Quest For "Unbreakable Java" Unites ABAP & Java 198
jg21 writes "Writing an article about "A Java Server That Never Goes Down" is pure hubris, but a German developer who says he's been "eating, sleeping, and drinking Java" for 8 years doesn't seem to care and his article brings to light the aspects of VM we rarely think of as he introduces "user isolation" and tells about some interesting work SAP in Germany is doing in that area, merging the Java and the ABAP worlds."
Throw it in jail (Score:5, Interesting)
Re:Throw it in jail (Score:2, Interesting)
Hrmpf! ABAP and/or R/3 should better not be taken as a model for anything. Hell, even Visual Basic is the work of a genius compared to the convoluted mess that ABAP R/3 is. Dont expect anything to come out of this 'Unbreakable Java' in the next 10 years. A lot of people at SAP would like to get rid of ABAP and see Java as the way out, but it wont be done overnight. Sure they can do interfaces so that you can call Java from ABAP
Re:Throw it in jail (Score:3, Interesting)
Note that a true chroot jal is not possible with vanilla java, as there currently is no way to modify filenames from within the usual Java security apparatus.
Re:Throw it in jail (Score:4, Interesting)
I don't see why different security managers would be necessary. What's needed is to give different rights to each thread, and JAAS allows you to do that.
Re:Ironic that Apache 2.x is going to threaded mod (Score:3, Interesting)
Just because people have found that a hammer is the most generalized tool does not make the world full of nails.
Re:Ironic that Apache 2.x is going to threaded mod (Score:2)
Linux has always been monolithic; it has not migrated from a microkernel-based model.
Indeed.
Larry
Re:Ironic that Apache 2.x is going to threaded mod (Score:3, Insightful)
I blame Windows.
fork(2) is way better than threads in any application where the forked part doesn't need much communication with the parent. Because when a forked process crashes, there's no way for it to harm the parent. Even if you do need communication, fork mixed with pipes, sockets, signals, or shared memory can be great - a little more programming effort than th
Re:Ironic that Apache 2.x is going to threaded mod (Score:4, Informative)
SFU and the POSIX subsystem have to use NtCreateProcess too, but take advantage of SectionHandle=NULL.
Cygwin uses copy-on-create to simulate copy-on-write by copying the entire address space to the child. This is slow and wastes memory. The cygwin mailing lists have had endless arguments on why they don't take advantage of NtCreateProcess. Here's [cygwin.com] a small thread.
Also, there is the problem that Win32 does a lot more than just call NtCreateProcess: the native function creates a new process but nothing else. It allocates no memory, creates no threads, and loads no libraries. When you call CreateProcess from Win32, it does all that for you. Since Cygwin implements Posix (and related) over Win32, not Posix over NT (as opposed to SFU which is over NT), they feel compelled to use only Win32 functions.
It would be nice to have a cygwin fork that creates its own subsystem, an open-source SFU, that would take advantage of this kind of thing.
Depending on fork to provide stability is a workaround for the real problem: the app crashing.
Besides, if your data areas are well defined, you can put them in shared memory sections and have the children map that copy-on-write at the same addresses.
Re:Ironic that Apache 2.x is going to threaded mod (Score:3, Interesting)
I fully agree that forking is a workaround, and it's better not to have the app crash, but better still is both forking and having the app not crash. It's like having computers in a LAN secure from each other - yes, the firewall should work, but it's better not to depend on that.
Re:Ironic that Apache 2.x is going to threaded mod (Score:2, Insightful)
See LoadLibrary [microsoft.com], GetProcAddress [microsoft.com], , GetVersionEx [microsoft.com] and VER_PLATFORM_WIN32_NT [microsoft.com].
Re:Ironic that Apache 2.x is going to threaded mod (Score:2)
Re:Ironic that Apache 2.x is going to threaded mod (Score:2)
Re:Ironic that Apache 2.x is going to threaded mod (Score:2)
To the programmer, it appears that fork() makes a copy of
Re:Ironic that Apache 2.x is going to threaded mod (Score:2)
Re:Ironic that Apache 2.x is going to threaded mod (Score:2)
In theory this is true in Unix as well, but if the thread crashed or got an exception it wasn't expecting how do you "know" that the memory space of the other threads aren't damaged. Also in theory even though you can allocate mutexes etc. in a way that they'll be released when this happens ... you weren't expecting it to happen and in theory theory and practice are the same.
The perfect solution... (Score:5, Funny)
Re:The perfect solution... (Score:5, Funny)
Scientists have discovered a food that takes away a woman's sex drive. Wedding cake.
