Feature: Track and limit heap memory allocations

Implemented a memory allocation tracking feature that allows measure and limit
heap allocations, useful for preventing out-of-bounds memory usage in
sandboxed environments.

- SetMemoryLimit(bytes): Configure maximum heap allocation limit
- GetAllocatedBytes(): Query current tracked memory usage
- ResetMemoryUsage(): Reset allocation counter

Tracked allocation paths:
- Table allocations (array and hash parts, growth/resizing)
- String operations (concat, rep, format, gsub, etc.)
- Function/closure allocations
- VM registry growth

Author: mdogan

.github/workflows/test.yaml

@@ -1,27 +1,19 @@
-on: [push, pull_request]
+on: [push, pull_request, workflow_dispatch]
 name: test
 jobs:
   test:
     strategy:
       fail-fast: false
       matrix:
-        go-version: [1.18.x, 1.19.x]
+        go-version: [1.24.x, 1.25.x]
         platform: [ubuntu-latest, macos-latest, windows-latest]
     runs-on: ${{ matrix.platform }}
     steps:
     - name: Install Go
-      uses: actions/setup-go@v1
+      uses: actions/setup-go@v5
       with:
         go-version: ${{ matrix.go-version }}
     - name: Checkout code
-      uses: actions/checkout@v1
+      uses: actions/checkout@v5
     - name: Run tests
-      run: ./_tools/go-inline *.go && go fmt . &&  go test -v ./... -covermode=count -coverprofile=coverage.out -coverpkg=$(go list ./... | sed 's/\n/,/g')
-    - name: Send coverage
-      if: "matrix.platform == 'ubuntu-latest'"
-      env:
-        COVERALLS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      run: |
-        GO111MODULE=off go get github.com/mattn/goveralls
-        ./_tools/go-inline *.go && go fmt .
-        $(go env GOPATH)/bin/goveralls -coverprofile=coverage.out -service=github
+      run: make test

Makefile

@@ -1,10 +1,16 @@
 .PHONY: build test glua
 
 build:
-	./_tools/go-inline *.go && go fmt . &&  go build
+	./_tools/go-inline *.go
+	go fmt .
+	go vet .
+	go build
 
 glua: *.go pm/*.go cmd/glua/glua.go
 	./_tools/go-inline *.go && go fmt . && go build cmd/glua/glua.go
 
 test:
-	./_tools/go-inline *.go && go fmt . &&  go test
+	./_tools/go-inline *.go
+	go fmt .
+	go vet .
+	go test

_state.go

@@ -11,6 +11,7 @@ import (
 	"sync"
 	"sync/atomic"
 	"time"
+	"unsafe"
 
 	"github.com/yuin/gopher-lua/parse"
 )
@@ -394,6 +395,15 @@ func (rg *registry) resize(requiredSize int) { // +inline-start
 } // +inline-end
 
 func (rg *registry) forceResize(newSize int) {
+	// Track memory growth for registry resize
+	oldSize := len(rg.array)
+	if newSize > oldSize {
+		additionalBytes := int64(newSize-oldSize) * 16 // LValue is 16 bytes
+		if ls, ok := rg.handler.(*LState); ok {
+			ls.TrackAlloc(additionalBytes)
+		}
+	}
+
 	newSlice := make([]LValue, newSize)
 	copy(newSlice, rg.array[:rg.top]) // should we copy the area beyond top? there shouldn't be any valid values there so it shouldn't be necessary.
 	rg.array = newSlice
@@ -589,6 +599,42 @@ func newLState(options Options) *LState {
 	return ls
 }
 
