Fix unbounded arena growth in CEL Evaluator (#831)

The Evaluator holds a single `google::protobuf::Arena` that was shared
across every `CompileAndEvaluate` call. Due to Arena being a monotonic
bump allocator that never frees individual allocations, this caused us
to leak compilation temporaries and materialized variable values (e.g.
args, envs etc. ) on each evaluation.

* `CompileAndEvaluate()` now creates a stack-local Arena that is
destroyed at end of scope, freeing all temporaries.
* Updated helpers to take an arena as an argument and pass in the
stack-local arena.

Added tests to ensure this actually fixes the problem and does not
regress.

Before these changes my tests showed 600MB+ of leak after 5000
iterations after these changes it's constant.

Author: pmarkowsky

Source/common/BUILD

@@ -1111,6 +1111,7 @@ test_suite(
         ":ScopedFileTest",
         ":ScopedIOObjectRefTest",
         ":TelemetryEventMapTest",
+        "//Source/common/cel:ArenaGrowthTest",
         "//Source/common/cel:CELTest",
         "//Source/common/faa:unit_tests",
         "//Source/common/ne:unit_tests",

Source/common/cel/ArenaGrowthTest.mm

@@ -0,0 +1,161 @@
+/// Copyright 2026 North Pole Security, Inc.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///     https://www.apache.org/licenses/LICENSE-2.0
+///
+/// Unless required by applicable law or agreed to in writing, software
+/// distributed under the License is distributed on an "AS IS" BASIS,
+/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+/// See the License for the specific language governing permissions and
+/// limitations under the License.
+
+#include "Source/common/cel/Activation.h"
+#include "Source/common/cel/CELProtoTraits.h"
+#include "Source/common/cel/Evaluator.h"
+
+#import <Foundation/Foundation.h>
+#import <XCTest/XCTest.h>
+
+#include <mach/mach.h>
+#include <cstddef>
+#include <string>
+#include <vector>
+
+#include "absl/status/statusor.h"
+
+static size_t GetResidentMemoryBytes() {
+  mach_task_basic_info_data_t info;
+  mach_msg_type_number_t count = MACH_TASK_BASIC_INFO_COUNT;
+  if (task_info(mach_task_self(), MACH_TASK_BASIC_INFO, (task_info_t)&info, &count) !=
+      KERN_SUCCESS) {
+    return 0;
+  }
+  return info.resident_size;
+}
+
+@interface ArenaGrowthTest : XCTestCase
+@end
+
+@implementation ArenaGrowthTest
+
+/// Regression test for unbounded arena growth in CompileAndEvaluate.
+///
+/// Previously, the Evaluator used a single protobuf Arena for every
+/// compile+evaluate cycle. Since Arena is a monotonic bump allocator that never
+/// frees individual allocations, every evaluation leaked materialized variable
+/// values (args strings, env maps, etc.) and compilation temporaries.
+///
+/// The fix uses a stack-local Arena in CompileAndEvaluate so temporaries are
+/// freed at end of scope. This test verifies memory stays bounded.
+- (void)testCompileAndEvaluateArenaGrowth {
+  using ExecutableFileT = santa::cel::CELProtoTraits<true>::ExecutableFileT;
+  using AncestorT = santa::cel::CELProtoTraits<true>::AncestorT;
+
+  auto sut = santa::cel::Evaluator<true>::Create();
+  if (!sut.ok()) {
+    XCTFail(@"Failed to create evaluator: %.*s", (int)sut.status().message().size(),
+            sut.status().message().data());
+    return;
+  }
+
+  // Build a large args list to amplify per-evaluation arena allocation.
+  // This simulates a process like `node` or `yarn` with many arguments.
+  std::vector<std::string> largeArgs;
+  largeArgs.reserve(200);
+  for (int i = 0; i < 200; i++) {
+    largeArgs.push_back(std::string(256, 'a' + (i % 26)));
+  }
+  const auto *argsPtr = &largeArgs;
+