I hope so.... (Score:2)
Are all women insatiable like this or did I just happen to hit the motherload?
Re:I hope so.... (Score:2)
Is she approaching 40?
Did she attend a private church-funded school?
Those are the best reasons I've been able to come up with to explain my situation.
Knock her up. That put an end to it for me.. All they want to do for the first trimester is sleep.
satisfyability (Score:3)
Snicker actually.... (Score:2)
Re:satisfyability (Score:2)
For God's sake, differentiate between code and life, man...
Re:The perfect solution... (Score:2)
ABAP? (Score:2, Redundant)
Re:ABAP? (Score:3, Informative)
Re:ABAP? (Score:5, Informative)
If you enter the world of SAP, be prepared for a thousand acronyms.
first (Score:3, Insightful)
How come when I talk to a company executive, they're implementing SAP.
Nobody ever seem to have implemented it.
Re:ABAP? (Score:3, Informative)
Like Cobol. Or AppleScript
-WS
Re:ABAP? (Score:2)
but overall SAP R/3 is one big mess
you can "see" how it grew over the past 30 years
that it is a mess does not mean it is bad or something
you just can't learn something and append it to any other part of the system without some surprises
it's strongest part is that it integrates anything!!! so tight
you could even speak of "One system to rule them all" if you just tried hard enough i am sure you would find a module to manage your toilet paper usage
Re:ABAP? (Score:2)
Re:ABAP? (Score:2)
Here's what it stands for... (Score:2)
= 9J =
i think it just went down (Score:2)
Use DTrace to Isolate Bugs (Score:2, Interesting)
I think the first thing he should do is install Solaris 10 with DTrace [sun.com] and debug with a passion. DTrace will reveal all those nasty problem areas making it easier to fix.
Re:Use DTrace to Isolate Bugs (Score:2)
Not really. N1 Grid Containers [sun.com] will allow the admin to basically chop up a machine into "virtual machines" or "environments." For example, a 12 CPU machine can be changed from a single server into 4 three CPU machines making it possible to have a development server and 3 test servers. N1 Grid Containers are much more than this but it just an example.
DTrace comes with Solaris 10 and it allows you to watch basically ever aspect of a program's execution. It can tell you how many times it pounds a parti
Mirror @ MirrorDot (Score:2, Informative)
Java in one process (Score:2, Interesting)
Re:Java in one process (Score:2, Insightful)
That does not change the fact that those threads are handled by a virtual machine that provide no isolation between them.
--
Mickaël Rémond
http://www.erlang-projects.org/ [erlang-projects.org]
Already done? (Score:2, Insightful)
"eating, sleeping, and drinking Java" (Score:2, Funny)
R3
So basically... (Score:5, Interesting)
This sound like it's at least as much about fast and effective recovery on crash as it is crash prevention. Which to a web user is the same thing.
All VM's have bugs so crash-proof is a tall order.
Re:So basically... (Score:5, Informative)
This scenario breaks down when: there is a bug in the shared classes or the shared closures implementation, when there is a bug causing corrupt data to be written to the shared closuers, when one or more processes trigger a bug which cause them to hog a scarce system resource like memory or CPU time, when a OS bug or a hardware failiure is encountered, etc, etc, etc.
The ideas outlied are sound for an extremely high availability system, but they are not enough to make the clain unbreakable.
Some improvements to the outlined strategy: Use a validator to check that the information written to the shared closures is always correct. Mirror the shared closures to another computer. Have a backup computer which automatically picks up if the first one falls down.
Re:So basically... (Score:2, Informative)
If its a hardware failure and you can start from the beginning maybe. But thats a lot harder to do than you make is sound given that realtime systems often cant miss a heartbeat and must keep on processing. I have spent much of my professional life writing code to do just that, and without having facilities built into the OS you have to write a lot of application level code to make it happen. Each application needs to be awar
8 years of Java! (Score:4, Funny)
I'm getting the shakes even thinking about that.
Analogies Gone Wild! (Score:3, Funny)
First, it is possible to let the passengers share the ship with some others without meeting them at any time. Some invisible mechanism moves the sleeping passenger out of the ship, storing him or her somewhere outside and puts another active passenger into it, taking care that only one active passenger is in each ship at any moment.
Re:Analogies Gone Wild! (Score:2)
Basically embarrass the posters by highlighting their errors to everyone and at the same time draw their attention to the errors.
I bet after implementing such a system this sit
Shared memory w/ processes is no better (Score:3, Insightful)
If a process crashes then all memory that the process has access to is suspect. If that's all the jvm contexts then they're all suspect.
