RuntimeContext should include Executor (thread pool) #11

@fschopp

In order to prevent user-defined code (simple modules, marshaler plug-ins) from running when their class loaders have already been closed, all user-defined code should be run in a monitored Executor. The class loader contained in the RuntimeContext should only be closed after the last task has terminated.

It may be acceptable (and in some cases preferable) if the Executor implementation only does bookkeeping and otherwise delegates to an existing Executor. However, an additional request (potentially to be tracked in a separate issue) is to restrict permissions of user-defined code. That is, associate an AccessControlContext with the new Executor. Also, a SecurityContext may come into play, in order to disallow, e.g., writing to stdout (which apparently can only be prevented reliably by overriding java.lang.SecurityManager#checkWrite(java.io.FileDescriptor)). This means there is good reason not to mix trusted and untrusted code in the same executor or thread.
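
A sketch of the bookkeeping-only variant described in this issue, added here as an illustration and not taken from the project's code: the executor delegates to an existing Executor, counts in-flight tasks, and closes the class loader only after the last one has terminated. The class name `TrackingExecutor` and the method `requestClose()` are hypothetical; the permission restrictions mentioned in the issue are not covered.

```java
import java.io.Closeable;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.util.concurrent.Executor;
import java.util.concurrent.RejectedExecutionException;
import java.util.concurrent.atomic.AtomicBoolean;

// Hypothetical class, not part of the project: counts in-flight tasks, delegates
// execution, and closes the class loader only after the last task has terminated.
public final class TrackingExecutor implements Executor {
    private final Executor delegate;
    private final Closeable classLoader;   // e.g. a java.net.URLClassLoader
    private final Object lock = new Object();
    private int pending;                   // accepted but not yet finished
    private boolean closing, closed;

    public TrackingExecutor(Executor delegate, Closeable classLoader) {
        this.delegate = delegate;
        this.classLoader = classLoader;
    }

    @Override public void execute(Runnable task) {
        synchronized (lock) {
            if (closing) throw new RejectedExecutionException("context is closing");
            pending++;
        }
        // Guard so a task is released exactly once, even with an inline delegate.
        AtomicBoolean counted = new AtomicBoolean(true);
        Runnable release = () -> { if (counted.getAndSet(false)) finish(); };
        try {
            delegate.execute(() -> { try { task.run(); } finally { release.run(); } });
        } catch (RuntimeException | Error e) {
            release.run();                 // delegate rejected the task, or ran it inline and it threw
            throw e;
        }
    }

    // No new tasks are accepted; the loader closes once pending reaches zero.
    public void requestClose() {
        synchronized (lock) { closing = true; }
        closeIfIdle();
    }

    private void finish() {
        synchronized (lock) { pending--; }
        closeIfIdle();
    }

    private void closeIfIdle() {
        synchronized (lock) {
            if (!closing || closed || pending > 0) return;
            closed = true;
        }
        try { classLoader.close(); } catch (IOException e) { throw new UncheckedIOException(e); }
    }
}
```

Tasks submitted after `requestClose()` are rejected rather than queued, so user-defined code cannot start once the loader is scheduled for closing.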