+  // Expression that forces materialization of the full args list onto the arena.
+  absl::string_view expr = "args.exists(x, x == 'nonexistent_value')";
+
+  // Warm up: run a few iterations to stabilize RSS and JIT/lazy allocations.
+  for (int i = 0; i < 10; i++) {
+    @autoreleasepool {
+      auto f = std::make_unique<ExecutableFileT>();
+      f->mutable_signing_time()->set_seconds(1748436989);
+      santa::cel::Activation<true> activation(
+          std::move(f),
+          ^std::vector<std::string>() {
+            return *argsPtr;
+          },
+          ^std::map<std::string, std::string>() {
+            return {};
+          },
+          ^uid_t() {
+            return 501;
+          },
+          ^std::string() {
+            return "/usr/local/bin";
+          },
+          ^std::vector<AncestorT>() {
+            return {};
+          });
+      auto result = sut.value()->CompileAndEvaluate(expr, activation);
+      if (!result.ok()) {
+        XCTFail(@"Warmup failed: %.*s", (int)result.status().message().size(),
+                result.status().message().data());
+        return;
+      }
+    }
+  }
+
+  size_t rssBaseline = GetResidentMemoryBytes();
+  XCTAssertGreaterThan(rssBaseline, (size_t)0, @"Failed to read RSS");
+
+  // Run many iterations of CompileAndEvaluate. Each iteration materializes
+  // ~200 * 256 = ~50KB of arg strings onto the arena, plus compilation
+  // temporaries. Before the fix this grew by ~600MB+ over 5000 iterations.
+  const int iterations = 5000;
+  for (int i = 0; i < iterations; i++) {
+    @autoreleasepool {
+      auto f = std::make_unique<ExecutableFileT>();
+      f->mutable_signing_time()->set_seconds(1748436989);
+      santa::cel::Activation<true> activation(
+          std::move(f),
+          ^std::vector<std::string>() {
+            return *argsPtr;
+          },
+          ^std::map<std::string, std::string>() {
+            return {{"PATH", "/usr/bin"}, {"HOME", "/Users/test"}};
+          },
+          ^uid_t() {
+            return 501;
+          },
+          ^std::string() {
+            return "/usr/local/bin";
+          },
+          ^std::vector<AncestorT>() {
+            return {};
+          });
+      auto result = sut.value()->CompileAndEvaluate(expr, activation);
+      if (!result.ok()) {
+        XCTFail(@"Iteration %d failed: %.*s", i, (int)result.status().message().size(),
+                result.status().message().data());
+        return;
+      }
+    }
+  }
+
+  size_t rssAfter = GetResidentMemoryBytes();
+  size_t growth = rssAfter > rssBaseline ? rssAfter - rssBaseline : 0;
+
+  double growthMB = (double)growth / (1024.0 * 1024.0);
+  NSLog(@"Arena growth test: baseline=%.1fMB, after=%.1fMB, growth=%.1fMB over %d iterations",
+        (double)rssBaseline / (1024.0 * 1024.0), (double)rssAfter / (1024.0 * 1024.0), growthMB,
+        iterations);
+
+  // Threshold: 50MB is generous enough to avoid flakiness from normal heap
+  // activity, but will clearly catch unbounded arena growth (~600MB before fix).
+  double thresholdMB = 50.0;
+  XCTAssertLessThan(growthMB, thresholdMB,
+                    @"CompileAndEvaluate leaked %.1fMB over %d iterations "
+                    @"(threshold: %.0fMB). This indicates unbounded arena growth.",
+                    growthMB, iterations, thresholdMB);
+}
+
+@end

Source/common/cel/BUILD

@@ -84,3 +84,13 @@ santa_unit_test(
         "@northpolesec_protos//celv2:v2_cc_proto",
     ],
 )
+
+santa_unit_test(
+    name = "ArenaGrowthTest",
+    srcs = ["ArenaGrowthTest.mm"],
+    deps = [
+        ":CEL",
+        "@abseil-cpp//absl/status:statusor",
+        "@northpolesec_protos//celv2:v2_cc_proto",
+    ],
+)

