Skip to content

Code Execution Platform — Detailed#

flowchart TB
  subgraph Client
    UI([Web IDE])
  end

  subgraph API
    SUB[Submit endpoint]
    AUTH[Auth + rate limit]
    VAL[Lang + version validate]
  end

  subgraph Queue
    Q[[Priority queue]]
    DEAD[[(DLQ)]]
  end

  subgraph Sandbox[Sandbox executor]
    POOL([Worker pool])
    DOCKER[Container per submission]
    FIRECRACKER[Firecracker microVM<br/>strong isolation]
    SECCOMP[seccomp + namespaces]
    CGROUPS[CPU / memory / time limits]
    NETN[Network isolation]
    FS[Read-only FS + tmpfs scratch]
    LANG[Language runtimes + deps]
  end

  subgraph TestRun[Test runner]
    INP[Stdin inputs]
    EXEC[Run with timeout]
    OUT[Capture stdout/stderr]
    DIFF[Compare expected]
    SCORE[Score / partial credit]
  end

  subgraph Storage
    SUBS[(Submissions)]
    PROB[(Problems / hidden tests)]
    LDB[(Leaderboards)]
    SOLS([(Per-user solutions)])
  end

  subgraph Ops
    SCALE([Autoscale workers])
    METR[[Time-per-run, queue lag]]
    ABUSE[Abuse / fork bomb detection]
  end

  Client --> API --> Queue --> Sandbox --> TestRun --> Storage
  Ops --- Sandbox

    classDef client fill:#dbeafe,stroke:#1e40af,stroke-width:1px,color:#0f172a;
    classDef edge fill:#cffafe,stroke:#0e7490,stroke-width:1px,color:#0f172a;
    classDef service fill:#fef3c7,stroke:#92400e,stroke-width:1px,color:#0f172a;
    classDef datastore fill:#fee2e2,stroke:#991b1b,stroke-width:1px,color:#0f172a;
    classDef cache fill:#fed7aa,stroke:#9a3412,stroke-width:1px,color:#0f172a;
    classDef queue fill:#ede9fe,stroke:#5b21b6,stroke-width:1px,color:#0f172a;
    classDef compute fill:#d1fae5,stroke:#065f46,stroke-width:1px,color:#0f172a;
    classDef storage fill:#e5e7eb,stroke:#374151,stroke-width:1px,color:#0f172a;
    classDef external fill:#fce7f3,stroke:#9d174d,stroke-width:1px,color:#0f172a;
    classDef obs fill:#f3e8ff,stroke:#6b21a8,stroke-width:1px,color:#0f172a;
    class UI client;
    class SUB,AUTH,VAL,DOCKER,FIRECRACKER,SECCOMP,CGROUPS,NETN,FS,LANG,INP,EXEC,OUT,DIFF,SCORE,ABUSE service;
    class DEAD,SUBS,PROB,LDB,SOLS datastore;
    class Q,METR queue;
    class POOL,SCALE compute;

Isolation choices#

  • Containers (Docker) = fast, weaker isolation.
  • MicroVMs (Firecracker / gVisor) = stronger; sub-100 ms start.
  • One-shot ephemeral per submission; no cross-submission state.

Resource limits#

  • CPU cgroup, memory cgroup, wall-clock + cpu-time limits.
  • seccomp filters disallowed syscalls.
  • No network unless explicitly needed.

Glossary & fundamentals#

Concepts referenced in this design. Each row links to its canonical page; the tag column shows whether it is a high-level (HLD) or low-level (LLD) concept.

Tag Concept What it is Page
HLD Pub/Sub & message brokers topics, consumer groups, delivery semantics pub-sub-pattern