Resource Usage Limits on Sandboxed Solutions in SharePoint 2010

This topic describes the system resource usage limitations that Microsoft SharePoint Foundation imposes on sandboxed solutions.

Applies to: SharePoint Foundation 2010

Available in SharePoint Online

Sandboxed solutions are subject to three kinds of resource usage restrictions that can be categorized by (1) the kind of entity to which the restriction applies, and (2) the kind of entity on which the penalty for exceeding the restriction is imposed. The penalties are imposed automatically by the SharePoint Foundation solution monitoring infrastructure. Farm administrators can also manually block any sandboxed solution in the Central Administration application for any reason.

Warning

The Sandbox Solution framework provides a mechanism for executing user-provided code outside of the IIS worker process. The Sandbox Solution framework should not be used as a mechanism for enforcing security boundaries when executing user code. Sandbox Solutions are not supported as a security boundary with user code, especially code of unknown origin. We advise against executing Sandbox Solutions of unknown origins.

Types of Resource Usage Restrictions on Sandboxed Solutions in SharePoint 2010

The following are the three kinds of resource usage restrictions.

  • Per Request, with the Request Penalized: There is a hard limit to how long a sandboxed solution can take to be completed. By default, this is 30 seconds. If a sandboxed solution exceeds the limit, the application domain that handles the request (but not the sandboxed worker process) is terminated. This limit is configurable, but only through custom code against the object model. The relevant parts of the object model cannot be accessed by sandboxed solutions, so no sandboxed solution can change the limit.

  • Per Request, with the Process Penalized: There is a set of 15 additional resource limits that apply to requests. If a request exceeds one of them, the process (and all the sandboxed solutions that are running in it, including those that are well-behaved) is terminated. These limits are also configurable through SharePoint Management Shell or custom code against the object model.

  • Per Day/Per Site Collection, with the Site Collection's Entire Set of Sandboxed Solutions Penalized: Each site collection is subject to a configurable maximum of daily resource points. These points accumulate based on a proprietary algorithm that takes into account the use of resources in the 15 resource categories by the sandboxed solutions that are installed in the site collection. When a site collection exceeds its maximum allowed points, which by default is set at 300, all sandboxed solutions in the site collection are terminated, and no more can run for the remainder of the day. Site collection administrators can view the current day's total resource points used by the sandboxed solutions of the site collection (and the 14-day average) in the site collection's solution gallery. The resource points used by each solution are also shown. They can deactivate and remove any sandboxed solution in the same gallery. Farm administrators can configure the total allowable points per site collection on a per site collection basis in the Central Administration application. The number of points assigned to each unit of each type of resource is configurable through SharePoint Management Shell or custom code against the object model.

Resources Measured

The following table lists the 15 system resources that are monitored.

  • The Minimum Threshold column specifies the default minimum amount of the resource that must be reached before it is aggregated into the running total at all. But 0 in this column means that any quantity, however small, is aggregated.

  • The Absolute Limit column specifies the default amount that will trigger an immediate termination of the process. Note that there is a 1 in this column for some resources. This means that even a single instance of the resource triggers an immediate termination of the process.

  • The Resources Per Point column specifies how much of the resource, by default, causes an additional point to be added toward the Per Day/Per Site Collection total.

Resource

Remarks

Minimum Threshold

Absolute Limit

Resources Per Point

AbnormalProcessTerminationCount

This "resource" exists only to impose an additional penalty on a sandboxed solution that is terminated for some other reason. Specifically, 1 point is added toward the Per Day/Per Site Collection total. So, this "resource" penalty represents an occasion when either (1) the absolute limit of one of the other measures was exceeded and the sandboxed process was immediately shut down, or (2) an application domain handling a request was shut down because the request was taking too long (see Per Request, with the Request Penalized above). Hence, the Minimum Threshold and Absolute Limit columns of this row are not applicable.

0

1

1

CPUExecutionTime

(measured in seconds)

The absolute limit of this resource is not applicable as long as it is set higher than the Per Request, with the Request Penalized limit described above. Normally, administrators will want to keep it higher so that the slow request is terminated before it causes a termination of the whole sandboxed worker process, including even the well-behaved sandboxed solutions running in it.

0.1

60

200

CriticalExceptionCount

Critical exceptions include the following:

  • ThreadAbortException

  • OutOfMemoryException

  • AccessViolationException

  • AppDomainUnloadedException

  • BadImageFormatException

  • TypeInitializationException

  • MissingMethodException

  • ExecutionEngineException

0

3

10

IdlePercentProcessorTime

This measure applies only to sandboxed worker processes that are not currently handling any requests. Such processes should not use much processor time. The 10 in the Absolute Limit column means that if such a process uses more than 10 percent of the processor's time, the process is terminated. The Resources Per Point value is never used. However, when the process is terminated, the AbnormalProcessTerminationCount applies, and a resource point is added to the day's resource count.

0

10

100

InvocationCount

0

100

100

PercentProcessorTime

0

100

85

ProcessCPUCycles

10,000,000,000

100,000,000,000

100,000,000,000

ProcessHandleCount

500

5000

10,000

ProcessIOBytes

0

100,000,000

10,000,000

ProcessThreadCount

10

200

10,000

ProcessVirtualBytes

100000000

4,000,000,000

1,000,000,000

SharePointDatabaseQueryCount

The queries made to SharePoint content and configuration databases.

0

100

400

SharePointDatabaseQueryTime

measured in seconds

The amount of time spent querying SharePoint content and configuration databases.

0.1

60

20

UnhandledExceptionCount

0

3

50

UnresponsiveprocessCount

0

1

2

Important Resource Usage APIs

You can change these values by using the SharePoint Foundation object model. The following are the critical APIs that you use to do this.

You can get a reference to a specific resource measure by using its name or GUID as an index. For example, the following line of code lowers the absolute limit for the SharePointDatabaseQueryTime measure to 30 seconds.

SPUserCodeService.Local.ResourceMeasures["SharePointDatabaseQueryTime"].AbsoluteLimit = 30.0;
SPUserCodeService.Local.Update();

The following code raises the value of the Per Request, with the Request Penalized limit to 40 seconds.

SPUserCodeService.Local.WorkerProcessExecutionTimeout = 40;
SPUserCodeService.Local.Update();

Important

For the changes to take effect, the Microsoft SharePoint Foundation Sandboxed Code Service must be restarted on all servers on which it is running.

See Also

Concepts

Restrictions on Sandboxed Solutions in SharePoint 2010

What Can Be Implemented in Sandboxed Solutions in SharePoint 2010

Other Resources

Sandboxed Solutions Resource Center | SharePoint 2010

SharePoint Developer Team Blog

SharePoint Developer Center