Source/common/cel/Evaluator.h

@@ -65,7 +65,7 @@ class Evaluator {
 
   Evaluator(std::unique_ptr<::cel::Compiler> compiler,
             std::unique_ptr<google::protobuf::Arena> arena)
-      : arena_(std::move(arena)), compiler_(std::move(compiler)) {};
+      : compiler_(std::move(compiler)), compiler_arena_(std::move(arena)) {};
   ~Evaluator() = default;
 
   Evaluator(Evaluator &&other) = default;
@@ -76,25 +76,26 @@ class Evaluator {
   Evaluator &operator=(const Evaluator &other) = delete;
 
   // Compile a CEL expression from a string into an expression plan
-  // ready for evaluation. These expression plans could be cached but it's
-  // important that the compiled expression is not used after the Evaluator
-  // is destroyed.
+  // ready for evaluation. The caller-provided arena is used for constant
+  // folding and must outlive the returned expression plan.
   absl::StatusOr<std::unique_ptr<::google::api::expr::runtime::CelExpression>>
-  Compile(absl::string_view cel_expr);
+  Compile(absl::string_view cel_expr, google::protobuf::Arena *arena);
 
-  // Evaluate an expression plan with a SantaActivation object.
+  // Evaluate an expression plan with a SantaActivation object. The
+  // caller-provided arena is used for evaluation temporaries.
   absl::StatusOr<EvaluationResultT> Evaluate(
       ::google::api::expr::runtime::CelExpression const *expression_plan,
-      const ActivationT &activation);
+      const ActivationT &activation, google::protobuf::Arena *arena);
 
-  // Convenience method that combines Compile() and Evaluate() into a single
-  // call.
+  // Compile and evaluate a CEL expression in a single call. Uses a
+  // stack-local arena internally so no allocations persist after return.
   absl::StatusOr<EvaluationResultT> CompileAndEvaluate(
       absl::string_view cel_expr, const ActivationT &activation);
 
  private:
-  std::unique_ptr<google::protobuf::Arena> arena_;
   std::unique_ptr<::cel::Compiler> compiler_;
+  std::unique_ptr<google::protobuf::Arena>
+      compiler_arena_;  // Kept alive for compiler type refs
 };
 
 }  // namespace cel

Source/common/cel/Evaluator.mm

@@ -93,7 +93,7 @@
 
 template <bool IsV2>
 absl::StatusOr<std::unique_ptr<Evaluator<IsV2>>> Evaluator<IsV2>::Create() {
-  std::unique_ptr<google::protobuf::Arena> arena = std::make_unique<google::protobuf::Arena>();
+  auto arena = std::make_unique<google::protobuf::Arena>();
 
   auto compiler = CreateCompiler<IsV2>(arena.get());
   if (!compiler.ok()) {
@@ -104,7 +104,7 @@
 
 template <bool IsV2>
 absl::StatusOr<std::unique_ptr<::cel_runtime::CelExpression>> Evaluator<IsV2>::Compile(
-    absl::string_view expr) {
+    absl::string_view expr, google::protobuf::Arena *arena) {
   if (!compiler_) {
     return absl::InvalidArgumentError("Evaluator not properly initialized");
   }
@@ -127,7 +127,7 @@
   // Setup a default environment for building expressions.
   cel_runtime::InterpreterOptions options;
   options.constant_folding = true;
-  options.constant_arena = arena_.get();
+  options.constant_arena = arena;
   options.enable_regex_precompilation = true;
 
   std::unique_ptr<cel_runtime::CelExpressionBuilder> builder =
@@ -158,14 +158,13 @@
       builder->CreateExpression(&cel_expr);
 
   return expression_plan;
-};
+}
 
 template <bool IsV2>
 absl::StatusOr<typename Evaluator<IsV2>::EvaluationResultT> Evaluator<IsV2>::Evaluate(
-    const ::cel_runtime::CelExpression *expression_plan, const ActivationT &activation) {
-  // Evaluate the parsed expression.
-  absl::StatusOr<cel_runtime::CelValue> result =
-      expression_plan->Evaluate(activation, arena_.get());
+    const ::cel_runtime::CelExpression *expression_plan, const ActivationT &activation,
+    google::protobuf::Arena *arena) {
+  absl::StatusOr<cel_runtime::CelValue> result = expression_plan->Evaluate(activation, arena);
 
