Memory leak - SecretBuffer and SecretBytes #51
Description
I've been investigating an apparent memory leak in the native memory space when running a credo mediator agent under moderate load. The memory accumulates during crypto processing and then stops when encrypted payloads stops. See openwallet-foundation/credo-ts#2383.
After doing a deep profile with debug symbols using jeprof I was able to determine a majority of accumulating allocations are coming from askar libaries and crypto buffers. I believe there may be a problem in the ffi. This isn't occurring when askar is used via python.
Here is a couple interesting observations using chatGPT to analyze.
Big allocations are vector growth in crypto buffers
13.6 MB alloc::raw_vec::RawVecInner::try_allocate_in
7.9 MB alloc::vec::Vec::with_capacity
5.6 MB alloc::slice::to_vec_in
3.8 MB askar_crypto::buffer::secret::from (secret.rs:222)
These are standard Rust vector expansions, but they’re happening inside crypto buffer helpers (SecretBuffer, SecretBytes).
That means something is creating Vec<u8>s for sensitive material and keeping them around.
FFI boundary allocations
3.8 MB askar_crypto::buffer::secret::from (secret.rs:222)
1.0 MB askar_storage::protect::profile_key::decrypt_entry_tags (profile_key.rs:231)
4.3 MB aries_askar::ffi::key::askar_key_aead_decrypt::{{closure}}
0.5 MB aries_askar::ffi::handle::ArcHandle::create (handle.rs:19)
This is a smoking gun 👆 — memory growth is happening where values cross the Rust ⇄ Node.js FFI boundary.
In particular, ArcHandle::create suggests secrets/keys are wrapped in an Arc and registered in the FFI handle table.
If Node.js doesn’t call free (or the drop callback never fires), the handles accumulate.
I'm hoping someone with more experience in this project may have some ideas on how to fix it.
I think this problem basically prevents a credo mediator from operating correctly under load and I imagine issuer/verifier and mobile agents using asker will also have a memory leak.