Update docs on CPU/memory limits

matneu · ntemmar · commit 49ca52b73450 · 2022-04-04T10:58:48.000Z
diff --git a/SECURITY.md b/SECURITY.md
@@ -11,4 +11,3 @@ GraalVM Community Edition security updates will be released on a quarterly basis
 ### Security-Related Information
 
 Please refer to the [GraalVM Security Guide](https://www.graalvm.org/docs/security-guide/) for security related topics such as how to support trusted and less trusted code execution using the Truffle language framework, or compiler mitigations for transitive execution attacks. However please note that we do not currently support the execution of untrusted or adversarial code. Non-vulnerability related security issues may be discussed on GitHub Issues or the Security channel in the [GraalVM Slack Workspace](https://graalvm.slack.com/)
-
diff --git a/ci.jsonnet b/ci.jsonnet
@@ -32,7 +32,7 @@ local javadoc = import "ci_includes/publish-javadoc.jsonnet";
 local vm = import 'vm/ci_includes/vm.jsonnet';
 
 # Add a guard to `build` that prevents it from running in the gate
-# for a PR that only touches *.md files, the docs, are config files for GitHub.
+# for a PR that only touches *.md files, the docs, are config files for GitHub
 local add_excludes_guard(build) = build + {
   guard+: {
     excludes+: ["**.md", "docs/**", ".github/**"]
diff --git a/docs/reference-manual/embedding/sandbox-options.md b/docs/reference-manual/embedding/sandbox-options.md
@@ -55,6 +55,9 @@ If the time limit is exceeded then the polyglot context is cancelled and the exe
 As soon as the time limit is triggered, no further application code can be executed with this context.
 It will continuously throw a `PolyglotException` for any method of the polyglot context that will be invoked.
 
+The used CPU time of a context includes time spent in callbacks to host code.
+This is also the case when running with [Polyglot Isolates].
+
 The used CPU time of a context typically does not include time spent waiting for synchronization or IO.
 The CPU time of all threads will be added and checked against the CPU time limit.
 This can mean that if two threads execute the same context then the time limit will be exceeded twice as fast.
@@ -161,9 +164,11 @@ Resetting resource limits does not affect thread limits.
 
 The `sandbox.MaxHeapMemory` option allows you to specify the maximum heap memory the application is allowed to retain during its run.
 `sandbox.MaxHeapMemory` must be positive. This option is only supported on a HotSpot-based VM.
-Enabling this option in AOT mode will result in PolyglotException.
+Enabling this option in a native executable will result in a `PolyglotException`.
+The option is also not supported with [Polyglot Isolates], which have different means of controlling memory consumption.
 When exceeding of the limit is detected, the corresponding context is automatically cancelled and then closed.
 
+Only objects residing in the guest application count towards the limit - memory allocated during callbacks to host code does not.
 The efficacy of this option (also) depends on the garbage collector used.
 
 #### Example Usage

Original file line number	Diff line number	Diff line change
`@@ -11,4 +11,3 @@ GraalVM Community Edition security updates will be released on a quarterly basis`
`11`	`11`	`### Security-Related Information`
`12`	`12`
`13`	`13`	Please refer to the [GraalVM Security Guide](https://www.graalvm.org/docs/security-guide/) for security related topics such as how to support trusted and less trusted code execution using the Truffle language framework, or compiler mitigations for transitive execution attacks. However please note that we do not currently support the execution of untrusted or adversarial code. Non-vulnerability related security issues may be discussed on GitHub Issues or the Security channel in the [GraalVM Slack Workspace](https://graalvm.slack.com/)
`14`		`-`