It's funny laugh! (Score:2, Funny)
Thinking users?!?! I didn't know this article was supposed to be funny!
Re:It's funny laugh! (Score:2)
Now Lusers has an opposite
This has been the basis of Erlang for 18 years (Score:2, Interesting)
It was really fun reading this article as isolation as described in this article has been one of the founding principle of the Erlang VM. Erlang is a concurrency oriented langage created to support the development of robust scalable fault-tolerant applications.
I strongly recommand reading Joe Armstrong thesis. This is very enligthning regarding this topic and this is real world feedback:
armstrong_thesis.pdf [www.sics.se]
Fortunately, Erlang has been designed from the ground-up for robustness. All feature of Erla
Crash-only software (Score:5, Interesting)
Summary of the Crash-Only paper (Score:3, Interesting)
Re:Summary of the Crash-Only paper (Score:3, Interesting)
Not just that -- accept that crashing is a valid way of shutting down your program. In other words, be kill -9-safe. Also, include crash recovery in the first place; an orphaned pid file (hello, Jabberd [jabber.org]!) or an orphaned lock file (yo, Lucene [apache.org]!) should not prevent a program from starting up. It's incredible how prevalent these lit
Re:Summary of the Crash-Only paper (Score:2)
Re:Crash-only software (Score:2)
Hmmm (Score:3, Funny)
Re:Hmmm (Score:2)
Marry someone else.
-kgj
-1, Inevitable? (Score:2)
User isolation? (Score:2)
Preventing DOS, not security, is the target (Score:4, Informative)
However, the standard Java VM does not provide any way for a supervisory process to limit two key resources: memory and CPU. The Thread.stop() call is useless against a malicious DOS attack via Threads with infinite loops since the attacker can simply provide a "finally" clause that perpetuates the loop. Thread.stop() is even deprecated in later version of Java. Furthermore, there is no way to limit the memory that malicious code can allocate via new (unless I missed something in recent versions). So crashing a JVM via malicious applets or servlets is trivial. This is acceptable for a web browser (just restart the JVM), but not so good for server side Java. Furthermore, infinite loops and data cancer (actual memory leaks where the memory is allocated but not referenced anywhere are impossible in pure Java) are common failure modes of honest but buggy software, so JVMs too often crash due to either CPU or memory starvation even when only trusted code is running.
The goal of the system described is to provide a way to limit CPU and Memory consumption by leveraging the process model provided by the OS. Furthermore, the hardware enforced user mode helps protect against JVM and JNI bugs that might otherwise break the Java machine model (and allow memory leaks/corruption or malicious native code execution). Having multiple layers of protection is always good.
Re:Preventing DOS, not security, is the target (Score:2)
Misssing the point (Score:3, Interesting)
However, if a VM was running directly on top of the kernel, it could implement these features more efficiently than what must be done for native code and would need little hardware support from the CPU. For example, kernel and user code can pass objects to each other without making a copy or any security concerns.
Re:Misssing the point (Score:2)
Nothing new here (Score:3, Interesting)
What's needed is a transaction processing engine (Score:2)
If you want reliability, what you need is a transaction processing system, where transaction programs are quickly started, do their job for one user, and exit. There have been high-performance systems for transaction processing for decades. That's how mainframes work. CICS, TIP, and of course Tandem worked that way. CGI pr
Re:What's needed is a transaction processing engin (Score:2)
Congratulations - you've just invented FastCGI [fastcgi.com]. At least, you would have done if you'd come along a decade or
Re:What's needed is a transaction processing engin (Score:2)
Re:What's needed is a transaction processing engin (Score:2)
My understanding is that there is a preset number of "processes" for CICS. I think we have 4. So for CGI, you would start up 4 processes, get them through initialization, then let them loop on data (incoming requests). If one crashes, restart it.
To be efficient, all dynamic allocation of anything should be an exception, not SOP, including creating processes. That is why Unix appears slow for batch work; it lends itself to lots of dynamic allocation. Of course, most
Check out the Isolation JSR (Score:5, Interesting)
JSR 121: Application Isolation API Specification [jcp.org]
Problem is, this JSR is going nowhere. There are some big corps onboard, but no one seem's interested in defining a common API. Sun's management is clearly not interested (more precisely, "Sun's managment has decided not to commit any resources to this project in the short term.") So there are lots of research papers, prototypes and Master's thesis, which are all very interesting, but no working implementation that everyone can use.