+/* Memory tracking {{{ */
+
+// TrackAlloc adds bytes to the memory allocation counter and checks against the limit.
+// Raises a Lua error if the allocation would exceed the memory limit.
+func (ls *LState) TrackAlloc(bytes int64) {
+	ls.allocatedBytes += bytes
+
+	// Only check limit if one is set
+	if ls.maxBytes > 0 && ls.allocatedBytes > ls.maxBytes {
+		ls.RaiseError("memory limit exceeded: %d bytes allocated, limit is %d bytes",
+			ls.allocatedBytes, ls.maxBytes)
+	}
+}
+
+// ResetMemoryUsage resets the allocated bytes counter to zero.
+func (ls *LState) ResetMemoryUsage() {
+	ls.allocatedBytes = 0
+}
+
+// SetMemoryLimit sets the maximum memory limit in bytes. Set to 0 to disable limiting.
+func (ls *LState) SetMemoryLimit(maxBytes int64) {
+	ls.maxBytes = maxBytes
+}
+
+// GetAllocatedBytes returns the current number of tracked allocated bytes.
+func (ls *LState) GetAllocatedBytes() int64 {
+	return ls.allocatedBytes
+}
+
+// GetMemoryLimit returns the current memory limit in bytes (0 if no limit).
+func (ls *LState) GetMemoryLimit() int64 {
+	return ls.maxBytes
+}
+
+/* }}} */
+
 func (ls *LState) printReg() {
 	println("-------------------------")
 	println("thread:", ls)
@@ -995,7 +1041,7 @@ func (ls *LState) initCallFrame(cf *callFrame) { // +inline-start
 			if CompatVarArg {
 				ls.reg.SetTop(cf.LocalBase + nargs + np + 1)
 				if (proto.IsVarArg & VarArgNeedsArg) != 0 {
-					argtb := newLTable(nvarargs, 0)
+					argtb := ls.newLTable(nvarargs, 0)
 					for i := 0; i < nvarargs; i++ {
 						argtb.RawSetInt(i+1, ls.reg.Get(cf.LocalBase+np+i))
 					}
@@ -1333,7 +1379,6 @@ func (ls *LState) Get(idx int) LValue {
 			return LNil
 		}
 	}
-	return LNil
 }
 
 func (ls *LState) Push(value LValue) {
@@ -1389,11 +1434,11 @@ func (ls *LState) Remove(index int) {
 /* object allocation {{{ */
 
 func (ls *LState) NewTable() *LTable {
-	return newLTable(defaultArrayCap, defaultHashCap)
+	return ls.newLTable(defaultArrayCap, defaultHashCap)
 }
 
 func (ls *LState) CreateTable(acap, hcap int) *LTable {
-	return newLTable(acap, hcap)
+	return ls.newLTable(acap, hcap)
 }
 
 // NewThread returns a new LState that shares with the original state all global objects.
@@ -1412,22 +1457,25 @@ func (ls *LState) NewThread() (*LState, context.CancelFunc) {
 }
 
 func (ls *LState) NewFunctionFromProto(proto *FunctionProto) *LFunction {
-	return newLFunctionL(proto, ls.Env, int(proto.NumUpvalues))
+	return ls.newLFunctionL(proto, ls.Env, int(proto.NumUpvalues))
 }
 
 func (ls *LState) NewUserData() *LUserData {
+	size := int64(unsafe.Sizeof(LUserData{}))
+	ls.TrackAlloc(size)
+
 	return &LUserData{
 		Env:       ls.currentEnv(),
 		Metatable: LNil,
 	}
 }
 
 func (ls *LState) NewFunction(fn LGFunction) *LFunction {
-	return newLFunctionG(fn, ls.currentEnv(), 0)
+	return ls.newLFunctionG(fn, ls.currentEnv(), 0)
 }
 
 func (ls *LState) NewClosure(fn LGFunction, upvalues ...LValue) *LFunction {
-	cl := newLFunctionG(fn, ls.currentEnv(), len(upvalues))
+	cl := ls.newLFunctionG(fn, ls.currentEnv(), len(upvalues))
 	for i, lv := range upvalues {
 		cl.Upvalues[i] = &Upvalue{}
 		cl.Upvalues[i].Close()
@@ -1806,7 +1854,7 @@ func (ls *LState) Load(reader io.Reader, name string) (*LFunction, error) {
 	if err != nil {
 		return nil, newApiErrorE(ApiErrorSyntax, err)
 	}
-	return newLFunctionL(proto, ls.currentEnv(), 0), nil
+	return ls.newLFunctionL(proto, ls.currentEnv(), 0), nil
 }
 
 func (ls *LState) Call(nargs, nret int) {
@@ -1882,7 +1930,7 @@ func (ls *LState) PCall(nargs, nret int, errfunc *LFunction) (err error) {
 }
 
 func (ls *LState) GPCall(fn LGFunction, data LValue) error {
-	ls.Push(newLFunctionG(fn, ls.currentEnv(), 0))
+	ls.Push(ls.newLFunctionG(fn, ls.currentEnv(), 0))
 	ls.Push(data)
 	return ls.PCall(1, MultRet, nil)
 }