Merge pull request #7169 from aaronb-stacks/feat/defensive-memcheck

Feat: add defensive memory allocation for miners/signers

Author: aaronb-stacks

changelog.d/defensive-mem-allocation.added

@@ -0,0 +1 @@
+Add defensive memory allocation checks for miners and signers. This adds two new config options: `max_assembly_mem_bytes` and `block_proposal_max_tx_mem_bytes`

clarity/src/vm/analysis/errors.rs

@@ -561,6 +561,11 @@ pub enum RuntimeCheckErrorKind {
     /// Unexpected condition or failure in the type-checker, indicating a catastrophic bug or invalid state.
     Unreachable(String),
 
+    /// Execution was deliberately aborted by the per-`eval` abort callback.
+    /// (e.g., by the memory limit enforcement in block proposal validation or
+    ///  miner block assembly)
+    AbortedByExecutionHook(String),
+
     // List typing errors
     /// List elements have mismatched types, violating type consistency.
     ListTypesMustMatch,
@@ -662,10 +667,12 @@ pub struct StaticCheckError {
 
 impl RuntimeCheckErrorKind {
     /// This check indicates that the transaction should be rejected.
-    /// Currently identical to `is_unreachable()` since `Unreachable` is the only
-    /// rejectable variant, but they answer different questions and may diverge.
     pub fn rejectable(&self) -> bool {
-        matches!(self, RuntimeCheckErrorKind::Unreachable(_))
+        matches!(
+            self,
+            RuntimeCheckErrorKind::Unreachable(_)
+                | RuntimeCheckErrorKind::AbortedByExecutionHook(_)
+        )
     }
 
     /// Returns true if this error is an unreachable error, indicating a potential bug.

clarity/src/vm/contexts.rs

@@ -22,6 +22,7 @@ use std::time::{Duration, Instant};
 use clarity_types::representations::ClarityName;
 use serde::Serialize;
 use serde_json::json;
+use stacks_common::alloc_tracker::{AllocationCounter, thread_allocated};
 use stacks_common::types::StacksEpochId;
 use stacks_common::types::chainstate::StacksBlockId;
 
@@ -275,6 +276,58 @@ pub enum ExecutionTimeTracker {
     },
 }
 
+/// Per-`eval` abort check. This operates alongside the execution time
+/// tracker.
+///
+/// The `None` variant is a no-op (the common case during
+/// block append/replay); other variants encode specific abort
+/// conditions and are dispatched statically via match.
+#[derive(Clone)]
+pub enum AbortCallback {
+    /// No abort check.
+    None,
+    /// Abort when net heap allocation since `baseline` exceeds
+    /// `limit_bytes` (per-thread).
+    ///
+    /// Used by miner block assembly and proposal validation.
+    MemAbort {
+        baseline: AllocationCounter,
+        limit_bytes: u64,
+    },
+    /// Test fixture: always aborts with the given reason.
+    #[cfg(test)]
+    AlwaysAbort(String),
+}
+
+impl AbortCallback {
+    /// Run the abort check.
+    ///
+    /// Returns:
+    ///   * `Ok(())` to continue
+    ///   * `Err(reason)` to abort execution with
+    ///     `RuntimeCheckErrorKind::AbortedByExecutionHook`.
+    pub fn check(&self) -> Result<(), String> {
+        match self {
+            Self::None => Ok(()),
+            Self::MemAbort {
+                baseline,
+                limit_bytes,
+            } => {
+                let net_alloc = thread_allocated().net_allocated(baseline);
+                if net_alloc > *limit_bytes {
+                    Err(format!(
+                        "Transaction heap usage ({net_alloc} bytes) exceeded limit ({limit_bytes} bytes)"
+                    ))
+                } else {
+                    Ok(())
+                }
+            }
+            #[cfg(test)]
+            Self::AlwaysAbort(reason) => Err(reason.clone()),
+        }
+    }
+}
+
 /** GlobalContext represents the outermost context for a single transaction's
      execution. It tracks an asset changes that occurred during the
      processing of the transaction, whether or not the current context is read_only,
@@ -294,6 +347,11 @@ pub struct GlobalContext<'a, 'hooks> {
     pub chain_id: u32,
     pub eval_hooks: Option<Vec<&'hooks mut dyn EvalHook>>,
     pub execution_time_tracker: ExecutionTimeTracker,
+    /// Callback checked at every `eval` call. When `check()` returns
+    /// `Err(reason)`, execution is aborted with
+    /// `VmExecutionError::RuntimeCheck(AbortedByExecutionHook)`. The
+    /// default `AbortCallback::None` is a no-op.
+    pub abort_callback: AbortCallback,
 }
 