That's really sucks because with an implementation of this JSR, the JVM could get a lot more OS-like. Too bad.
Ever hear of Tandem (Score:2, Interesting)
You could write programs in a language called TAL (Transaction Application Language) which provided the ability to checkpoint. Doing this, your program could initialte a primary and backup process. The backup process would run on a different CPU. By checkpointing, the application could keep the primary and backup process in sync. If, for some reason, the primary proces
Where is "down"? (Score:2)
INSTRUCTION1: EXECUTE INSTRUCTION2
INSTRUCTION2: EXECUTE INSTRUCTION1
resulting from memory corruption inserting those bra
Re:Where is "down"? (Score:2)
HotSpot source code is a bad joke (Score:2)
Before you put too much faith in "unbreakable" JVMs, you should read the comments about Sun's JVM source code on Slava Pestov's Weblog: "HotSpot source code is a bad joke" [jroller.com]. scary!
Cleverly Pimping Net Weaver (Score:2)
First and foremost SAP I do not want to have to run your hacked up JVM. Is it a good idea, yea probably but implementing it is gonna be hard because of the closed nature of JVM.
No sys admin and or programmer in his right mind wants to work with or support some third party JVM.
All that being said what's up JBOSS developers? Is this a good idea? I most certainly trust your skill far and beyond anything these guys can produ
Pretty Old Insights (Score:2)
For example, when the author talks about the ABAP's process model and how it should probably be rebuild with Java. The idea is basically: One process (or thread) per request, shared session
Re:Why web processes don't communicate with IPC? (Score:2, Funny)
Re:Why web processes don't communicate with IPC? (Score:2)
I don't remember the names of all the different ones I evaluated but we wound up using Bluestone Sapphire/Web. You would create application servers that would run on your web server or on other boxes that your webserver would talk to. The web server would connect to an application server instance that ran continually.
Sapphire/Web was a really good development tool. Th
Re:Step on those Beans! (Score:5, Insightful)
I have been doing Java since 2000, coming from C++.
Java isn't bad. It is complete; it has a threading model with appropriate concurrency controls. It isn't that different from other imperitive object-oriented languages. It has automatic garbage collection. After startup, on our applications, the performance difference with C++ is negligible, and what we save with automatic GC is quite bankable.
My employer used two strengths of Java to justify the move from C++: platform independence, and garbage collection.
I don't know what jbich wants to see in a language.
my thoughts on java (Score:4, Interesting)
And development overall in a real-world environment wasn't bad at all. In face I've written in Windows and deployed on Linux for multiple projects now.
However, with Java client apps it's write-once, debug-everywhere, since every VM has its quirks you have to troubleshoot, and suddenly I have several versions of my software to troubleshoot (last time I did that was circa 99, so maybe it's better now)
My last java project was a system of servlets for Tomcat which were needed to be up 24/7. The thing works, but the memory leaks were terrible, even making sure I set everything to null after using it, it was a memory bleeding dog.
My current job uses primarily C# on Windows server, and I'm much more impressed with
foreach (SomeObject i in SomeCollection)
but there's a ton of language features that I don't want to get into here.
It's the stability and deployment that really got me. I can just compile my code to a DLL (and a couple of stub
I still have to reboot windows 2003, but that's just because I keep my patches up-to-date. If I neglect to patch a server, it would stay up longer than the Java boxes. And this stuff runs much faster... almost as fast a C. Sounds absolutely nuts, but it's true.
Re:my thoughts on java (Score:3, Insightful)
However, with Java client apps it's write-once, debug-everywhere, since every VM has its quirks you have to troubleshoot, and suddenly I have several versions of my software to troubleshoot (last time I did that was circa 99, so maybe it's better now)
I have
Re:my thoughts on java (Score:3, Insightful)
Thats not Java, thats your programming.
[Re C#] It's the stability and deployment that really got me...And this stuff runs much faster...
Right... My experience is otherwise. The JIT in Java 1.5, JRockit and other high performance JVMs leaves .NET for dead, even for Desktop Graphics, which was an area I was expecting big improvements in due to its tight binding wit
Re:my thoughts on java (Score:2)
Check again. The garbage collection process as well as the fact that it does not release memory in some situations for 1 hour or until the application is closed constitutes a leak.
Re:my thoughts on java (Score:3, Interesting)
>Check again. The garbage collection process
The garbage collection process is a memory leak how?
as well as the fact that it does not release memory in some situations for 1 hour or until the application is closed constitutes a leak.
