[concurrency-interest] Does "Thread.stop" do what is says it does?
dawidk at mathcs.emory.edu
Fri Aug 5 14:55:55 EDT 2005
Miles Sabin wrote:
>Dawid Kurzyniec wrote,
>>Sometimes, though, "friend" services are allowed to break the
>>isolation barriers and share data, so the "Isolates" API is not
>>applicable. Instead, we implement sandboxing via separate class
>>loaders, strict confinement, and security policies.
>I'm not going to comment on the ethics of using Thread.stop, but I can't
>let this pass ...
>Isolates really, really, really are exactly what you want. Yes, you'll
>most likely have to use message passing to achieve effects equivalent
>to shared state. But this will always be possible, and assuming a
>reasonably well behaved and efficient implementation of the Link API a
>message passing alternative shouldn't be problematic from a performance
>point of view.
>Sandboxing via classloader partitioning and security policies are the
>best we currently have, but they can't prevent interference due to
>buggy or malicious code, and they can't provide resource managment or
>revocation in any particularly general or reliable way ... Thread.stop
>is just the tip of the iceberg.
When isolates appear, we will definitely give them a second look - at
least, they may allow us to implement a configurable hierarchies of
isolation levels (process, isolate, class loader, shared). But our
system (http://www.mathcs.emory.edu/dcl/h2o/) is not an applet
container, or a servlet engine - it is a distributed computing and
resource sharing platform. Services (which we call pluglets) are pieces
of distributed applications, and they are in fact expected to
communicate. If they happen to be loaded into the same address space, it
is important that they can share data directly. In other words, in our
typical applications, communication performance requirements usually
outweight isolation requirements. The container owner provides a
security policy that prevents untrusted pluglets from loading; we can
thus expect certain level of cooperation from loaded pluglets, we just
need to shield the system from buggy ones. Given all that, I find the
abstraction of isolates too, well, isolating, to be used as a default in
our system. Nonetheless, as I said, it may be very interesting to allow
hierarchical levels of isolation in the future.
More information about the Concurrency-interest