 #[derive(Serialize, Deserialize, Clone)]
@@ -739,6 +797,11 @@ impl<'a, 'hooks> OwnedEnvironment<'a, 'hooks> {
         }
     }
 
+    /// Set an abort callback that will be checked at every `eval` call.
+    pub fn set_abort_callback(&mut self, callback: AbortCallback) {
+        self.context.abort_callback = callback;
+    }
+
     pub fn get_exec_environment<'b>(
         &'b mut self,
         sender: Option<PrincipalData>,
@@ -1703,6 +1766,7 @@ impl<'a, 'hooks> GlobalContext<'a, 'hooks> {
             chain_id,
             eval_hooks: None,
             execution_time_tracker: ExecutionTimeTracker::NoTracking,
+            abort_callback: AbortCallback::None,
         }
     }
 

clarity/src/vm/costs/mod.rs

@@ -853,6 +853,7 @@ impl LimitedCostTracker {
         Self::Free
     }
 
+    /// Return the default cost contract name for the provided epoch.
     pub fn default_cost_contract_for_epoch(epoch_id: StacksEpochId) -> Result<String, CostErrors> {
         let result = match epoch_id {
             StacksEpochId::Epoch10 => {

clarity/src/vm/mod.rs

@@ -483,22 +483,31 @@ pub fn apply_evaluated(
     )
 }
 
-fn check_max_execution_time_expired(
+/// Check for interpreter-level abort conditions.
+///
+/// Currently, this is either the AbortCallback or the execution
+///  time limit.
+fn check_interpreter_abort_condition(
     global_context: &GlobalContext,
 ) -> Result<(), VmExecutionError> {
     match global_context.execution_time_tracker {
-        ExecutionTimeTracker::NoTracking => Ok(()),
+        ExecutionTimeTracker::NoTracking => {}
         ExecutionTimeTracker::MaxTime {
             start_time,
             max_duration,
         } => {
             if start_time.elapsed() >= max_duration {
-                Err(CostErrors::ExecutionTimeExpired.into())
-            } else {
-                Ok(())
+                return Err(CostErrors::ExecutionTimeExpired.into());
             }
         }
     }
+    if let Err(reason) = global_context.abort_callback.check() {
+        return Err(VmExecutionError::RuntimeCheck(
+            RuntimeCheckErrorKind::AbortedByExecutionHook(reason),
+        ));
+    }
+
+    Ok(())
 }
 
 pub fn eval<'a>(
@@ -511,7 +520,7 @@ pub fn eval<'a>(
         Atom, AtomValue, Field, List, LiteralValue, TraitReference,
     };
 
