Google's open-sourced V8 engine is a mature, performant JIT compiler.

Implemented primarily in C++, acting as a JS-centric execution runtime.

It has an isolation implementation (V8: Isolates), providing isolation granularity within a single process.

Leading to a two-part question.

(Generic) Can this capability be broadly used for isolation across server-side web application engines (e.g. nginx, apache) and programming languages?

(And more specific ->)

What I've grasped of V8 is that it's designed for the JS scripting language (even though it compiles directly to machine code). Wanting to use a programming language for source code - say Haskell, C++/C - then tends to still have a JS interface in between. Would there be a much more direct way to generate machine code, while still using V8: Isolates?

C. Derx

1 Answer

V8 is a JavaScript (and WebAssembly, in recent versions) engine and as such cannot be used to compile or execute any other languages.

If you have C++ code, you'll need to use a C++ compiler to generate executable machine code for it. Haskell code needs a Haskell compiler.

Depending on your requirements, WebAssembly might be interesting to you: it is a portable compilation target for languages like C++ that is more suitable for this purpose than JavaScript.

This should answer both your "more specific" and the "generic" question.

Note that there isn't really any magic in V8's Isolates that one might want to use for other purposes; the term mostly describes the ability to have several separate instances of V8 in the same process. That's rather easy to pull off if you start your own project from scratch (no matter what its purpose is), you just have to maintain a bit of coding discipline; for an existing codebase it requires refactoring of all global state (static variables etc).

Also, note that the world has learned this year that from a security point of view, there really is no such thing as in-process isolation. If you have strong security requirements, then at the very least you'll have to run separate processes for different security domains. (To be clear, V8's Isolates do not provide protection from side-channel attacks.)

jmrk
  • > world has learned this year that from a security point of view, there really is no such thing as in-process isolation.
    Can you point to a specific event that you seem to be referring to? – C. Derx Dec 19 '18 at 16:43
  • The "Spectre" class of side channel attacks. – jmrk Dec 20 '18 at 01:54
  • Is there an isolation solution which is *not* affected? – C. Derx Dec 21 '18 at 04:40
  • I believe separate processes are currently assumed to be effectively isolated from each other, as long as hyper threading is turned off. – jmrk Dec 22 '18 at 19:44
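
The two points made in the answer above, as an added C++ example that is not part of the original thread and is not V8 code: an Isolate-style design means several instances with no shared global state in one process, while separate security domains get one process each. `Engine`, `run_in_process` and `run_in_child` are hypothetical names, and POSIX `pipe`/`fork`/`waitpid` are assumed.

```cpp
// Added illustration with hypothetical names (not V8 API); POSIX only.
#include <map>
#include <string>
#include <sys/wait.h>
#include <unistd.h>

// Isolate-style design: all state is a member, nothing is static, so several
// engines can coexist in one process without sharing data.
class Engine {
 public:
  void Define(const std::string& name, int value) { globals_[name] = value; }
  int Lookup(const std::string& name) const {
    auto it = globals_.find(name);
    return it == globals_.end() ? -1 : it->second;  // -1: not defined here
  }
 private:
  std::map<std::string, int> globals_;  // per-instance state
};

// Same process: b never sees a's definitions, but both live in one address
// space, so this is a design property and not a security boundary.
int run_in_process(int value) {
  Engine a, b;
  a.Define("x", value);
  return b.Lookup("x");
}

// One process per security domain: the child has its own address space and
// the parent sees only what crosses the pipe. Returns -2 on any failure.
int run_in_child(int value) {
  int fds[2];
  if (pipe(fds) != 0) return -2;
  pid_t pid = fork();
  if (pid < 0) { close(fds[0]); close(fds[1]); return -2; }
  if (pid == 0) {  // child: build the engine only after the fork
    Engine e;
    e.Define("x", value);
    int out = e.Lookup("x") * 2;
    _exit(write(fds[1], &out, sizeof out) == (ssize_t)sizeof out ? 0 : 1);
  }
  close(fds[1]);
  int result = -2, status = 0;
  ssize_t n = read(fds[0], &result, sizeof result);
  close(fds[0]);
  waitpid(pid, &status, 0);
  bool ok = n == (ssize_t)sizeof result && WIFEXITED(status) && WEXITSTATUS(status) == 0;
  return ok ? result : -2;
}
int main() { return run_in_process(7) == -1 && run_in_child(21) == 42 ? 0 : 1; }
```

A forked child starts with a copy of whatever the parent already holds in memory, so domain-specific data should be loaded only after the fork, as the child branch does here.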