On Wed, Oct 30, 2013 at 3:17 PM, Niko Matsakis <n...@alum.mit.edu> wrote:
> But I guess it is a legitimate question: to what extent should we
> permit safe Rust code to bring a system to its knees? We can't truly
> execute untrusted code, since it could invoke native things or include
> unsafe blocks, but it'd be nice if we could give some guarantees as to
> the limits of what safe code can do. Put differently, it'd be nice
> if tasks could serve as an effective sandbox for *safe code*.
>

This is very important if Servo is to improve browser reliability as well as security. That means resource exhaustion should cause task failure with unwinding.

> It seems to me that the main ways that safe code can cause problems for
> a larger system are (1) allocating too much heap; (2) looping
> infinitely; and (3) over-recursing. But no doubt there are more.
> Maybe it doesn't make sense to address only one problem and not the
> others; on the other hand, we should not let the perfect be the enemy
> of the good, and perhaps we can find ways to address the others as
> well (e.g., hard limits on total memory a task can ever allocate;
> leveraging different O/S threads for pre-emption and killing, etc).
>

Since tasks don't share heaps, bounding their memory usage seems tractable; it becomes an accounting problem. Instead of using explicit counters I suggest following the lead of Gecko's MemShrink project and building infrastructure to compute the memory usage of a task by walking its heap.

Rob
_______________________________________________ Rust-dev mailing list Rust-dev@mozilla.org https://mail.mozilla.org/listinfo/rust-dev