Interesting!! I've been playing around with QuickJS lately and uses Elixir at work.
I'm interested to hear about your sandboxing approach running untrusted JS code. So you are setting an memory/reduction limit to the process which 100% is a good idea. What other defense-in-depth strategies are you using? possible support for seccomp in the future?
1. Are each of the JS processes running in its own process and mailbox? (I assume from the description is that each runtime instance is its own process)
2. can the BEAM scheduler pre-empt the JS processes?
3. How is memory garbage collected? Do the JS processes garbage collect for each individual process?
4. Are values within JS immutable?
5. If they are not immutable, are there risk for memory errors? And if there is a memory error, would it crash the JS process without crashing the rest of the system?
1. Yes. Each runtime is a GenServer (= own process + mailbox). There's also a lighter-weight mode where many JS contexts share one OS thread via a , but each context still maps 1:1 to a BEAM process.
2. No. JS runs on a dedicated OS thread, outside the BEAM scheduler. But there's an interrupt handler (_) that checks a deadline on every JS opcode boundary β pass : to and it interrupts after 1s, runtime stays usable. For contexts there's also _ β QuickJS-NG counts JS operations and interrupts when the budget runs out, closest analog to BEAM reductions.
3. QuickJS-NG uses refcounting with cycle detection. Each runtime/context has its own GC β one collecting doesn't touch another. When a Runtime GenServer terminates, _ + _ release everything.
4. No, standard JS mutability. But the JSβErlang boundary copies values β no shared mutable state across that boundary.
5. QuickJS-NG enforces _ per-runtime (default 256 MB) and _ per-context. Exceeding the limit raises a JS exception, not a segfault. It propagates as {:error, ...} to the caller. Since each runtime is a supervised GenServer, the supervisor restarts it. There are tests for OOM in one context not crashing the pool, and one runtime crashing not affecting siblings.
Running JS on the Beam VM, all written in C. I don't know if this is just cursed, or absolutely brilliant, either way I love it and will be following closely. Will definitely have to play with it.
This is very interest to me because we have accumulated a few node packages containing logic that services simply import. So in theory I could now use those node packages in elixir?
Yes, if the packages are pure JS logic (no native C++ addons, no Node-specific I/O like _ or ). The option auto-resolves imports from _/ and bundles via OXC. Node compat APIs (process, path, fs, os, Buffer) are available with : [:, :]. For packages with native .node addons, there's _/ which supports N-API.
Interesting!! I've been playing around with QuickJS lately and uses Elixir at work.
I'm interested to hear about your sandboxing approach running untrusted JS code. So you are setting an memory/reduction limit to the process which 100% is a good idea. What other defense-in-depth strategies are you using? possible support for seccomp in the future?
1. Are each of the JS processes running in its own process and mailbox? (I assume from the description is that each runtime instance is its own process)
2. can the BEAM scheduler pre-empt the JS processes?
3. How is memory garbage collected? Do the JS processes garbage collect for each individual process?
4. Are values within JS immutable?
5. If they are not immutable, are there risk for memory errors? And if there is a memory error, would it crash the JS process without crashing the rest of the system?
1. Yes. Each runtime is a GenServer (= own process + mailbox). There's also a lighter-weight mode where many JS contexts share one OS thread via a , but each context still maps 1:1 to a BEAM process.
2. No. JS runs on a dedicated OS thread, outside the BEAM scheduler. But there's an interrupt handler (_) that checks a deadline on every JS opcode boundary β pass : to and it interrupts after 1s, runtime stays usable. For contexts there's also _ β QuickJS-NG counts JS operations and interrupts when the budget runs out, closest analog to BEAM reductions.
3. QuickJS-NG uses refcounting with cycle detection. Each runtime/context has its own GC β one collecting doesn't touch another. When a Runtime GenServer terminates, _ + _ release everything.
4. No, standard JS mutability. But the JSβErlang boundary copies values β no shared mutable state across that boundary.
5. QuickJS-NG enforces _ per-runtime (default 256 MB) and _ per-context. Exceeding the limit raises a JS exception, not a segfault. It propagates as {:error, ...} to the caller. Since each runtime is a supervised GenServer, the supervisor restarts it. There are tests for OOM in one context not crashing the pool, and one runtime crashing not affecting siblings.
Running JS on the Beam VM, all written in C. I don't know if this is just cursed, or absolutely brilliant, either way I love it and will be following closely. Will definitely have to play with it.
love this! a while back i noodled around with this idea, but didn't get that far:
https://github.com/ityonemo/yavascript
glad to see someone do a fuller implementation!
This is very interest to me because we have accumulated a few node packages containing logic that services simply import. So in theory I could now use those node packages in elixir?
Yes, if the packages are pure JS logic (no native C++ addons, no Node-specific I/O like _ or ). The option auto-resolves imports from _/ and bundles via OXC. Node compat APIs (process, path, fs, os, Buffer) are available with : [:, :]. For packages with native .node addons, there's _/ which supports N-API.