cassandra-commits mailing list archives

From "Robert Stupp (JIRA)" <>
Subject [jira] [Commented] (CASSANDRA-9954) Improve Java-UDF timeout detection
Date Wed, 23 Dec 2015 16:58:46 GMT


Robert Stupp commented on CASSANDRA-9954:

Updated the branch with the following changes:
* rename "timeout" to "cpu time" to make clear that the values relate to CPU time and not
wall clock
* let Java UDFs run in the calling thread and updated security-manager accordingly
* byte code inspection now checks class names against general UDF black/white lists
* refactorings to (hopefully) simplify code

I *think* the changes to Java UDFs are fine WRT class loading and security manager.

Still unsure about timeouts related to wall-clock and (remaining) request-time. In order to not
issue false-positive warnings and errors caused by "badly timed GCs" or an overloaded system,
the timeouts need to be quite high.

Triggered cassci runs, too.

PS: while fixing the branches for another ticket, I ... up the branch for this ticket (both
local and github) and the only backup was in IntelliJ's history. Sorry that the branch now
appears squashed.

> Improve Java-UDF timeout detection
> ----------------------------------
>                 Key: CASSANDRA-9954
>                 URL:
>             Project: Cassandra
>          Issue Type: Improvement
>            Reporter: Robert Stupp
>            Assignee: Robert Stupp
>             Fix For: 3.x
> CASSANDRA-9402 introduced a sandbox using a thread-pool to enforce security constraints
> and to detect "amok UDFs" - i.e. UDFs that essentially never return (e.g. {{while (true)}}).
> Currently the safest way to react to such an "amok UDF" is to _fail-fast_ - to stop the
> C* daemon since stopping a thread (in Java) is just no solution.
> CASSANDRA-9890 introduced further protection by inspecting the byte-code. The same mechanism
> can also be used to manipulate the Java-UDF byte-code.
> By manipulating the byte-code I mean to add regular "is-amok-UDF" checks in the compiled
> EDIT: These "is-amok-UDF" checks would also work for _UNFENCED_ Java-UDFs.

This message was sent by Atlassian JIRA
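
Added example, not part of the original message and not Cassandra's code: a minimal sketch of an "is-amok-UDF" check that measures CPU time of the calling thread rather than wall clock, as the comment above distinguishes. The names `CpuBudgetDemo`, `CpuBudget`, `check` and `amokUdf`, the 50 ms limit, and the placement of the check on every loop iteration are assumptions made for illustration.

```java
import java.lang.management.ManagementFactory;
import java.lang.management.ThreadMXBean;

// Added illustration; class and method names are hypothetical, not Cassandra's.
public final class CpuBudgetDemo {
    private static final ThreadMXBean THREADS = ManagementFactory.getThreadMXBean();

    /** Per-invocation budget, measured in CPU time consumed by the calling thread. */
    static final class CpuBudget {
        private final long failNanos;
        private final long startCpuNanos;

        CpuBudget(long failMillis) {
            this.failNanos = failMillis * 1_000_000L;
            this.startCpuNanos = THREADS.getCurrentThreadCpuTime();
        }

        /** The kind of call an instrumenting pass could insert into UDF byte code. */
        void check() {
            long used = THREADS.getCurrentThreadCpuTime() - startCpuNanos;
            if (used > failNanos)
                throw new IllegalStateException("UDF exceeded CPU budget: " + used / 1_000_000L + " ms");
        }
    }

    /** Stand-in for a UDF body containing while (true), with the check inserted by hand. */
    static void amokUdf(CpuBudget budget) {
        long n = 0;
        while (true) {
            n++;
            budget.check();
        }
    }

    public static void main(String[] args) throws Exception {
        if (!THREADS.isCurrentThreadCpuTimeSupported())
            throw new UnsupportedOperationException("thread CPU time not available on this JVM");
        // Sleeping (like a GC pause or a descheduled thread) costs wall-clock time but
        // almost no CPU time for this thread, so it does not trip the budget.
        CpuBudget idle = new CpuBudget(50);
        Thread.sleep(200);
        idle.check();
        System.out.println("200 ms asleep: budget not exceeded");
        try {
            amokUdf(new CpuBudget(50));
        } catch (IllegalStateException e) {
            System.out.println("amok loop stopped: " + e.getMessage());
        }
    }
}
```

Because the exception is raised inside the running thread, the loop ends without stopping the thread from outside, and the sleep case shows why a CPU-time limit avoids the false positives a wall-clock limit would produce on a paused or overloaded system.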