by tayistay 1028 days ago
> The argument that cooperative scheduling is doomed to fail is overblown. Apps are already very much cooperative. For proof, run a version of that on your nice preemptive system: [pathological example which creates tons of threads and files]

The example is just too contrived. On a preemptive OS, apps typically hang in ways that don't turn the whole thing cooperative (thread deadlock, infinite loop, etc.). Also, a preemptive system could kill an app if it creates too many threads, files, or uses too much RAM, long before it gets effectively cooperative. Our systems are just more permissive.

> [Sandboxing] comes free once you accept the premises.

and yet

> any app can casually check the ram of another app ^^. This is going to be a hard problem to solve.

So no, sandboxing doesn't come for free.

That said, it's a cool idea and I wish the author success!


In browser land, all open sites share the memory of the browser heap, and there’s no crosstalk at all. I think the way out of that particular issue is creating a closure around the function (application) that effectively acts like the application’s own context. What if an app could open an app? Or put another way, what if an app could be an OS to another app?
There’s no cross talk because you can’t peek / poke arbitrary pointers in javascript. But you can in Rust.

And even then, I think modern browsers still isolate each tab in a separate process just to be safe. I don’t think they share memory.

Have you seen the "Birth and Death of Javascript" talk? https://www.destroyallsoftware.com/talks/the-birth-and-death...

But the basic idea of using a managed language like Java or something to eliminate the need for hardware process security goes way back. Microsoft's Singularity project is I think the best developed effort at this.

The example is even more contrived because it assumes all systems have terrible sandboxing like Windows and Linux.

Any system competently designed for robust sandboxing would have limits for all resources and reject requests when the limit is reached.