-    check_max_execution_time_expired(exec_state.global_context)?;
+    check_interpreter_abort_condition(exec_state.global_context)?;
 
     if let Some(mut eval_hooks) = exec_state.global_context.eval_hooks.take() {
         for hook in eval_hooks.iter_mut() {

clarity/src/vm/tests/simple_apply_eval.rs

@@ -1869,3 +1869,33 @@ fn test_execution_time_expiration() {
         ClarityEvalError::Vm(CostErrors::ExecutionTimeExpired.into())
     );
 }
+
+#[test]
+fn test_abort_callback_stops_execution() {
+    use crate::vm::contexts::AbortCallback;
+    use crate::vm::execute_with_parameters_and_call_in_global_context;
+    let abort_msg = "abort callback fired";
+
+    // An abort callback that always fires
+    let result = execute_with_parameters_and_call_in_global_context(
+        "(+ 1 1)",
+        ClarityVersion::Clarity1,
+        StacksEpochId::Epoch20,
+        false,
+        clarity_types::types::StandardPrincipalData::transient(),
+        |g| {
+            g.abort_callback = AbortCallback::AlwaysAbort(abort_msg.into());
+            Ok(())
+        },
+        |_| Ok(()),
+    );
+    match result {
+        Err(ClarityEvalError::Vm(e)) => {
+            let expected = VmExecutionError::RuntimeCheck(
+                RuntimeCheckErrorKind::AbortedByExecutionHook(abort_msg.into()),
+            );
+            assert_eq!(e, expected);
+        }
+        other => panic!("Expected aborted-by-execution-hook error, got: {other:?}"),
+    }
+}

contrib/stacks-inspect/src/main.rs

@@ -21,6 +21,7 @@ use clarity::consts::CHAIN_ID_MAINNET;
 use clarity::types::StacksEpochId;
 use clarity::types::chainstate::StacksPrivateKey;
 use clarity_cli::{DEFAULT_CLI_EPOCH, read_file_or_stdin, read_file_or_stdin_bytes, vm_execute};
+use stacks_common::alloc_tracker::TrackingAllocator;
 use stacks_inspect::cli::{Cli, Command};
 use stacks_inspect::{
     CommonOpts, command_contract_hash, command_replay_mock_mining, command_try_mine,
@@ -41,7 +42,13 @@ use tikv_jemallocator::Jemalloc;
 
 #[cfg(not(any(target_os = "macos", target_os = "windows", target_arch = "arm")))]
 #[global_allocator]
-static GLOBAL: Jemalloc = Jemalloc;
+static GLOBAL: TrackingAllocator<Jemalloc> = TrackingAllocator { inner: Jemalloc };
+
+#[cfg(any(target_os = "macos", target_os = "windows", target_arch = "arm"))]
+#[global_allocator]
+static GLOBAL: TrackingAllocator<std::alloc::System> = TrackingAllocator {
+    inner: std::alloc::System,
+};
 
 use std::collections::{BTreeMap, HashMap, HashSet};
 use std::fs::File;

