[
https://issues.apache.org/jira/browse/CASSANDRA-9954?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15069868#comment-15069868
]
Robert Stupp commented on CASSANDRA-9954:
-----------------------------------------
Updated the branch with the following changes:

* rename "timeout" to "cpu time" to make clear that the values relate to CPU
time and not wall clock
* let Java UDFs run in the calling thread and updated security-manager
accordingly
* byte code inspection now checks class names against general UDF black/white
lists
* refactorings to (hopefully) simplify code

I *think* the changes to Java UDFs are fine WRT class loading and security
manager.

Still unsure about timeouts related to wall-clock and (remaining) request-time. In
order to not issue false-positive warnings and errors caused by "badly timed
GCs" or an overloaded system, the timeouts need to be quite high.

Triggered cassci runs, too.

PS: while fixing the branches for another ticket, I ... up the branch for this
ticket (both local and github) and the only backup was in IntelliJ's history.
Sorry that the branch now appears squashed.

> Improve Java-UDF timeout detection
> ----------------------------------
>
> Key: CASSANDRA-9954
> URL: https://issues.apache.org/jira/browse/CASSANDRA-9954
> Project: Cassandra
> Issue Type: Improvement
> Reporter: Robert Stupp
> Assignee: Robert Stupp
> Fix For: 3.x
>
>
> CASSANDRA-9402 introduced a sandbox using a thread-pool to enforce security
> constraints and to detect "amok UDFs" - i.e. UDFs that essentially never
> return (e.g. {{while (true)}}).
> Currently the safest way to react to such an "amok UDF" is to _fail-fast_ -
> to stop the C* daemon since stopping a thread (in Java) is just no solution.
> CASSANDRA-9890 introduced further protection by inspecting the byte-code. The
> same mechanism can also be used to manipulate the Java-UDF byte-code.
> By manipulating the byte-code I mean to add regular "is-amok-UDF" checks in
> the compiled code.
> EDIT: These "is-amok-UDF" checks would also work for _UNFENCED_ Java-UDFs.
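Added example, not part of the original message and not Cassandra's code: a sketch of the per-thread CPU-time budget discussed above, showing why a UDF that is merely blocked (as during a GC pause or on an overloaded host) stays within a CPU budget while an endless loop is stopped at an "is-amok-UDF" check. The class `UdfCpuBudget`, its methods and the 100 ms threshold are hypothetical.

```java
import java.lang.management.ManagementFactory;
import java.lang.management.ThreadMXBean;

// Hypothetical sketch, not Cassandra's implementation: a per-thread CPU-time
// budget that injected "is-amok-UDF" checks could call at loop back-edges.
public final class UdfCpuBudget {
    private static final ThreadMXBean THREADS = ManagementFactory.getThreadMXBean();
    private static final ThreadLocal<long[]> STATE = new ThreadLocal<>(); // {startCpuNanos, failNanos}

    /** Called in the calling thread just before the UDF body runs. */
    static void begin(long failCpuMillis) {
        if (!THREADS.isCurrentThreadCpuTimeSupported())
            throw new UnsupportedOperationException("thread CPU time not available on this JVM");
        STATE.set(new long[] { THREADS.getCurrentThreadCpuTime(), failCpuMillis * 1_000_000L });
    }

    /** The check a byte-code rewriter would insert into the UDF's loops. */
    static void check() {
        long[] s = STATE.get();
        long used = THREADS.getCurrentThreadCpuTime() - s[0];
        if (used > s[1])
            throw new IllegalStateException("UDF exceeded CPU budget: " + used / 1_000_000L + " ms");
    }

    static void end() { STATE.remove(); }

    public static void main(String[] args) throws Exception {
        // Constructed case 1: 300 ms of wall clock spent blocked uses almost no
        // CPU time on this thread, so a 100 ms CPU budget is not exceeded.
        begin(100);
        Thread.sleep(300);
        check();
        end();
        System.out.println("blocked 300 ms wall clock: within CPU budget");

        // Constructed case 2: an endless loop burns CPU and is stopped at a check.
        begin(100);
        try {
            long x = 0;
            while (true) { x += System.nanoTime() & 1; check(); }
        } catch (IllegalStateException e) {
            System.out.println("amok loop stopped: " + e.getMessage());
        } finally {
            end();
        }
    }
}
```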