feat: US-107 - Add concurrent host timer cap

NathanFlurry · NathanFlurry · commit e14d21c8221b · 2026-03-18T06:36:14.000-07:00
diff --git a/packages/secure-exec-node/src/execution-driver.ts b/packages/secure-exec-node/src/execution-driver.ts
@@ -5,7 +5,7 @@ import { createCommandExecutorStub, createFsStub, createNetworkStub, filterEnv,
 import { executeWithRuntime } from "./execution.js";
 import type { NetworkAdapter, RuntimeDriver } from "@secure-exec/core";
 import type { StdioHook, ExecOptions, ExecResult, RunResult, TimingMitigation } from "@secure-exec/core/internal/shared/api-types";
-import { type DriverDeps, type NodeExecutionDriverOptions, createBudgetState, clearActiveHostTimers, killActiveChildProcesses, normalizePayloadLimit, getExecutionTimeoutMs, getTimingMitigation, DEFAULT_BRIDGE_BASE64_TRANSFER_BYTES, DEFAULT_ISOLATE_JSON_PAYLOAD_BYTES, DEFAULT_SANDBOX_CWD, DEFAULT_SANDBOX_HOME, DEFAULT_SANDBOX_TMPDIR } from "./isolate-bootstrap.js";
+import { type DriverDeps, type NodeExecutionDriverOptions, createBudgetState, clearActiveHostTimers, killActiveChildProcesses, normalizePayloadLimit, getExecutionTimeoutMs, getTimingMitigation, DEFAULT_BRIDGE_BASE64_TRANSFER_BYTES, DEFAULT_ISOLATE_JSON_PAYLOAD_BYTES, DEFAULT_MAX_TIMERS, DEFAULT_SANDBOX_CWD, DEFAULT_SANDBOX_HOME, DEFAULT_SANDBOX_TMPDIR } from "./isolate-bootstrap.js";
 import { shouldRunAsESM } from "./module-resolver.js";
 import { precompileDynamicImports, runESM, setupDynamicImport } from "./esm-compiler.js";
 import { setupConsole, setupRequire, setupESMGlobals } from "./bridge-setup.js";
@@ -76,7 +76,7 @@ export class NodeExecutionDriver implements RuntimeDriver {
 			isolateJsonPayloadLimitBytes,
 			maxOutputBytes: budgets?.maxOutputBytes,
 			maxBridgeCalls: budgets?.maxBridgeCalls,
-			maxTimers: budgets?.maxTimers,
+			maxTimers: budgets?.maxTimers ?? DEFAULT_MAX_TIMERS,
 			maxChildProcesses: budgets?.maxChildProcesses,
 			budgetState: createBudgetState(),
 			activeHttpServerIds: new Set(),
diff --git a/packages/secure-exec-node/src/isolate-bootstrap.ts b/packages/secure-exec-node/src/isolate-bootstrap.ts
@@ -65,6 +65,7 @@ export const MIN_CONFIGURED_PAYLOAD_BYTES = 1024;
 export const MAX_CONFIGURED_PAYLOAD_BYTES = 64 * 1024 * 1024;
 export const PAYLOAD_LIMIT_ERROR_CODE = "ERR_SANDBOX_PAYLOAD_TOO_LARGE";
 export const RESOURCE_BUDGET_ERROR_CODE = "ERR_RESOURCE_BUDGET_EXCEEDED";
+export const DEFAULT_MAX_TIMERS = 10_000;
 export const DEFAULT_SANDBOX_CWD = "/root";
 export const DEFAULT_SANDBOX_HOME = "/root";
 export const DEFAULT_SANDBOX_TMPDIR = "/tmp";
diff --git a/packages/secure-exec/tests/runtime-driver/node/resource-budgets.test.ts b/packages/secure-exec/tests/runtime-driver/node/resource-budgets.test.ts
@@ -294,6 +294,66 @@ describe("NodeRuntime resource budgets", () => {
 			expect(out).toContain("blocked:true");
 			expect(out).toContain("created:3");
 		});
+
+		it("cleared timers free slots for new ones", async () => {
+			const capture = createConsoleCapture();
+			proc = createTestNodeRuntime({
+				onStdio: capture.onStdio,
+				resourceBudgets: { maxTimers: 6 },
+			});
+
+			const result = await proc.exec(`
+				// Fill all 6 slots
+				const ids = [];
+				for (let i = 0; i < 6; i++) ids.push(setInterval(() => {}, 60000));
+				// Cap reached — next one should throw
+				let blocked = false;
+				try { setInterval(() => {}, 60000); } catch(e) { blocked = true; }
+				// Clear half
+				for (let i = 0; i < 3; i++) clearInterval(ids[i]);
+				// Now 3 slots are free — create 3 more
+				let created = 0;
+				for (let i = 0; i < 3; i++) {
+					try { setInterval(() => {}, 60000); created++; } catch(e) {}
+				}
+				// 7th total new one should be blocked again
+				let blocked2 = false;
+				try { setInterval(() => {}, 60000); } catch(e) { blocked2 = true; }
+				console.log('blocked:' + blocked);
+				console.log('created:' + created);
+				console.log('blocked2:' + blocked2);
+			`);
+
+			expect(result.code).toBe(0);
+			const out = capture.stdout();
+			expect(out).toContain("blocked:true");
+			expect(out).toContain("created:3");
+			expect(out).toContain("blocked2:true");
+		});
+
+		it("normal code with fewer than 100 timers works fine", async () => {
+			const capture = createConsoleCapture();
+			proc = createTestNodeRuntime({
+				onStdio: capture.onStdio,
+			});
+
+			const result = await proc.exec(`
+				let count = 0;
+				for (let i = 0; i < 50; i++) {
+					setTimeout(() => {}, 60000);
+					count++;
+				}
+				for (let i = 0; i < 30; i++) {
+					setInterval(() => {}, 60000);
+					count++;
+				}
+				console.log('timers:' + count);
+			`);
+
+			expect(result.code).toBe(0);
+			const out = capture.stdout();
+			expect(out).toContain("timers:80");
+		});
 	});
 
 	// -----------------------------------------------------------------------