stacks-common/src/alloc_tracker.rs

@@ -0,0 +1,140 @@
+// Copyright (C) 2026 Stacks Open Internet Foundation
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+use core::cell::Cell;
+use std::alloc::{GlobalAlloc, Layout};
+use std::sync::OnceLock;
+
+thread_local! {
+    static THREAD_ALLOCATIONS: Cell<AllocationCounter> = const { Cell::new(AllocationCounter::ZERO) };
+}
+
+/// A static bool for checking if the tracking allocator is installed
+///  as the global allocator
+static TRACKING_ALLOCATOR_INSTALLED: OnceLock<bool> = OnceLock::new();
+
+/// Counter for net allocated bytes
+#[derive(Clone, Copy)]
+pub struct AllocationCounter {
+    net_allocated: u64,
+}
+
+impl AllocationCounter {
+    pub const ZERO: Self = Self { net_allocated: 0 };
+
+    /// Net allocation (allocated - deallocated) over a `baseline`
+    pub fn net_allocated(&self, baseline: &AllocationCounter) -> u64 {
+        self.net_allocated.saturating_sub(baseline.net_allocated)
+    }
+
+    /// Return `self` with net allocated incremented by `increment`
+    fn increment(mut self, increment: u64) -> Self {
+        self.net_allocated = self.net_allocated.saturating_add(increment);
+        self
+    }
+
+    /// Return `self` with net allocated decremented by `decrement`
+    fn decrement(mut self, decrement: u64) -> Self {
+        self.net_allocated = self.net_allocated.saturating_sub(decrement);
+        self
+    }
+}
+
+/// Check if the tracking allocator is installed
+///
+/// If the check has already been performed in this process,
+///  it returns the prior value. Otherwise, it forces an allocation
+///  and checks if the tracker picked it up.
+pub fn tracking_allocator_installed() -> bool {
+    *TRACKING_ALLOCATOR_INSTALLED.get_or_init(|| {
+        let before = thread_allocated();
+        let probe: Vec<u8> = Vec::with_capacity(1024);
+        // Prevent the optimizer from eliding the allocation.                                                             
+        std::hint::black_box(&probe);
+        let installed = thread_allocated().net_allocated(&before) > 0;
+        if !installed {
+            error!(
+                "TrackingAllocator is not installed as the global allocator; any configured memory limits will never trigger"
+            );
+        }
+        drop(probe);
+        installed
+    })
+}
+
+/// Read the allocation counter for the current thread.
+///
+/// Returns AllocationCounter::ZERO if the tracking allocator is not installed or if TLS is
+/// being torn down (thread shutdown).
+pub fn thread_allocated() -> AllocationCounter {
+    THREAD_ALLOCATIONS
+        .try_with(Cell::get)
+        .unwrap_or(AllocationCounter::ZERO)
+}
+
+/// A `GlobalAlloc` wrapper that counts per-thread allocations and
+/// deallocations. Delegates all actual allocation work to the inner
+/// allocator `A`.
+pub struct TrackingAllocator<A: GlobalAlloc> {
+    /// The underlying allocator that performs the real work.
+    pub inner: A,
+}
+
+unsafe impl<A: GlobalAlloc> GlobalAlloc for TrackingAllocator<A> {
+    unsafe fn alloc(&self, layout: Layout) -> *mut u8 {
+        let ptr = unsafe { self.inner.alloc(layout) };
+        if !ptr.is_null() {
+            let _ = THREAD_ALLOCATIONS.try_with(|c| {
+                let next = c.get().increment(layout.size() as u64);
+                c.set(next);
+            });
+        }
+        ptr
+    }
+
+    unsafe fn dealloc(&self, ptr: *mut u8, layout: Layout) {
+        unsafe { self.inner.dealloc(ptr, layout) };
+        let _ = THREAD_ALLOCATIONS.try_with(|c| {
+            let next = c.get().decrement(layout.size() as u64);
+            c.set(next);
+        });
+    }
+
+    unsafe fn alloc_zeroed(&self, layout: Layout) -> *mut u8 {
+        let ptr = unsafe { self.inner.alloc_zeroed(layout) };
+        if !ptr.is_null() {
+            let _ = THREAD_ALLOCATIONS.try_with(|c| {
+                let next = c.get().increment(layout.size() as u64);
+                c.set(next);
+            });
+        }
+        ptr
+    }
+
+    unsafe fn realloc(&self, ptr: *mut u8, layout: Layout, new_size: usize) -> *mut u8 {
+        let new_ptr = unsafe { self.inner.realloc(ptr, layout, new_size) };
+        // Note: if `new_ptr` is null, no deallocation or allocation
+        // happened, `ptr` remains valid.
+        if !new_ptr.is_null() {
+            let _ = THREAD_ALLOCATIONS.try_with(|c| {
+                let next = c
+                    .get()
+                    .decrement(layout.size() as u64)
+                    .increment(new_size as u64);
+                c.set(next);
+            });
+        }
+        new_ptr
+    }
+}

stacks-common/src/libcommon.rs

@@ -45,6 +45,8 @@ pub mod deps_common {
     pub mod ctrlc;
 }
 
+pub mod alloc_tracker;
+
 pub mod bitvec;
 
 pub mod consts {