cassandra-commits mailing list archives

From "Robert Stupp (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CASSANDRA-9954) Improve Java-UDF timeout detection
Date Sun, 02 Aug 2015 15:10:04 GMT

    [ https://issues.apache.org/jira/browse/CASSANDRA-9954?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14651041#comment-14651041 ]

Robert Stupp commented on CASSANDRA-9954:
-----------------------------------------

Background information (byte-code level).
All loops, branches, cases, jumps, gotos etc use _labels_ in the byte code.  The trick that
this patch uses is to inject a check-call after each label.
The check itself is quite cheap.

Example "amok UDF code":
{code:java}
        while (true)
        {
            if (System.currentTimeMillis() % 12345 == 99999)
                break;
        }
        return null;
{code}
This would compile to this byte-code (_FRAME_ and _LINENUMBER_ byte-code omitted for readability):
{noformat}
  L0
    INVOKESTATIC java/lang/System.currentTimeMillis ()J
    LDC 12345
    LREM
    LDC 99999
    LCMP
    IFNE L0
   L1
    GOTO L2
   L2
    ACONST_NULL
    ARETURN
   L3
...
{noformat}
The patch injects the following byte-code after each label:
{noformat}
    INVOKESTATIC org/apache/cassandra/cql3/functions/JavaUDF.checkTimeout ()Z
    IFEQ continueLabel
    ACONST_NULL
    ARETURN
{noformat}
resulting in:
{noformat}
  L0
    INVOKESTATIC org/apache/cassandra/cql3/functions/JavaUDF.checkTimeout ()Z
    IFEQ LCONTINUE1
    ACONST_NULL
    ARETURN
  LCONTINUE1
    INVOKESTATIC java/lang/System.currentTimeMillis ()J
    LDC 12345
    LREM
    LDC 99999
    LCMP
    IFNE L0
   L1
    INVOKESTATIC org/apache/cassandra/cql3/functions/JavaUDF.checkTimeout ()Z
    IFEQ LCONTINUE2
    ACONST_NULL
    ARETURN
  LCONTINUE2
    GOTO L2
   L2
    INVOKESTATIC org/apache/cassandra/cql3/functions/JavaUDF.checkTimeout ()Z
    IFEQ LCONTINUE3
    ACONST_NULL
    ARETURN
  LCONTINUE3
    ACONST_NULL
    ARETURN
   L3
...
{noformat}

> Improve Java-UDF timeout detection
> ----------------------------------
>
>                 Key: CASSANDRA-9954
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-9954
>             Project: Cassandra
>          Issue Type: Improvement
>            Reporter: Robert Stupp
>            Assignee: Robert Stupp
>             Fix For: 3.x
>
>
> CASSANDRA-9402 introduced a sandbox using a thread-pool to enforce security constraints and to detect "amok UDFs" - i.e. UDFs that essentially never return (e.g. {{while (true)}}).
> Currently the safest way to react to such an "amok UDF" is to _fail-fast_ - to stop the C* daemon since stopping a thread (in Java) is just no solution.
> CASSANDRA-9890 introduced further protection by inspecting the byte-code. The same mechanism can also be used to manipulate the Java-UDF byte-code.
> By manipulating the byte-code I mean to add regular "is-amok-UDF" checks in the compiled code.
> EDIT: These "is-amok-UDF" checks would also work for _UNFENCED_ Java-UDFs.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
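
A text-level model of the injection described in the comment above, added here as an illustration; it is not code from the patch or from Cassandra. It rewrites a constructed copy of the listing rather than real class files, and the `inject` and `run` helpers, the fake clock and the call-count behaviour of `checkTimeout` are assumptions.

```python
CHECK = "INVOKESTATIC org/apache/cassandra/cql3/functions/JavaUDF.checkTimeout ()Z"
# Constructed input: the "amok UDF" listing from the comment (labels are unindented).
AMOK = """\
L0
  INVOKESTATIC java/lang/System.currentTimeMillis ()J
  LDC 12345
  LREM
  LDC 99999
  LCMP
  IFNE L0
L1
  GOTO L2
L2
  ACONST_NULL
  ARETURN
"""

def inject(listing):
    """Insert the timeout check after every label, with a fresh continue label each time."""
    out, n = [], 0
    for line in listing.splitlines():
        out.append(line)
        if line and not line[0].isspace():  # an unindented line is a label
            n += 1
            out += [f"  {CHECK}", f"  IFEQ LCONTINUE{n}", "  ACONST_NULL", "  ARETURN", f"LCONTINUE{n}"]
    return "\n".join(out) + "\n"

def run(listing, timeout_after, max_steps=10_000):
    """Toy interpreter; checkTimeout() is assumed to turn true after `timeout_after` calls."""
    lines = [l for l in listing.splitlines() if l.strip()]
    labels = {l: i for i, l in enumerate(lines) if not l[0].isspace()}
    stack, pc, count = [], 0, {"check": 0, "clock": 0}
    for step in range(1, max_steps + 1):  # label lines match no branch below: no-ops
        tok, pc = lines[pc].split(), pc + 1
        op = tok[0]
        if op == "INVOKESTATIC":  # either checkTimeout() or the fake currentTimeMillis()
            key = "check" if "checkTimeout" in tok[1] else "clock"
            count[key] += 1
            stack.append(count[key] if key == "clock" else int(count[key] > timeout_after))
        elif op in ("LDC", "ACONST_NULL"):
            stack.append(int(tok[1]) if op == "LDC" else None)
        elif op in ("LREM", "LCMP"):
            b, a = stack.pop(), stack.pop()
            stack.append(a % b if op == "LREM" else (a > b) - (a < b))
        elif op in ("IFNE", "IFEQ", "GOTO"):
            if op == "GOTO" or (stack.pop() != 0) == (op == "IFNE"):
                pc = labels[tok[1]]
        elif op == "ARETURN":
            return "returned", step
    return "still running", max_steps
```

Running `run(AMOK, 3)` exhausts the step budget, while `run(inject(AMOK), 3)` returns on the fourth pass through `L0`, because the loop's backward jump lands on a label that now carries the check.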