I can't comment on all java applications of course, but this IS usually a mistake in programming. One possible example - an application which has a separate window for configuration etc. The programmer remembers to null th
Re:my thoughts on java (Score:3, Insightful)
As in groovy, beanshell, jython, jcl...
Re:Step on those Beans! (Score:2)
I know perl, php, java, C (although I haven't used it for so long I can barely code a hello world anymore), and have dabbled a little in lisp and prolog.
I like Java.
I like java... (Score:2, Insightful)
I've been doing a lot of Java in the last few years, and I like it.
There are some warts. It uses a lot of memory, RMI should be transparent, the package setup is not very helpful, and iteration is still uglier than python, but in general most things are there for a reason, with an eye on large project development. This is where things make sense -- you can move, refactor, or
Re:Step on those Beans! (Score:3, Insightful)
I have used Perl and Python.
I prefer Java for the following reasons:
1) I like programming in an object oriented style.
2) C++ has lots of gotchas. My favorite is having to recompile client code for a class when the size of instances changes.
3) Java has a thriving job market. Smalltalk was to hard to get ahold of a widely used compiler (fork over a thousand dollars or more).
And then once you learned it, you had to move to the few towns
Re:Step on those Beans! (Score:2)
One reason I use Java is performance. Java used to be seriously slow, but now comes close to C++ speed in real applications. Python is a great language, but remains slow and interpreted. I know there are extensions for uses such as scientific computing, but those are external to python and written in C.
Re:Step on those Beans! (Score:2)
Of the languages I listed, I perfer Java?
Re:Step on those Beans! (Score:2)
Re:Java and memory leaks and slowness (Score:5, Informative)
Every one? I doubt that very much. If you have used commercial websites you are sure to have used a significant number of websites powered by Java application servers (check the number of
This is the norm, not the exception. It is not flamebait.
Generally, they are memory leaking pig apps.
Eclipse, Tomcat, JBoss, ant and all such widely used and successful applications are all memory leaking pigs? This would be surprise to the developers of these applications who have honed and tuned them over the years, and the thousands of contented users.
How about the thousands of Java games running on mobile devices in a few MB? Are they memory leaking pigs too?
Sure, there are memory leaking pig Java apps. There are memory leaking pig X apps where X is the language of your choice.
Re:Java and memory leaks and slowness (Score:2)
However, if you sincerely think that Eclipse doesn't leak memory like a sieve, then I claim that you don't do your day-to-day in it.
Re:Java and memory leaks and slowness (Score:3, Interesting)
It's certainly not simple! It is used for large-scale production builds and scripting. It's also used as a plug-in, often for repeated and automated tasks within other programs, where leaks would definitely show. (Actually, there have been *past* memory leaks in Ant, which caused problems in these situations).
However, if you sincerely think that Eclipse doesn't leak memory like a sieve, then I claim that yo
Re:Java and memory leaks and slowness (Score:2)
No. You said you 'loathed' all java apps you had used. You did not qualify this. There was no 'focus' on what you said - it was a clear statement.
If the memory leaks on someone else's system, it isn't my problem, is it?
Yes, because if memory *really* leaked on those systems, they would become unstable and unusable. Java is used widely in critical applications like banking, and ticketing systems. If these systems become unsta
Re:Java and memory leaks and slowness (Score:2)
Not true. Java application servers can be very stable indeed. For example, the free Tomcat server can be run for a very long time without problems (memory issues arise if JSP pages are being constantly recompiled, but this is more likely in a development context, not a deployment).
Memory leaks (or rather, poor memory management) are common in badly written web ap
Re:Java and memory leaks and slowness (Score:3, Informative)
There are very few types of memory leaks in Java, and they are very well understood and isolated. Compare that with C++ which has a greater propensity to leak memory than even c (since many c programmers use the stack instead of dynamic allocation wherever possible).
In Java, if you have a memory leak, you'll learn about it very quickly, and the memory error/stack-trace/profileability can usually quickly point you in the right direc
Re:Java and memory leaks and slowness (Score:2)
If responding to vague generatisations with counter examples and facts counts me as an asshole, then I celebrate my assholeness!
Re:Allow me to explain... (Score:2)
Switching to Java had a negligable change in our hardware budget. "More money for servers" is a myth.
Re:pffffff dünschiss wie immer..... (Score:2)
Already been done! There is J#, and Java support in
Re:Careful... (Score:2)
Those are max heap sizes. Few applications need anything like that, and very few set the size to that value. Before java 5.0, the default max heap was only 64MB. Now its the smaller of 1/4 of memory or 1GB. But, its only a command like switch to red