[concurrency-interest] Does "Thread.stop" do what is says it does?

Dawid Kurzyniec dawidk at mathcs.emory.edu
Fri Aug 5 14:55:55 EDT 2005


Miles Sabin wrote:

>Dawid Kurzyniec wrote,
>  
>
>>Sometimes, though, "friend" services are allowed to break the
>>isolation barriers and share data, so the "Isolates" API is not
>>applicable. Instead, we implement sandboxing via separate class
>>loaders, strict confinement, and security policies.
>>    
>>
>
>I'm not going to comment on the ethics of using Thread.stop, but I can't 
>let this pass ...
>
>Isolates really, really, really are exactly what you want. Yes, you'll 
>most likely have to use message passing to achieve effects equivalent 
>to shared state. But this will always be possible, and assuming a 
>reasonably well behaved and efficient implementation of the Link API a 
>message passing alternative shouldn't be problematic from a performance 
>point of view.
>
>Sandboxing via classloader partitioning and security policies are the 
>best we currently have, but they can't prevent interference due to 
>buggy or malicious code, and they can't provide resource managment or 
>revocation in any particularly general or reliable way ... Thread.stop 
>is just the tip of the iceberg.
>
>  
>
When isolates appear, we will definitely give them a second look - at 
least, they may allow us to implement a configurable hierarchies of 
isolation levels (process, isolate, class loader, shared). But our 
system (http://www.mathcs.emory.edu/dcl/h2o/) is not an applet 
container, or a servlet engine - it is a distributed computing and 
resource sharing platform. Services (which we call pluglets) are pieces 
of distributed applications, and they are in fact expected to 
communicate. If they happen to be loaded into the same address space, it 
is important that they can share data directly. In other words, in our 
typical applications, communication performance requirements usually 
outweight isolation requirements. The container owner provides a 
security policy that prevents untrusted pluglets from loading; we can 
thus expect certain level of cooperation from loaded pluglets, we just 
need to shield the system from buggy ones. Given all that, I find the 
abstraction of isolates too, well, isolating, to be used as a default in 
our system. Nonetheless, as I said, it may be very interesting to allow 
hierarchical levels of isolation in the future.

Regards,
Dawid



More information about the Concurrency-interest mailing list