Subject UDF sandbox?... (was: Re: [Firebird-Architect] Re: Database level triggers)
Author Fred Polizo
Claudio Valderrama C. wrote:
> UDF calls are protected. The problem is how the engine handles the
> errors.
> ...

Hi Claudio,

Are you familiar with Oracle external procedures? The model is a bit
different from FB UDFs. When a server process calls an external
procedure it runs the procedure in an agent process, that it spawns on
the first call. Oracle also supports calling an external procedure in
a different database instance on the current or a remote machine.

The idea is that the agent process can crash and, most of the time,
not bring down the database server processes. Where reliability is
critical, Oracle suggests running another db instance on the same
machine to fully isolate external procedures from the real db.

Of course, executing UDFs in an agent process has more overhead than
executing them directly in the server process as FB does. So, there
are tradeoffs. If there is demand for better isolation from user UDF
bugs, perhaps giving users the option of running UDFs in an agent
process might be a viable solution. Then let the user decide if they
are willing to trade a little performance for more reliability.

Just a thought...

Regards,
---Fred P.
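As an added illustration of the agent-process model Fred describes (example code written for this thread, not from Firebird or Oracle): a minimal "agent" that forks a child, runs a UDF there, and reads the result back over a pipe. A UDF that faults kills only the child; the caller sees a clean error code instead of going down with it. The UDF signature, the `run_udf_isolated` wrapper and the status codes are assumptions for the example; `udf_crashes` simulates a memory fault with `raise(SIGSEGV)` rather than real undefined behaviour.

```c
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical UDF shape: one int in, one int out. */
typedef int (*udf_fn)(int);

/* A well-behaved UDF. */
int udf_double(int x) { return 2 * x; }

/* Constructed buggy UDF: raising SIGSEGV stands in for the fault a bad
   pointer dereference would produce, without relying on undefined behaviour. */
int udf_crashes(int x) { (void)x; raise(SIGSEGV); return 0; }

enum { UDF_OK = 0, UDF_CRASHED = -1, UDF_ERROR = -2 };

/* Run udf(arg) in a forked agent process.
   Returns UDF_OK and sets *out on success, UDF_CRASHED if the agent died
   from a signal (the case in-process execution could not survive), and
   UDF_ERROR for any other failure. *out is left untouched on failure. */
int run_udf_isolated(udf_fn udf, int arg, int *out)
{
    int fds[2];
    if (pipe(fds) != 0) return UDF_ERROR;

    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return UDF_ERROR; }

    if (pid == 0) {
        /* Agent side: restore default fault handling so a crash terminates
           only this process, then run the UDF and ship the result back. */
        close(fds[0]);
        signal(SIGSEGV, SIG_DFL);
        int r = udf(arg);
        if (write(fds[1], &r, sizeof r) != (ssize_t)sizeof r) _exit(2);
        _exit(0);
    }

    /* Server side: read the result (if any), then collect the exit status. */
    close(fds[1]);
    int r = 0;
    ssize_t n = read(fds[0], &r, sizeof r);
    close(fds[0]);

    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return UDF_ERROR;
    if (WIFSIGNALED(status)) return UDF_CRASHED;
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) return UDF_ERROR;
    if (n != (ssize_t)sizeof r) return UDF_ERROR;

    *out = r;
    return UDF_OK;
}

int main(void)
{
    int r = 0;
    int rc = run_udf_isolated(udf_double, 21, &r);
    printf("udf_double  -> rc=%d result=%d\n", rc, r);

    rc = run_udf_isolated(udf_crashes, 1, &r);
    printf("udf_crashes -> rc=%d (server process still alive)\n", rc);
    return 0;
}
```

The extra cost is visible in the code itself: a fork, two context switches and a pipe round trip per call, which is the performance the user trades for surviving a bad UDF. A real agent would keep one long-lived child per connection rather than forking on every call, as Oracle's model does, but the failure handling on the server side stays the same.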