Isolate proposal

Goal
Isolates are intended to seperate java programs from each other, in order to protect java programs from (intentional) errors in other programs.

Proposal (in concept)
I propose to make an Isolates implementation that is somewhere between full isolatation and full sharing. With the goal in mind, programs should be protected from each other, which means that they should not interfere each other in terms of resources, which are typically:

  • Memory
  • Threads
  • Locks

This means that everything that can be used to interfere other programs on these items must somehow be protected. Everything else must be as shared as possible, in order to minimize resource usage.

Think can be achieved by isolating certain resources, and making serveral services aware of the fact that there are isolates. E.g. a network stack should be aware that network bandwidth is shared nicely across all users, in order to prevent a single program from eating away all network bandwitdh.

What is Isolated v.s. Shared
Isolated:

  • Static variables
  • Java class structures (Class, Field, Method)
  • Class initialization
  • Java threads (java.lang.Thread)
  • Java object heaps

Shared:

  • Static variable indexes (in statics table)
  • Internal class structures (VmType, VmField, VmMethod)
  • Compiled (native) code
  • Internal thread structures (VmThread)
  • OS services (drivers, filesystems, networking)
  • System resources (memory, IRQ)
  • Raw memory blocks (MemoryBlockManager)

Explaination:
Static variables in JNode are implemented in statics tables. The index (of a static variable) in this table must be constant across all isolates, otherwise the compiled code needs to retrieve the index on every static variable get/set which is very expensive. Havig said this, this does imply that statics table will become pretty large. This can be solved by implementing a cleanup strategy that frees indexes when they are no longer used.

For the rest, the seperation is made in terms of publicly accessible versus internal. E.g. a java program can synchronize on a Class instance, but since these are isolated, this will not block all other programs.

Isolated java heaps will have significant implications on the code of the shared services, so this will something to do in step 2.

isolation

i think there are 3 things that could be isolated:

- threads
- heaps
- code (classes)

in other words, an isolated 'domain' could have its own versions of classes loaded, its own threads (which never make calls directly into other domains' code), and its own object heap (whose objects are never shared with other domains).

inter-domain communication could happen through interfaces that are explicitly exposed, and registered with the OS. the classes for these interfaces would have to be available to all domains. from the api perspective, a cross-domain call would look like a normal method invocation, but the thread would not cross the domain boundary. rather, the thread will be blocked, and the call invoked in the callee domain on its own thread. this is similar to the STA (Single Threaded Apartment)/MTA (Multi Threaded Apartment) model of Microsoft's COM/COM+.

what does everyone think?

Re: Isolate proposal

Are isolates going to appear in Java 1.6? I thought there was a proposal for this, #161 or something.

A reference paper on some of the related research for isolating java applications:
http://www.cs.utah.edu/flux/papers/kaffeos-osdi00-base.html

The paper carefully explains how processes, shared heaps, and memory in general, are managed.