While reading "How Workers works" on Cloudflare’s blog, I learned about V8 Isolates.

V8 orchestrates isolates: lightweight contexts that provide your code with variables it can access and a safe environment to be executed within. You could even consider an isolate a sandbox for your function to run in.

A single instance of the runtime can run hundreds or thousands of isolates, seamlessly switching between them. Each isolate’s memory is completely isolated, so each piece of code is protected from other untrusted or user-written code on the runtime. Isolates are also designed to start very quickly. Instead of creating a virtual machine for each function, an isolate is created within an existing environment. This model eliminates the cold starts of the virtual machine model.

That reads suspiciously like threads, doesn’t it? Yes, sort of – it depends on the implementation. This is what Chromium’s Blink has to say:

An isolate is a concept of an instance in V8. In Blink, isolates and threads are in 1:1 relationship. One isolate is associated with the main thread. One isolate is associated with one worker thread.

Anyway, circling back to Cloudflare Workers – I wonder what the implications for security and isolation are across the various isolates? There are various threads of discussion on this, notably this thread from the orange website. It defers the decision to "it depends", with process-based isolation being preferred when running untrusted code.
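To make the distinction between isolate-level and process-level separation concrete, here is an added example (not from the posts quoted above) using Node.js worker_threads, where each Worker runs in its own V8 isolate. The names probeIsolate and tenantSecret and the sample value are made up for illustration.

```javascript
// Added example: one OS process, two V8 isolates (main thread + one Worker).
const { Worker, threadId } = require('node:worker_threads');

// Source run inside the worker isolate; it reports back through Int32 slots.
const workerSource = `
  const { workerData, threadId } = require('node:worker_threads');
  const out = new Int32Array(workerData.shared);
  // Is the global set on the main isolate visible here? 1 = yes, 0 = no.
  out[1] = typeof globalThis.tenantSecret === 'undefined' ? 0 : 1;
  // workerData arrives as a structured clone, so this only changes the copy.
  workerData.config.admin = true;
  out[2] = process.pid;  // OS process id as seen from the worker
  out[3] = threadId;     // worker thread id (main thread is 0)
  Atomics.store(out, 0, 1);
  Atomics.notify(out, 0);
`;

function probeIsolate() {
  // Constructed sample value living on the main isolate's heap.
  globalThis.tenantSecret = 'constructed-sample-value';
  const config = { admin: false };
  // A SharedArrayBuffer is the explicit opt-in for memory shared across isolates.
  const shared = new SharedArrayBuffer(16);
  const view = new Int32Array(shared);
  const worker = new Worker(workerSource, {
    eval: true,
    workerData: { shared, config },
  });
  worker.unref();
  // Block until the worker flips slot 0, or give up after 10 seconds.
  Atomics.wait(view, 0, 0, 10000);
  return {
    completed: view[0] === 1,
    workerSawMainGlobal: view[1] === 1,
    mainConfigAdmin: config.admin,
    sameOsProcess: view[2] === process.pid,
    mainThreadId: threadId,
    workerThreadId: view[3],
  };
}

console.log(probeIsolate());
```

The worker cannot see the main isolate's global or mutate its objects, yet both report the same process id: the boundary is enforced by V8 inside one process, not by the operating system.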