Isolation API vs Process Model
Hi all,
The Isolation API provides a uniform mechanism for managing Java application life cycles that are isolated from each other, at least with respect to object reachability, but that can potentially share underlying implementation resources -- which means it is only concerned with memory safety: it guarantees isolation of Java state (i.e. logically disjoint heap spaces, per-application mutable static fields, etc.), and communication between isolates by links. But memory safety alone is not sufficient for an OS: the system needs to support the separation of applications and limit their use of resources, such as memory, CPU, and network bandwidth (and of course inter-application communication).
Currently, it seems that the method MemoryResourceImpl.claimMemoryResource(..) doesn't enforce a memory usage policy to limit the memory available to a plugin, right? If so, the result would be catastrophic; imagine a malicious driver instantiating 100,000 objects! K0 is a Java system at the University of Utah; it supports a separate heap and garbage collection for each K0 process, thus limiting the memory resources a process can consume. JNode is also a multi-heap system, but it looks more like buddy memory allocation than memory management, right?
So, do we need a process model in JNode besides supporting isolation -- as a process supports protection, resource management and IPC, whereas isolation is only about protection?
Cheers
-Birkey
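As an added illustration of the point made in the post above (this is example code written for this page, not JNode's MemoryResourceImpl and not the poster's code), here is a memory-claim path that enforces a per-isolate byte budget at the claim point. The class names `MemoryResourceGuard` and `IsolateMemoryQuota`, the isolate ids and the budget sizes are all assumptions made for the example; it shows what "enforce a memory usage policy" has to do so that one isolate over-claiming only exhausts its own budget.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicLong;

/*
 * Added example, not JNode code: a memory-claim path that enforces a per-isolate
 * budget. MemoryResourceGuard, IsolateMemoryQuota, the isolate ids and the sizes
 * below are hypothetical names and numbers chosen for the illustration.
 */
public final class MemoryResourceGuard {

    /** Per-isolate accounting: a fixed byte budget and the bytes currently claimed. */
    static final class IsolateMemoryQuota {
        private final long limitBytes;
        private final AtomicLong usedBytes = new AtomicLong();

        IsolateMemoryQuota(long limitBytes) {
            if (limitBytes <= 0) throw new IllegalArgumentException("limit must be positive");
            this.limitBytes = limitBytes;
        }

        /** Reserve bytes atomically; refuse (do not clamp) if the budget would be exceeded. */
        boolean tryClaim(long bytes) {
            if (bytes < 0) throw new IllegalArgumentException("negative claim");
            for (;;) {
                long cur = usedBytes.get();
                long next = cur + bytes;
                if (next < cur || next > limitBytes) {
                    return false;      // arithmetic overflow or over budget: reject
                }
                if (usedBytes.compareAndSet(cur, next)) {
                    return true;       // CAS succeeded: no lost update under concurrent claims
                }
            }
        }

        /** Return bytes to the budget; releasing more than was claimed is a caller bug. */
        void release(long bytes) {
            if (bytes < 0) throw new IllegalArgumentException("negative release");
            long after = usedBytes.addAndGet(-bytes);
            if (after < 0) {
                usedBytes.addAndGet(bytes);   // undo, then report the bug
                throw new IllegalStateException("released more than claimed");
            }
        }

        long used()  { return usedBytes.get(); }
        long limit() { return limitBytes; }
    }

    private final Map<String, IsolateMemoryQuota> quotas = new ConcurrentHashMap<>();

    /** Register an isolate with its budget. The budget is fixed at registration time. */
    void register(String isolateId, long limitBytes) {
        if (quotas.putIfAbsent(isolateId, new IsolateMemoryQuota(limitBytes)) != null) {
            throw new IllegalStateException("isolate already registered: " + isolateId);
        }
    }

    /**
     * Analogue of a claimMemoryResource call with the policy check in place.
     * Unknown isolates are refused (fail closed) instead of getting unlimited memory.
     */
    boolean claim(String isolateId, long bytes) {
        IsolateMemoryQuota q = quotas.get(isolateId);
        return q != null && q.tryClaim(bytes);
    }

    void release(String isolateId, long bytes) {
        IsolateMemoryQuota q = quotas.get(isolateId);
        if (q == null) throw new IllegalStateException("unknown isolate: " + isolateId);
        q.release(bytes);
    }

    long used(String isolateId)  { return quotas.get(isolateId).used(); }
    long limit(String isolateId) { return quotas.get(isolateId).limit(); }

    public static void main(String[] args) {
        MemoryResourceGuard guard = new MemoryResourceGuard();
        guard.register("driver-0", 4L << 20);   // hypothetical 4 MiB budget for a driver
        guard.register("shell", 16L << 20);     // hypothetical 16 MiB budget for another isolate

        // A misbehaving driver tries to allocate 100,000 objects of 1 KiB each (about 98 MiB).
        int granted = 0, refused = 0;
        for (int i = 0; i < 100_000; i++) {
            if (guard.claim("driver-0", 1024)) granted++; else refused++;
        }
        System.out.println("driver-0 granted=" + granted + " refused=" + refused
                + " used=" + guard.used("driver-0") + "/" + guard.limit("driver-0"));

        // The other isolate is unaffected by the driver exhausting its own budget.
        System.out.println("shell claim ok=" + guard.claim("shell", 1L << 20));

        // A caller that was never registered gets nothing rather than everything.
        System.out.println("unregistered claim ok=" + guard.claim("rogue", 1));
    }
}
```

The check sits on the claim path rather than in the garbage collector, so the decision is made before the memory is handed out and a refused claim can be reported to the isolate as an allocation failure. The guard fails closed for isolates it does not know about; an accounting layer that defaulted unknown callers to "unlimited" would reopen exactly the hole the post describes.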
www.jxos.org
There is a very cool research project which implemented protection domains (separate heaps, threads, failure model) in a Java operating system. It is called JX OS, and information and source can be found at http://www.jxos.org.
It provides a very nice isolation model, as well as domain-level thread scheduling and GC. Each domain can have its own heap with its own type of GC, potentially optimized for its allocation patterns. In addition, each domain can have its own thread scheduler, again possibly optimized for its workload.
It may be a good inspiration for how to implement protection domains in JNode.
cheers,
Dan
Process model vs. resource management..
I do not like the term "process model", because it is a well-known term which people usually associate with separate virtual address spaces.
However, I do agree with you that resource management is an issue which should be addressed; I think the Barcelona project is defining an API for that right now.
About IPC, well, that is covered as part of the isolate spec.
Ewout
Isolation
Hi Birkey,
Could you please post a link to the homepage of the K0 project?
Isolates also provide a Link model to be used for efficient IPC.
The barcelona project at research.sun.com ( http://research.sun.com/projects/dashboard.php?id=9 ) works on a Resource Management API for Java.
Regards.
Sebastian
K0 & Resource Management Interface for Java
Hi Ewout,
I dislike 'process model' too; I just use it to refer to the group of functionalities (protection/resource management/communication). Maybe 'protection domain' is more appropriate?
Hi Sebastian,
Sorry, I don't know any link to the K0 project -- I read about it in a paper, "Techniques for the Design of Java Operating Systems", which also discussed J-Kernel and Alta (another Java OS from the University of Utah). If you need it I'd like to send it to you.
The Barcelona project does have a tech report on Java resource management, "A Resource management interface for the Java platform", which can be downloaded freely.
--Birkey
Paper
Thanks for providing the title of the paper. I don't really want to read it (I have a bunch of other things to do). I simply thought it may be a good idea to provide a starting point for people who want to learn more about K0. The title is already a good reference; the paper shows up as the number-one result on Google.
Since JNode already uses Isolates, maybe we can simply use the term 'isolate' and say 'isolates with resource management' or so. (ProtectionDomain is already the name of a class related to Java security.)
Sebastian