (which was my
first encounter with it, in Enigma) doesn't natively require or hugely
benefit from resource limits in many cases.  Or using a stripped-down
Lua in a robotics situation, or as a configuration language where
control of the configuration essentially implies control of the
process already, or for scripting a text editor or a graphics program
or...

> I'm using Lua (actually LuaJIT 2.0 beta4)  in a situation where users can
> submit arbitrary Lua code for execution in a massively parallel compute
> grid.  A single execution could be spread across 100s of systems and I'd
> like a good way to limit CPU and memory usage on any individual system.  The
> best case for me would be a new API call that allows me to specify a max
> memory and cpu usage, something like:
> 
> lua_pcall_limit(L, nargs, nresults, errorfunction, maxmemory, maxcpu);

Note that in a shared global state, a memory cap on only part of the
state is nearly nonsense unless you start tracking which objects were
allocated from which quotas of memory (ick).  CPU is at least more
well-defined within a contiguous chunk of time.

   ---> Drake Wilson
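The `lua_pcall_limit()` sketched in the quoted message, approximated in pure Lua as an added example (not code from either poster): it assumes Lua 5.1 / LuaJIT library calls (`debug.sethook` count hooks, `collectgarbage("count")`, `loadstring`) and interpreter semantics, and `pcall_limit` plus the two constructed chunks are hypothetical names. It also makes Drake's point visible: the memory figure is for the whole Lua state, not for the chunk alone.

```lua
-- Added example, not from the thread. Stand-in for the requested
-- lua_pcall_limit(L, nargs, nresults, errf, maxmemory, maxcpu), written in
-- plain Lua 5.1 / LuaJIT. "CPU" is approximated by a VM instruction budget
-- (count hook); memory by collectgarbage("count"), which measures the whole
-- Lua state, so the cap is really on total heap growth while the untrusted
-- chunk runs, not on what that chunk alone allocated.
local unpack = table.unpack or unpack

local function pcall_limit(fn, max_kb, max_instructions, ...)
  local check_every = 1000                        -- instructions between checks
  local baseline_kb = collectgarbage("count")     -- heap already owned by host
  local executed = 0

  local function hook()
    executed = executed + check_every
    if executed > max_instructions then
      error("cpu limit exceeded (" .. max_instructions .. " instructions)", 0)
    end
    -- Includes not-yet-collected garbage, so this is a conservative ceiling.
    if collectgarbage("count") - baseline_kb > max_kb then
      error("memory limit exceeded (" .. max_kb .. " KB)", 0)
    end
  end

  debug.sethook(hook, "", check_every)            -- count hook only
  local results = { pcall(fn, ...) }              -- hook errors land here
  debug.sethook()                                 -- clear it on every path
  collectgarbage("collect")                       -- release the chunk's garbage
  return unpack(results)
end

-- Constructed demo: untrusted code arrives as source text (as in the grid
-- scenario), so it is compiled first and only executed under the limits.
local load_chunk = loadstring or load
local runaway = load_chunk("while true do end")
local hog = load_chunk("local t = {} for i = 1, 1e9 do t[i] = {} end")

print(pcall_limit(runaway, 1024, 1e6))   -- stopped by the instruction budget
print(pcall_limit(hog, 1024, 1e8))       -- stopped by the heap ceiling
```

On LuaJIT, check how already-compiled traces interact with the count hook before relying on the instruction budget; the hook only fires on interpreted bytecode.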