   if (!result.ok()) {
     return result.status();
@@ -219,11 +218,12 @@
 template <bool IsV2>
 absl::StatusOr<typename Evaluator<IsV2>::EvaluationResultT> Evaluator<IsV2>::CompileAndEvaluate(
     absl::string_view cel_expr, const ActivationT &activation) {
-  absl::StatusOr<std::unique_ptr<::cel_runtime::CelExpression>> expr = Compile(cel_expr);
+  google::protobuf::Arena arena;
+  auto expr = Compile(cel_expr, &arena);
   if (!expr.ok()) {
     return expr.status();
   }
-  return Evaluate(expr->get(), activation);
+  return Evaluate(expr->get(), activation, &arena);
 }
 
 // Explicit template instantiations

Source/common/cel/Test.mm

@@ -90,12 +90,14 @@ - (void)testBasic {
   }
   {
     // Re-use of a compiled expression.
-    auto expr = sut.value()->Compile("target.signing_time >= timestamp('2025-05-28T12:00:00Z')");
+    google::protobuf::Arena arena;
+    auto expr =
+        sut.value()->Compile("target.signing_time >= timestamp('2025-05-28T12:00:00Z')", &arena);
     if (!expr.ok()) {
       XCTFail("Failed to compile: %s", expr.status().message().data());
     }
 
-    auto result = sut.value()->Evaluate(expr.value().get(), activation);
+    auto result = sut.value()->Evaluate(expr.value().get(), activation, &arena);
     if (!result.ok()) {
       XCTFail("Failed to evaluate: %s", result.status().message().data());
     } else {
@@ -123,7 +125,7 @@ - (void)testBasic {
           return {};
         });
 
-    auto result2 = sut.value()->Evaluate(expr.value().get(), activation2);
+    auto result2 = sut.value()->Evaluate(expr.value().get(), activation2, &arena);
     if (!result2.ok()) {
       XCTFail("Failed to evaluate: %s", result2.status().message().data());
     } else {

Source/santad/DataLayer/SNTRuleTable.mm

@@ -576,12 +576,12 @@ - (BOOL)addExecutionRules:(NSArray<SNTRule *> *)executionRules
     }
 
     if (rule.state == SNTRuleStateCEL || rule.state == SNTRuleStateCELv2) {
+      google::protobuf::Arena arena;
       absl::StatusOr<std::unique_ptr<::google::api::expr::runtime::CelExpression>> celExpr;
-
       if (rule.state == SNTRuleStateCEL && _celEvaluator != nullptr) {
-        celExpr = _celEvaluator->Compile(santa::NSStringToUTF8StringView(rule.celExpr));
+        celExpr = _celEvaluator->Compile(santa::NSStringToUTF8StringView(rule.celExpr), &arena);
       } else if (rule.state == SNTRuleStateCELv2 && _celV2Evaluator != nullptr) {
-        celExpr = _celV2Evaluator->Compile(santa::NSStringToUTF8StringView(rule.celExpr));
+        celExpr = _celV2Evaluator->Compile(santa::NSStringToUTF8StringView(rule.celExpr), &arena);
       }
       if (!celExpr.ok()) {
         [errors addObject:
@@ -854,7 +854,8 @@ - (void)updateStaticRules:(NSArray<NSDictionary *> *)staticRules {
     if (!r) continue;
 
     if (r.state == SNTRuleStateCEL && _celEvaluator) {
-      auto celExpr = _celEvaluator->Compile(santa::NSStringToUTF8StringView(r.celExpr));
+      google::protobuf::Arena arena;
+      auto celExpr = _celEvaluator->Compile(santa::NSStringToUTF8StringView(r.celExpr), &arena);
       if (!celExpr.ok()) {
         LOGE(@"Failed to compile CEL expression for static rule %@: %s", r.identifier,
              std::string(celExpr.status().message()).c_str());